W32/Rbot-DVD

Category: Viruses and Spyware
Protection available since: 26 May 2006 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 26 May 2006 00:00:00 (GMT)
Prevalence: Small Number of Reports


W32/Rbot-DVD is a worm for the Windows platform.

W32/Rbot-DVD spreads
- to computers vulnerable to common exploits, including: RPC-DCOM (MS04-012) and WKS (MS03-049)
- to MSSQL servers protected by weak passwords
- to network shares

When first run, W32/Rbot-DVD copies itself to <System>\filereg.exe.

The following registry entries are created to run filereg.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ActiveX File Registration Service
filereg.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ActiveX File Registration Service
filereg.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
ActiveX File Registration Service
filereg.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
ActiveX File Registration Service
filereg.exe

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
ActiveX File Registration Service
filereg.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
ActiveX File Registration Service
filereg.exe

HKCU\Software\Microsoft\OLE
ActiveX File Registration Service
filereg.exe

HKLM\SOFTWARE\Microsoft\Ole
ActiveX File Registration Service
filereg.exe

W32/Rbot-DVD attempts to reset these registry entries periodically.

W32/Rbot-DVD attempts to terminate a large number of processes related to anti-virus and security software.

W32/Rbot-DVD modifies the HOSTS file, appending the following lines to prevent access to the websites listed:

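HOSTS-file tampering of this kind can be detected by parsing the file and flagging ordinary hostnames that are mapped to 0.0.0.0 or a loopback address. The following is an added example, not part of the original analysis; the function names, the `watch_suffixes` parameter and the sample file with its `.example` domains are constructed for illustration.

```python
import ipaddress

# Names that legitimately resolve to loopback in a stock HOSTS file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}

def is_sink_address(addr):
    """True for addresses that can never reach a remote site (0.0.0.0, ::, loopback)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_unspecified or ip.is_loopback

def find_blocked_hosts(hosts_text, watch_suffixes=()):
    """Return (line_no, address, hostname, watched) for each sinkholed hostname."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2 or not is_sink_address(fields[0]):
            continue
        for name in fields[1:]:                 # one line may carry several names
            host = name.lower().rstrip(".")
            if host in LOCAL_NAMES:
                continue
            # watched: hostname equals or is a subdomain of a caller-supplied suffix
            watched = any(host == s or host.endswith("." + s) for s in watch_suffixes)
            findings.append((line_no, fields[0], host, watched))
    return findings

# Constructed sample: a stock file with appended redirect lines (placeholder domains).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.corp.example   # real mapping, not flagged
0.0.0.0 www.av-vendor.example
0.0.0.0 AV-Vendor.example update.av-vendor.example
127.0.0.1 scanner.example
# 0.0.0.0 commented.example
"""

if __name__ == "__main__":
    watch = ("av-vendor.example",)  # hypothetical watchlist of vendor domains
    for line_no, addr, host, watched in find_blocked_hosts(SAMPLE_HOSTS, watch):
        tag = "WATCHLIST" if watched else "review"
        print(f"line {line_no}: {host} -> {addr} [{tag}]")
```

Entries tagged `review` are not necessarily malicious, since ad-blocking HOSTS files use the same mapping; a watchlist of security-vendor and update domains separates the two cases.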
