W32/Rbot-EL

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Rbot-EL is a network worm and backdoor for the Windows platform. W32/Rbot-EL allows a malicious user remote access to an infected computer via IRC.

To run automatically when Windows starts up, W32/Rbot-EL copies itself to the Windows system folder as fat32.exe and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Fat32 Microsoft = fat32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Fat32 Microsoft = fat32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Fat32 Microsoft = fat32.exe
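
A check for the three autorun entries listed above, run against the text of a registry export. This is an added example, not Sophos code; the function name `find_rbot_el_persistence` and the sample export are constructed for illustration.

```python
import re

# Autorun keys named in the description, with hive abbreviations expanded.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
VALUE_NAME, FILE_NAME = "fat32 microsoft", "fat32.exe"

SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string values escape backslashes and quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def find_rbot_el_persistence(reg_text):
    """Return (key, value name, data) for autorun entries matching the description."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = STRING_VALUE.match(line)
        if not m or key is None or key.lower() not in RUN_KEYS:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        # Compare the file name only, so a full path to fat32.exe also matches
        base = data.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()
        if name.lower() == VALUE_NAME or base == FILE_NAME:
            hits.append((key, name, data))
    return hits

# Constructed sample in .reg export format (decode real exports from UTF-16 first)
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Fat32 Microsoft"="fat32.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Fat32 Microsoft"="fat32.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Tools\\fat32.exe.bak"
[HKEY_CURRENT_USER\Software\Example]
"Fat32 Microsoft"="fat32.exe"
'''
```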

W32/Rbot-EL terminates the following processes if they exist:

i11r54n4.exe
irun4.exe
d3dupdate.exe
rate.exe
ssate.exe
winsys.exe
winupd.exe
SysMonXP.exe
bbeagle.exe
Penis32.exe
teekids.exe
MSBLAST.exe
mscvb32.exe
sysinfo.exe
PandaAVEngine.exe
wincfg32.exe
taskmon.exe
zonealarm.exe
navapw32.exe
navw32.exe
zapro.exe
msblast.exe
netstat.exe
msconfig.exe
regedit.exe

W32/Rbot-EL spreads by exploiting network shares and Microsoft SQL servers with weak passwords, Windows operating system vulnerabilities and backdoors opened by other worms and Trojans.

Patches for the operating system vulnerabilities exploited by W32/Rbot-EL can be obtained from Microsoft at:
MS04-011
MS03-026
MS03-007
MS01-059
