W32/Rbot-EN is a network worm and backdoor for the Windows platform. W32/Rbot-EN allows a malicious user remote access to an infected computer via IRC. The worm also contains keylogging and file transfer capabilities.
In order to run automatically when Windows starts up W32/Rbot-EN copies itself to the Windows system folder as ethernet32m.exe and creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WindowsRegKey%update = ethernet32m.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
WindowsRegKey%update = ethernet32m.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
WindowsRegKey%update = ethernet32m.exe
W32/Rbot-EN spreads by exploiting network shares and Microsoft SQL servers with weak passwords, Windows operating system vulnerabilities and backdoors opened by other worms and Trojans.
Patches for the operating system vulnerabilities exploited by W32/Rbot-EN can be obtained from Microsoft at:
MS04-011
MS03-026
MS03-007
MS01-059