W32/Rbot-ETT is a worm and IRC backdoor for the Windows platform.
W32/Rbot-ETT spreads
to computers vulnerable to common exploits, including: RPC-ETTCOM (MS04-012) and WKS (MS03-049)
to MSSQL servers protected by weak passwords
to network shares
W32/Rbot-ETT runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-ETT is a worm and IRC backdoor for the Windows platform.
W32/Rbot-ETT spreads
to computers vulnerable to common exploits, including: RPC-ETTCOM (MS04-012) and WKS (MS03-049)
to MSSQL servers protected by weak passwords
to network shares
W32/Rbot-ETT runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run W32/Rbot-ETT copies itself to <Windows system folder>\msconfigs.exe.
The following registry entries are created to run msconfigs.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Configoration Service
msconfigs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Configoration Service
msconfigs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Configoration Service
msconfigs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Configoration Service
msconfigs.exe
Registry entries are set as follows:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Configoration Service
msconfigs.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Configoration Service
msconfigs.exe
HKCU\Software\Microsoft\OLE
Microsoft Configoration Service
msconfigs.exe
HKLM\SOFTWARE\Microsoft\Ole
Microsoft Configoration Service
msconfigs.exe