W32/Rbot-FMN is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-FMN spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
When first run W32/Rbot-FMN copies itself to <System>\bootini.exe.
The following registry entries are created to run bootini.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Patch Update
bootini.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Patch Update
bootini.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\OLE
Microsoft Patch Update
bootini.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
The following patch for the operating system vulnerability exploited by W32/Rbot-FMN can be obtained from the Microsoft website:
MS04-012