W32/Rbot-FMO is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-FMO runs continuously in the background, providing a backdoor server
which allows a remote intruder to gain access and control over the computer via
IRC channels.
W32/Rbot-FMO spreads:
- to computers vulnerable to common exploits, including WKS (MS03-049), MSSQL (MS02-039), SRVSVC (MS06-040) and Realcast
- to network shares protected by weak passwords
The following patches for the operating system vulnerabilities exploited by the
worm can be obtained from the Microsoft website:
MS03-049
MS02-039
MS06-040
When first run W32/Rbot-FMO copies itself to <System>\WinIp32.exe.
The following registry entries are created to run WinIp32.exe on startup (key\value name = data):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Sound Verifier = WinIp32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Windows Sound Verifier = WinIp32.exe
W32/Rbot-FMO sets the following registry entries, disabling the automatic startup of other software (a Start value of 4 means the service is disabled):
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 4
Note: wuauserv is the Automatic Updates service, so disabling it stops the computer from receiving security patches. Disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows (key\value name = data):
HKCU\Software\Microsoft\OLE\Windows Sound Verifier = WinIp32.exe
HKLM\SOFTWARE\Microsoft\Ole\EnableRemoteConnect = N
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1
Registry entries are created under:
HKCR\.key\
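The artefacts listed above can be checked for on a live host. The following read-only PowerShell script is an added example and is not part of this advisory; it assumes the dropped file lives under the System32 directory (the advisory's <System> placeholder) and treats the Ole and Lsa settings as weak indicators only, since each of them is also a legitimate hardening setting on its own.

```powershell
# Added host check (not from the advisory): looks for the W32/Rbot-FMO
# artefacts described above. It only reads the registry and file system
# and changes nothing. Run from an elevated PowerShell prompt.
$findings = @()

# 1. Dropped copy of the worm at <System>\WinIp32.exe (System32 assumed)
$dropped = Join-Path $env:SystemRoot 'System32\WinIp32.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "Dropped file present: $dropped"
}

# 2. Startup persistence: "Windows Sound Verifier" under Run / RunServices
$autorunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
foreach ($key in $autorunKeys) {
    $v = Get-ItemProperty -Path $key -Name 'Windows Sound Verifier' -ErrorAction SilentlyContinue
    if ($v) { $findings += "Autorun entry: $key\Windows Sound Verifier = $($v.'Windows Sound Verifier')" }
}

# 3. Services forced to Disabled (Start = 4): Automatic Updates and ICF/SharedAccess
foreach ($svc in 'wuauserv', 'SharedAccess') {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $start  = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { $findings += "Service $svc is disabled (Start = 4)" }
}

# 4. Weak indicators: DCOM/remote connect off, anonymous enumeration restricted.
#    Each is a valid hardening choice by itself; only meaningful with the above.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
if ($ole.EnableDCOM -eq 'N')          { $findings += 'Weak indicator: Ole\EnableDCOM = N' }
if ($ole.EnableRemoteConnect -eq 'N') { $findings += 'Weak indicator: Ole\EnableRemoteConnect = N' }
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.restrictanonymous -eq 1)     { $findings += 'Weak indicator: Lsa\restrictanonymous = 1' }

if ($findings.Count -eq 0) {
    'No W32/Rbot-FMO artefacts found.'
} else {
    'Possible W32/Rbot-FMO artefacts:'
    $findings | ForEach-Object { "  - $_" }
}
```

If the dropped file or either autorun entry is reported, treat the host as compromised and re-enable wuauserv and SharedAccess after cleanup, since the worm leaves them disabled.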