W32/Rbot-GMC is a worm with IRC backdoor functionality for the Windows platform.
W32/Rbot-GMC runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-GMC spreads to other network computers:
- by exploiting common buffer overflow vulnerabilities, including:
  SRVSVC (MS06-040), WKS (MS03-049) (CAN-2003-0812), MSSQL (MS02-039) (CAN-2002-0649), PNP (MS05-039), ASN.1 (MS04-007), Realcast, RealVNC (CVE-2006-2369) and Symantec (SYM06-010)
- by accessing networks protected by weak passwords
W32/Rbot-GMC includes functionality to:
- steal computer game keys
- download code from the internet
- terminate security and anti-virus related processes
- record keystrokes
- perform DDoS attacks
When run, W32/Rbot-GMC copies itself to <System>\nzm23.exe and creates the following registry entries to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Microsoft Svchost local services = nzm23.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Microsoft Svchost local services = nzm23.exe
The following registry entries are set:
HKCU\Software\Microsoft\OLE
    Microsoft Svchost local services = nzm23.exe
HKLM\SOFTWARE\Microsoft\Ole
    EnableRemoteConnect = N
    EnableDCOM = N
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    AutoShareServer = 0
    AutoShareWks = 0
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
    Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
    Start = 4
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous = 1
A Start value of 4 marks a service as disabled: wscsvc is the Security Center, SharedAccess is the Windows Firewall/Internet Connection Sharing service and wuauserv is Automatic Updates. The Ole and lanmanserver values turn off DCOM and the default administrative shares.
Registry changes may also be made under:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server\
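As an added defensive example, not part of the original description, the following Python script parses an exported .reg file offline and flags the persistence entry and the service, DCOM and share settings listed above. The sample export is constructed, and the checks assume the value name and file name exactly as given on this page.

```python
import re
# Indicators from the W32/Rbot-GMC description: persistence value name and dropped
# file, plus the values it sets (Security Center, Firewall/ICS, Automatic Updates
# disabled; DCOM and admin shares off; RestrictAnonymous on).
PERSISTENCE_VALUE = "microsoft svchost local services"
DROPPED_FILE = "nzm23.exe"
SET_VALUES = {
    (r"hklm\system\currentcontrolset\services\wscsvc", "start"): "4",
    (r"hklm\system\currentcontrolset\services\sharedaccess", "start"): "4",
    (r"hklm\system\currentcontrolset\services\wuauserv", "start"): "4",
    (r"hklm\software\microsoft\ole", "enabledcom"): "N",
    (r"hklm\software\microsoft\ole", "enableremoteconnect"): "N",
    (r"hklm\system\currentcontrolset\services\lanmanserver\parameters", "autoshareserver"): "0",
    (r"hklm\system\currentcontrolset\services\lanmanserver\parameters", "autosharewks"): "0",
    (r"hklm\system\currentcontrolset\control\lsa", "restrictanonymous"): "1",
}

# Constructed sample .reg export (not real data): a worm Run entry beside a benign one.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft Svchost local services"="nzm23.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
'''

def parse_reg_export(text):
    """Parse a .reg export into {(key, name): data}; keys/names lower-cased, DWORDs decimal."""
    entries, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"^\[(.+)\]$", line):
            key = m.group(1).lower().replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")
        elif (m := re.match(r'^"([^"]+)"=(.*)$', line)) and key:
            data = m.group(2)
            # REG_DWORD is hex after "dword:"; REG_SZ is quoted with doubled backslashes.
            data = str(int(data[6:], 16)) if data.startswith("dword:") else data.strip('"').replace("\\\\", "\\")
            entries[(key, m.group(1).lower())] = data
    return entries

def find_rbot_gmc_indicators(text):
    """Return one finding per registry value matching an Rbot-GMC indicator."""
    findings = []
    for (key, name), data in parse_reg_export(text).items():
        if name == PERSISTENCE_VALUE or data.lower().endswith(DROPPED_FILE):
            findings.append(f"persistence: {key} -> {name} = {data}")
        elif SET_VALUES.get((key, name)) == data:
            findings.append(f"setting changed: {key} -> {name} = {data}")
    return findings
```

Running `find_rbot_gmc_indicators(SAMPLE_EXPORT)` reports the Run entry, the disabled Security Center service and EnableDCOM=N, and ignores the benign ctfmon.exe entry.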