W32/Rbot-GPL

Category: Viruses and Spyware Protection available since:21 May 2007 00:00:00 (GMT)
Type: Win32 worm Last Updated:21 May 2007 00:00:00 (GMT)
Prevalence: Small Number of Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Rbot-GPL is a network worm and IRC backdoor for the Windows platform.

W32/Rbot-GPL spreads
 - to computers vulnerable to common exploits, including: SRVSVC (MS06-040), RPC
 -DCOM (MS04-012), ASN.1 (MS04-007), RealVNC (CVE-2006-2369) and Symantec (SYM06-010)
 - to MSSQL servers protected by weak passwords
 - to network shares protected by weak passwords

The following patches for the operating system vulnerabilities exploited by the
worm can be obtained from the Microsoft website:

MS06-040

MS04-012

MS04-007

W32/Rbot-GPL is a network worm and IRC backdoor for the Windows platform.

W32/Rbot-GPL spreads
 - to computers vulnerable to common exploits, including: SRVSVC (MS06-040), RPC
 -DCOM (MS04-012), ASN.1 (MS04-007), RealVNC (CVE-2006-2369) and Symantec (SYM06-010)
 - to MSSQL servers protected by weak passwords
 - to network shares protected by weak passwords

The following patches for the operating system vulnerabilities exploited by the
worm can be obtained from the Microsoft website:

MS06-040

MS04-012

MS04-007

W32/Rbot-GPL runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When W32/Rbot-GPL is installed it creates the file <System>\WinSecUp.exe.

The following registry entries are created to run WinSecUp.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
WinSecUp.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft
WinSecUp.exe

download Try Sophos products for free
Download now

© 1997 - 2012 Sophos Ltd. All rights reserved. Legal Privacy