W32/Rbot-GT is a network worm and backdoor Trojan for the Windows platform. W32/Rbot-GT allows a malicious user remote access to an infected computer.
The worm copies itself to a file named regscr32.exe and creates registry entries to run itself on startup under:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
The worm may also alter the following registry entries to weaken system security:
HKLM\Software\Microsoft\OLE\
HKLM\System\CurrentControlSet\Control\Lsa
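As an added example that is not part of the original advisory, the following PowerShell triage script checks the three Run keys listed above for values that reference regscr32.exe, dumps the OLE and Lsa keys so they can be compared with a known-good host, and looks for the dropped file. The directories searched for the file and the function names are assumptions; the advisory does not state where the file is written.

```powershell
# Added triage example for W32/Rbot-GT persistence (not from the advisory).
# Registry locations and the file name come from the advisory; the search
# directories for regscr32.exe are an assumption.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$SecurityKeys = @(
    'HKLM:\Software\Microsoft\OLE',
    'HKLM:\System\CurrentControlSet\Control\Lsa'
)

function Find-RbotGTPersistence {
    [CmdletBinding()]
    param([string]$FileName = 'regscr32.exe')

    $findings = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # PSPath, PSParentPath etc. are provider metadata, not registry values
            if ($p.Name -like 'PS*') { continue }
            if ("$($p.Value)" -match [regex]::Escape($FileName)) {
                $findings += [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
    $findings
}

function Get-RbotGTSecurityKeys {
    # Dump the OLE and Lsa values for comparison against a clean host;
    # the advisory does not list the specific values the worm changes.
    foreach ($key in $SecurityKeys) {
        if (Test-Path $key) {
            Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
        }
    }
}

# Assumed drop locations; adjust to your environment.
$searchDirs = @("$env:SystemRoot", "$env:SystemRoot\System32")
$files = Get-ChildItem -Path $searchDirs -Filter 'regscr32.exe' -File -ErrorAction SilentlyContinue

Find-RbotGTPersistence | Format-Table -AutoSize
Get-RbotGTSecurityKeys
$files | Select-Object FullName, Length, LastWriteTime
```

A hit from Find-RbotGTPersistence is only an indicator; confirm with the file's hash against your vendor's detection before remediating.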
W32/Rbot-GT spreads using a variety of techniques, including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPnP) and using backdoors opened by other worms or Trojans.
W32/Rbot-GT can be controlled by a remote attacker over IRC channels. The infected computer can be used to perform any of the following functions:
- Proxy server (SOCKS4)
- FTP server
- HTTP server
- File system manipulation
- Port scanner
- DDoS floods (TCP, UDP, SYN, ICMP)
- Remote shell (RLOGIN)
- Packet sniffer
- Key logger
- Screen/Webcam captures
Patches for the operating system vulnerabilities exploited by W32/Rbot-GT are available from Microsoft under the following security bulletins:
MS04-011, MS03-026, MS03-007 and MS01-059.