W32/Rbot-GWR spreads
- to computers vulnerable to common exploits, including: LSASS (MS04-011)
- to network shares protected by weak passwords
When first run W32/Rbot-GWR copies itself to <System>\svehost.exe and creates the following files:
<System>\drivers\npf.sys - clean file, part of WinPcap library; can be safely deleted
<System>\packet.dll - clean file, part of WinPcap library; can be safely deleted
<System>\wpcap.dll - clean file, part of WinPcap library; can be safely deleted
The following registry entries are created to run svehost.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates
svehost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Updates
svehost.exe
The file npf.sys is registered as a new system driver service named "NPF", with a display name of "Netgroup Packet Filter". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\NPF
Registry entries are set as follows:
HKCU\Software\Microsoft\OLE
Microsoft Updates
svehost.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N