W32/Rbot-GXL is a worm and IRC backdoor Trojan for the Windows platform.
When run, W32/Rbot-GXL copies itself to <System>\vghhost.exe and creates the following files:
<System>\packet.dll - this file can be safely removed
<System>\wpcap.dll - this file can be safely removed
<System>\drivers\npf.sys - this file can be safely removed
These three files are components of the WinPcap packet capture library that the worm drops alongside itself; they can be removed on an infected machine, but note that a legitimate WinPcap installation (for example one used by a network analysis tool) places the same files, so their presence on their own is not evidence of infection and removing them there will break that software.
W32/Rbot-GXL spreads to other machines by copying itself to network shares protected by weak passwords and by exploiting the LSASS vulnerability (MS04-011).
W32/Rbot-GXL sets the following registry entries (key, then value name = data):
HKCU\Software\Microsoft\OLE
Visual Graphic = "vghhost.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Visual Graphic = "vghhost.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Visual Graphic = "vghhost.exe"
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = 1
The first three entries make vghhost.exe run at startup (the RunServices key is only honoured by Windows 9x/ME). The last two are system configuration changes rather than persistence: EnableDCOM = "N" disables DCOM and restrictanonymous = 1 restricts anonymous (null session) enumeration, so after cleaning the worm's files and startup entries these two values should be reviewed and restored to the settings your environment expects.
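The following is an added example, not Sophos' code or a tool from the original page: a read-only PowerShell check that looks for the file, registry and process indicators listed above on a Windows host. It assumes it is run from an elevated prompt, that the paths and value names are exactly as described, and it removes nothing; the file and registry names are taken from the description, everything else (variable names, output format) is this example's own.

```powershell
# Added example: check a host for the W32/Rbot-GXL indicators described above.
# Read-only; reports findings and changes nothing. Run as Administrator.
# Assumption: HKCU refers to the hive of the account running this script,
# so check the user the infected machine was actually used under.

$system = [Environment]::GetFolderPath('System')   # typically C:\Windows\System32

# Files the worm drops. packet.dll, wpcap.dll and npf.sys are WinPcap components,
# so they are only a strong indicator together with vghhost.exe.
$files = @(
    (Join-Path $system 'vghhost.exe'),
    (Join-Path $system 'packet.dll'),
    (Join-Path $system 'wpcap.dll'),
    (Join-Path $system 'drivers\npf.sys')
)

# Registry values the worm sets: key, value name, expected data, and whether a
# match on its own is a strong indicator (EnableDCOM/restrictanonymous are also
# legitimate hardening settings, so they are only weak indicators).
$regChecks = @(
    @{ Key='HKCU:\Software\Microsoft\OLE';                                 Name='Visual Graphic';    Data='vghhost.exe'; Strong=$true  },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'; Name='Visual Graphic';    Data='vghhost.exe'; Strong=$true  },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name='Visual Graphic';    Data='vghhost.exe'; Strong=$true  },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Ole';                                Name='EnableDCOM';        Data='N';           Strong=$false },
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                  Name='restrictanonymous'; Data=1;             Strong=$false }
)

$findings = @()

# File indicators: record size and timestamp to help scope the incident
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $strong = ($item.Name -ieq 'vghhost.exe')
        $findings += [pscustomobject]@{
            Type     = 'File'
            Strong   = $strong
            Location = $f
            Detail   = "size=$($item.Length) modified=$($item.LastWriteTime)"
        }
    }
}

# Registry indicators: only report a value when its data matches what the worm writes
foreach ($c in $regChecks) {
    if (Test-Path -LiteralPath $c.Key) {
        $props  = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $props) { $props.($c.Name) } else { $null }
        if ($null -ne $actual -and "$actual" -eq "$($c.Data)") {
            $findings += [pscustomobject]@{
                Type     = 'Registry'
                Strong   = $c.Strong
                Location = "$($c.Key)\$($c.Name)"
                Detail   = "data=$actual"
            }
        }
    }
}

# A running vghhost.exe is the strongest live indicator
Get-Process -Name 'vghhost' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{
        Type     = 'Process'
        Strong   = $true
        Location = "PID $($_.Id)"
        Detail   = $_.Path
    }
}

if ($findings.Count -eq 0) {
    'No W32/Rbot-GXL indicators found.'
} else {
    $findings | Sort-Object -Property Strong -Descending | Format-Table -AutoSize
    if (-not ($findings | Where-Object Strong)) {
        'Only weak indicators matched (WinPcap files or hardening values); this alone does not confirm infection.'
    }
}
```

Treat a hit on vghhost.exe, the "Visual Graphic" startup values or a running vghhost process as confirmation and move to containment (the worm scans for MS04-011 and weak share passwords, so isolate the host from the network first); a match only on the WinPcap files or on EnableDCOM/restrictanonymous needs corroboration before any cleanup.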