W32/Rbot-GYI is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-GYI includes functionality to run automatically.
When W32/Rbot-GYI is installed it creates the file <System>\dhcp.exe.
The following registry entries are created to run dhcp.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
LAN
<System>\dhcp.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LAN
<System>\dhcp.exe
The following registry entry is set, affecting internet security by adding dhcp.exe to the Windows Firewall list of authorized applications:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<System>\dhcp.exe
<System>\dhcp.exe:*:Enabled:LAN
The following registry entry is set:
HKCU\Software\Microsoft\OLE
LAN
<System>\dhcp.exe
W32/Rbot-GYI spreads via network shares by exploiting the following vulnerabilities:
RPC-DCOM (MS04-012)
ASN.1 (MS04-007)
Symantec (SYM06-010)
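The registry entries and dropped file listed above can be checked on a host with a short PowerShell script. This is an added example, not vendor code; it assumes <System> means the Windows system folder, and it matches on the dhcp.exe file name rather than a fixed path.

```powershell
# Added example (not vendor code): look for the W32/Rbot-GYI artifacts listed above.
# Assumption: <System> on the page means the Windows system folder.
$dropped = Join-Path ([Environment]::SystemDirectory) 'dhcp.exe'

# Keys where the description says a value named "LAN" points at dhcp.exe.
$lanKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\OLE'   # covers the current user's hive only
)
# Firewall key: the value *name* is the program path, the data is "<path>:*:Enabled:LAN".
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

$findings = New-Object System.Collections.Generic.List[object]

foreach ($path in $lanKeys) {
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if ($null -eq $key) { continue }              # key absent on this host
    $data = [string]$key.GetValue('LAN', '')      # empty string if the value is missing
    if ($data -match '\\dhcp\.exe') {
        $findings.Add([pscustomobject]@{ Key = $path; Value = 'LAN'; Data = $data })
    }
}

$key = Get-Item -LiteralPath $fwKey -ErrorAction SilentlyContinue
if ($null -ne $key) {
    foreach ($name in $key.GetValueNames()) {
        if ($name -match '\\dhcp\.exe$') {
            $findings.Add([pscustomobject]@{
                Key = $fwKey; Value = $name; Data = [string]$key.GetValue($name)
            })
        }
    }
}

# Record a hash of the dropped file, if present, for comparison with vendor data.
if (Test-Path -LiteralPath $dropped) {
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings.Add([pscustomobject]@{ Key = 'file'; Value = $dropped; Data = "SHA256 $hash" })
}

if ($findings.Count -eq 0) { 'No W32/Rbot-GYI indicators from this description were found.' }
else { $findings | Format-List }
```

A match is a lead for triage rather than a verdict, and the HKCU check has to be repeated per user profile to cover other accounts.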