W32/Rbot-HA is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-HA spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Rbot-HA moves itself to the Windows system folder as REGSCAN.EXE and creates entries in the registry at the following locations in an attmept to run on Windows logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Registry Scan = regscan.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Registry Scan = regscan.exe
W32/Rbot-HA may also create the following registry entry:
HKCU\Software\Microsoft\OLE\
Windows Registry Scan = regscan.exe
W32/Rbot-HA spreads using a variety of techniques including exploiting weak password on computers and SQL servers and exploiting operating system vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP).
W32/Rbot-HA can be controlled by a remote attacker over IRC channels.
Patches for the operating system vulnerabilities exploited by W32/Rbot-GO can be obtained from Microsoft at:
MS04-011
MS03-026
MS03-007
MS01-059