W32/Rbot-HR is a network worm and backdoor Trojan for the Windows platform.
W32/Rbot-HR allows a malicious user remote access to an infected computer.
W32/Rbot-HR is a network worm and backdoor Trojan for the Windows platform.
W32/Rbot-HR allows a malicious user remote access to an infected computer.
The worm copies itself to winusb.exe in the Windows system folder and creates the following registry entries to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows USB controler = winusb.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows USB controler = winusb.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows USB controler = winusb.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows USB controler = winusb.exe
W32/Rbot-HR spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.
W32/Rbot-HR can be controlled by a remote attacker over IRC channels. The infected computer can be used to perform any of the following functions:
Proxy server (SOCKS4)
FTP server
HTTP server
SMTP server
File system Manipulation
Port scanner
DDoS floods (TCP,UDP,SYN)
Remote shell (RLOGIN)
Packet sniffer
Key logger
The following patches for the operating system vulnerabilities exploited by W32/Rbot-HR can be obtained from the Microsoft website:
MS04-011
MS03-026
MS03-007
MS01-059