W32/Rbot-KK is a worm and backdoor for the Windows platform.
The worm spreads by exploiting the Lsass, DCOM-RPC and IIS5SSL vulnerabilities
addressed by MS04-011 and MS04-012.
The backdoor component connects to a predefined IRC server and waits for commands from a remote attacker.
When run, W32/Rbot-KK copies itself to the Windows system folder as WINIUPDATES.EXE and adds the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows Updater = "WINIUPDATES.EXE"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows Updater = "WINIUPDATES.EXE"
HKLM\Software\Microsoft\OLE
Microsoft Windows Updater = "WINIUPDATES.EXE"
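As an added example (this is not part of the original advisory), the following read-only PowerShell check looks for the persistence entries listed above: the "Microsoft Windows Updater" value under the three registry keys, any value whose data references WINIUPDATES.EXE, and the dropped file itself. It assumes the Windows system folder is %SystemRoot%\System32 and that the value and file names appear exactly as shown; it reports findings and does not remove anything.

```powershell
# Added detection example, not code from the original advisory.
# Checks the three registry locations and the file name listed above for
# W32/Rbot-KK persistence entries. Read-only: it reports, it does not clean.
$ValueName = 'Microsoft Windows Updater'
$FileName  = 'WINIUPDATES.EXE'
$Keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\OLE'
)
# Metadata properties that Get-ItemProperty adds to every result; not registry values.
$MetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$Findings = @()
foreach ($Key in $Keys) {
    # RunServices normally exists only on Windows 9x; skip keys that are absent.
    if (-not (Test-Path -LiteralPath $Key)) { continue }
    $Item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $Item) { continue }
    foreach ($Prop in $Item.PSObject.Properties) {
        if ($MetaProps -contains $Prop.Name) { continue }
        $Data = [string]$Prop.Value
        # Match the exact value name from the advisory, or any value whose data
        # points at the dropped file (catches a renamed value with the same payload).
        if ($Prop.Name -eq $ValueName -or $Data -match [regex]::Escape($FileName)) {
            $Findings += [pscustomobject]@{ Location = $Key; Value = $Prop.Name; Data = $Data }
        }
    }
}

# Assumption: the "Windows system folder" is %SystemRoot%\System32.
$FilePath = Join-Path $env:SystemRoot "System32\$FileName"
if (Test-Path -LiteralPath $FilePath) {
    $Info = Get-Item -LiteralPath $FilePath
    $Findings += [pscustomobject]@{
        Location = 'File system'
        Value    = $FilePath
        Data     = "Size=$($Info.Length) LastWrite=$($Info.LastWriteTime)"
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No W32/Rbot-KK persistence indicators found.'
} else {
    Write-Output 'Possible W32/Rbot-KK persistence indicators:'
    $Findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so HKLM is fully readable. A hit on the registry values or the file is a trigger for isolating the host and collecting the binary for analysis; because the worm's backdoor also opens an IRC connection, an outbound IRC session from the same host is corroborating evidence worth checking in firewall or proxy logs.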
The backdoor component of W32/Rbot-KK makes the following functions available to a remote attacker:
Keystroke logging
Password stealing
HTTP server
FTP server
Socks proxy server
File upload and download
Distributed denial of service attacks
Network packet sniffing
Remote login