W32/Rbot-LE is a worm which attempts to spread via remote network shares.
W32/Rbot-LE contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
The worm has a backdoor component that allows a malicious intruder a remote access shell to an infected computer.
W32/Rbot-LE spreads to network shares with weak passwords as a result of this backdoor Trojan element receiving the appropriate command from a remote intruder.
The worm moves itself to the Windows system folder as msie.exe and creates the following registry entries to run itself on computer restart or user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Ansti Update
msie.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Ansti Update
msie.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Ansti Update
msie.exe
W32/Rbot-LE also sets the following registry entries:
HKLM\SYSTEM\ControlSet001\Control\Lsa
restrictanonymous = 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = 1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM = "N"
W32/Rbot-LE may attempt to:
- steal CD keys
- capture clipboard data
- delete network shares on the host computer
- log keystrokes
- capture images from the computer screen and web camera
- enumerate the list of running processes on the computer and reduce the privileges on these processes
- download and run files from the internet
- transfer files via TFTP on port 69
- steal computer system information (computer name, available memory, drive types etc.)
- perform SYN flood and partake in DoS attacks