W32/Rbot-OW is a network worm and backdoor Trojan for the Windows platform.
W32/Rbot-OW allows a malicious user remote access to an infected computer.
The worm copies itself to a file named vsmons.exe in the Windows system folder and creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
System Security Updaters = vsmons.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
System Security Updaters = vsmons.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
System Security Updaters = vsmons.exe
W32/Rbot-OW may also set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM = N
HKLM\SYSTEM\ControlSet001\Control\Lsa\
restrictanonymous = dword:00000001
W32/Rbot-OW spreads using a variety of techniques including exploiting weak password on computers and SQL servers, exploiting operating system vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.
W32/Rbot-OW can be controlled by a remote attacker over IRC channels.
The following patches for the operating system vulnerabilities exploited by W32/Rbot-OW can be obtained from the Microsoft website:
MS04-011
MS03-026
MS03-007
MS01-059