W32/Rbot-PH is a worm which attempts to spread to remote network shares and contains backdoor Trojan functionality allowing unauthorised remote access to the infected computer.
W32/Rbot-PH is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service
process.
W32/Rbot-PH moves itself to the Windows system folder as msnmsgr7.exe and creates the following registry entries to ensure it is run at system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MSN Start = msnmsgr7.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MSN Start = msnmsgr7.exe
The worm also creates the following registry entry:
HKCU\Software\Microsoft\OLE\
MSN Start = msnmsgr7.exe
W32/Rbot-PH spreads to network shares with weak passwords and via exploiting vulnerabilities including the RPC-DCOM(MS04-012), IIS5SSL(MS04-011) and LSASS(MS04-011) vulnerabilities.
W32/Rbot-PH will also download and execute remote files on the infected computer, log key strokes, retrieve information such as CD keys for various games and flood other computers with network packets.