W32/Rbot-QE is a network worm which attempts to spread via network shares. The worm contains backdoor functions that allows unauthorised remote access to the infected computer via IRC channels while running in the background.
W32/Rbot-QE spreads to network shares with weak passwords and by using the LSASS security exploit (MS04-011).
W32/Rbot-QE is a network worm which attempts to spread via network shares. The worm contains backdoor functions that allows unauthorised remote access to the infected computer via IRC channels while running in the background.
W32/Rbot-QE spreads to network shares with weak passwords and by using the LSASS security exploit (MS04-011).
When run the worm moves itself to the Windows System folder as a read-only, hidden and system file named XPUpdate.exe.
W32/Rbot-QE then creates the following registry entries so as to run itself either on user logon or computer restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Update
XPUpdate.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Update
XPUpdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Update
XPUpdate.exe
Once installed, W32/Rbot-QE will attempt to log keystrokes, partake in distributed denial of service (DDoS) attacks, download and run files from the Internet, steal CD keys, login to MS SQL servers and send EXEC commands to open a command shell on the server when instructed to do so by a remote attacker.