W32/Rbot-TK is a worm with backdoor functionality.
W32/Rbot-TK can spread to computers on the local network that are protected by weak passwords once it receives the appropriate backdoor command.
W32/Rbot-TK will attempt to spread by exploiting the following vulnerabilities:
DCOM (MS04-012)
LSASS (MS04-011)
When first run, W32/Rbot-TK copies itself to the Windows system folder as WINIPCK.EXE and runs that copy, which then attempts to delete the original file. So that it runs each time a user logs on, W32/Rbot-TK sets the following registry entries (key\value = data):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System = winipck.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\System = winipck.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System = winipck.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\System = winipck.exe
W32/Rbot-TK will also set the following registry entries (key\value = data):
HKCU\Software\Microsoft\OLE\System = winipck.exe
HKCU\System\CurrentControlSet\Control\Lsa\System = winipck.exe
HKLM\Software\Microsoft\OLE\System = winipck.exe
HKLM\System\CurrentControlSet\Control\Lsa\System = winipck.exe
The worm runs continuously in the background providing backdoor access to the infected computer.
W32/Rbot-TK will alter the following registry values in order to enable or disable DCOM and to apply or remove the restrictions on anonymous access to IPC$ shares:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous
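The following PowerShell script is an added, read-only check for the indicators listed in this advisory: the autorun and marker values that name winipck.exe, the dropped file in the system folder, and the current state of the two DCOM and anonymous-access settings the worm toggles. It is example code written for this page, not a Sophos tool; it assumes the dropped copy lives in the folder reported by [Environment]::GetFolderPath('System') and reports the two settings as-is rather than judging them, since the correct baseline depends on the host.

```powershell
# Added example: read-only check for the W32/Rbot-TK indicators described above.
# Nothing here modifies the registry or the file system.

$fileName  = 'winipck.exe'
$valueName = 'System'

# Autorun keys the advisory says the worm populates with System = winipck.exe.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
# Additional keys the advisory lists with the same value written into them.
$extraKeys = @(
    'HKCU:\Software\Microsoft\OLE',
    'HKCU:\System\CurrentControlSet\Control\Lsa',
    'HKLM:\Software\Microsoft\OLE',
    'HKLM:\System\CurrentControlSet\Control\Lsa'
)

$findings = @()

foreach ($key in ($runKeys + $extraKeys)) {
    # RunServices does not exist on NT-based systems, so skip keys that are absent.
    if (-not (Test-Path $key)) { continue }
    # SilentlyContinue: a missing value name is the expected clean-host result.
    $props = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.$valueName -match [regex]::Escape($fileName)) {
        $findings += "Registry value: $key\$valueName = $($props.$valueName)"
    }
}

# Dropped copy in the Windows system folder (assumed to be the System special folder).
$dropped = Join-Path ([Environment]::GetFolderPath('System')) $fileName
if (Test-Path $dropped) {
    $findings += "File present: $dropped"
}

# Settings the worm alters; report their current values for comparison with the
# organisation's baseline rather than asserting what they should be.
$settings = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Ole';               Name = 'EnableDCOM' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'restrictanonymous' }
)
foreach ($s in $settings) {
    $p = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
    $current = if ($null -ne $p) { $p.($s.Name) } else { '<not set>' }
    Write-Output ('Setting {0}\{1} = {2}' -f $s.Key, $s.Name, $current)
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Rbot-TK indicators from this advisory were found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell session so the HKLM values are readable. The HKCU checks only cover the profile of the user running the script; on a shared machine, load and inspect the other users' hives as well, and treat a hit on any of the registry values or the dropped file as grounds for a full scan rather than manual cleanup, since the worm also provides backdoor access that this check does not detect.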
W32/Rbot-TK can add and delete network shares and users on the infected computer.