W32/Rbot-VP is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-VP may spread to remote network shares protected by weak passwords and computers vulnerable to common exploits. The worm also opens up a backdoor, allowing unauthorised remote access to infected computers via the IRC network, while running in the background as a service process.
W32/Rbot-VP can receive commands from a remote intruder to:
delete network shares
log keypresses
participate in DDoS attacks
scan other computers for vulnerabilities
steal passwords
steal registration keys for computer games
create administrator accounts
terminate firewall and anti-virus processes
capture video from webcameras attached to the computer.
W32/Rbot-VP copies itself to the Windows system folder and creates the following registry entries to run itself automatically on computer logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Sygate Personal Firewall
t1ktik.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Sygate Personal Firewall
t1ktik.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Sygate Personal Firewall
t1ktik.exe
W32/Rbot-VP also sets the following registry entries, if they are not already set:
HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
N
HKLM\SYSTEM\ControlSet001\Control\Lsa\
restrictanonymous
1