W32/Rbot-WL is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-WL may spread to remote network shares protected by weak passwords and computers vulnerable to common exploits. The worm also opens up a backdoor, allowing unauthorised remote access to infected computers via the IRC network, while running in the background as a service process.
W32/Rbot-WL can receive commands from a remote intruder to:
delete network shares
log keypresses
participate in DDoS attacks
scan other computers for vulnerabilities
steal passwords
steal registration keys for computer games
create administrator accounts
terminate firewall and anti-virus processes
capture video from webcameras attached to the computer
W32/Rbot-WL copies itself to the Windows system folder as "regedit.exe" and
creates the following registry entries in order to run automatically on
computer logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System Registry Settings
regedit.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
System Registry Settings
regedit.exe
In addition the worm changes the following registry entries if they
were not set already:
HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous
1