W32/Rbot-WS is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-WS may spread to remote network shares protected by weak passwords and computers vulnerable to common exploits. The worm also opens up a backdoor, allowing unauthorised remote access to infected computers via the IRC network, while running in the background as a service process.
The vulnerabilities exploited by the worm include the LSASS exploit (MS04-011) and the RPC-DCOM exploit (MS04-012).
W32/Rbot-WS can receive commands from a remote intruder to:
delete network shares
log keypresses
participate in DDoS attacks
scan other computers for vulnerabilities
steal passwords
steal registration keys for computer games
terminate firewall and anti-virus applications
capture video from webcameras attached to the computer
W32/Rbot-WS copies itself to the Windows system folder and creates the following registry entries in order to run automatically on computer log-on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Dns Resolver
dnsrslve.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Dns Resolver
dnsrslve.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Dns Resolver
dnsrslve.exe
The worm also hardens the computer against further attack by setting the following registry entries if they are not already set:
HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
N
HKLM\SYSTEM\ControlSet001\Control\Lsa\
restrictanonymous
1