W32/Rbot-XD

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Rbot-XD is a worm with backdoor Trojan functionality.

W32/Rbot-XD is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command.

W32/Rbot-XD will attempt to spread by exploiting the following vulnerabilities:

DCOM (MS04-012)
LSASS (MS04-011)
Backdoors left open by other malware

When first run, W32/Rbot-XD copies itself to the Windows system folder as SVRV.EXE and runs this copy of the worm. The copy will then attempt to delete the original file. In order to run each time a user logs in, W32/Rbot-XD will set the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sygate Personal 3
svrv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sygate Personal 3
svrv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Sygate Personal 3
svrv.exe

The worm runs continuously in the background, providing backdoor access to the infected computer over IRC channels.

W32/Rbot-XD will set the following registry entries in order to disable DCOM and restrict anonymous access to IPC$ shares:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
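A host triage check for the indicators described above (the dropped SVRV.EXE, the three autorun values, the DCOM and Lsa registry changes, and a running svrv.exe process), written in PowerShell as an added example; it is not Sophos's own tooling, and the function name Test-RbotXDIndicators is a hypothetical name chosen for this example:

```powershell
# Triage check for the W32/Rbot-XD indicators in the description above.
# Added example, not Sophos code; Test-RbotXDIndicators is a hypothetical name.
function Test-RbotXDIndicators {
    $findings = @()

    # 1. Dropped copy of the worm in the Windows system folder
    $dropped = Join-Path $env:SystemRoot 'System32\svrv.exe'
    if (Test-Path -LiteralPath $dropped) {
        $findings += "File present: $dropped"
    }

    # 2. Persistence: value 'Sygate Personal 3' -> svrv.exe under Run / RunServices
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }   # RunServices is absent on newer Windows
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        $value = $props.'Sygate Personal 3'
        if ($value -and $value -match 'svrv\.exe') {
            $findings += "Autorun entry: $key\Sygate Personal 3 = $value"
        }
    }

    # 3. DCOM disabled (EnableDCOM = N) and restrictanonymous = 1 under Lsa
    $ole = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    if ($ole -and $ole.EnableDCOM -eq 'N') {
        $findings += 'DCOM disabled: HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = N'
    }
    $lsa = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($lsa -and $lsa.restrictanonymous -eq 1) {
        # Also a legitimate hardening value; treat as supporting evidence only.
        $findings += 'Lsa\restrictanonymous = 1 (correlate with the other findings)'
    }

    # 4. Running process started from the dropped file
    $proc = Get-Process -Name 'svrv' -ErrorAction SilentlyContinue
    if ($proc) {
        $findings += "Running process: svrv.exe (PID $($proc.Id -join ', '))"
    }

    return $findings
}

$result = Test-RbotXDIndicators
if ($result.Count -eq 0) { 'No W32/Rbot-XD indicators found.' } else { $result }
```

Run from an elevated prompt so the HKLM keys and the system folder are readable; a single matching autorun value together with the file on disk is a much stronger signal than the Lsa value alone.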

W32/Rbot-XD can add and delete network shares and users on the infected computer.

W32/Rbot-XD will attempt to terminate the following processes:

bbeagle.exe
d3dupdate.exe
i11r54n4.exe
irun4.exe
msblast.exe
MSBLAST.exe
msconfig.exe
mscvb32.exe
navapw32.exe
navw32.exe
netstat.exe
PandaAVEngine.exe
Penis32.exe
rate.exe
regedit.exe
ssate.exe
sysinfo.exe
SysMonXP.exe
teekids.exe
wincfg32.exe
taskmon.exe
winsys.exe
winupd.exe
zapro.exe
zonealarm.exe
