W32/Rbot-YG is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-YG connects to an IRC channel and listens for commands from a remote attacker. The worm may also spread to remote network shares, or by DCC.
W32/Rbot-YG contains functionality to do any of the following:
- participate in denial of service attacks
- provide a remote command shell
- run a file server
- run services
- download updates
- steal software registration keys
- monitor network traffic
When first run W32/Rbot-YG copies itself to the Windows system folder as NXCXTPR.EXE and creates the following registry entries in order to run itself on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Office
nxcxtpr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Office
nxcxtpr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Office
nxcxtpr.exe
The worm may make the following additional registry changes:
HKLM\Software\Microsoft\Ole
EnableDCOM
N
HKLM\System\CurrentControlSet\Control\Lsa
restrictanonymous
1