W32/Rbot-YH

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Rbot-YH is a network worm with backdoor functionality for the Windows platform.

W32/Rbot-YH is capable of spreading to computers on the local network that are protected by weak passwords, once it receives the appropriate command over its backdoor channel.

W32/Rbot-YH will attempt to spread by exploiting the following vulnerabilities:

DCOM (MS04-012)
LSASS (MS04-011)
Workstation Service (MS03-049)
Backdoors left open by other worms and Trojans such as W32/Sasser.

When first run, W32/Rbot-YH copies itself to the Windows system folder as NESE.EXE and runs that copy. The copy then attempts to delete the original file. In order to run each time the computer starts or a user logs in, W32/Rbot-YH sets the following registry entries (key, then value name = data):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Neser Experience = nese.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    Microsoft Neser Experience = nese.exe

W32/Rbot-YH will also set the following registry entry:

HKCU\Software\Microsoft\OLE
    Microsoft Neser Experience = nese.exe

The worm runs continuously in the background, providing backdoor access to the infected computer through an IRC channel from which it receives commands.

W32/Rbot-YH can modify the following registry values in order to enable or disable DCOM, and to relax or tighten the restrictions on anonymous (null-session) access to the IPC$ share:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous

W32/Rbot-YH can add and delete network shares and users on the infected computer.
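The following script is an added example for responders and is not Sophos tooling or part of this description. It sweeps a single host for the indicators listed above (the dropped NESE.EXE, the three "Microsoft Neser Experience" registry values) and reports the current EnableDCOM and restrictanonymous values so they can be compared against the organisation's baseline. It assumes an elevated PowerShell session and that the "Windows system folder" is %SystemRoot%\System32; it is read-only and makes no changes.

```powershell
# Added example (not Sophos code): read-only sweep for W32/Rbot-YH indicators.
# Assumptions: elevated PowerShell; system folder is %SystemRoot%\System32.

# Registry values the worm sets for persistence / as a marker (from the description).
$indicators = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'Microsoft Neser Experience' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'Microsoft Neser Experience' },
    @{ Path = 'HKCU:\Software\Microsoft\OLE';                                Name = 'Microsoft Neser Experience' }
)

$findings = @()

# 1. Dropped copy of the worm in the system folder.
$dropped = Join-Path $env:SystemRoot 'System32\nese.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
}

# 2. Persistence / marker values. RunServices only exists on Windows 9x/Me,
#    so the key being absent on NT-based systems is expected, not suspicious.
foreach ($i in $indicators) {
    if (Test-Path -LiteralPath $i.Path) {
        $data = (Get-ItemProperty -LiteralPath $i.Path -ErrorAction SilentlyContinue).($i.Name)
        if ($null -ne $data) {
            $findings += "Registry value: $($i.Path)\$($i.Name) = $data"
        }
    }
}

# 3. A running process named after the dropped file.
$proc = Get-Process -Name 'nese' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "Process running: nese.exe (PID $($proc.Id -join ', '))"
}

# 4. Settings the backdoor can toggle. EnableDCOM is a REG_SZ 'Y'/'N';
#    restrictanonymous is a DWORD (0 = no restriction, 1 or 2 = restricted).
#    The page does not say which way the worm flips them, so just report them
#    and compare with the expected baseline for this host.
$dcom = (Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue).EnableDCOM
$ra   = (Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).restrictanonymous
"EnableDCOM        = $dcom"
"restrictanonymous = $ra"

if ($findings.Count -eq 0) {
    'No W32/Rbot-YH indicators found on this host.'
} else {
    'W32/Rbot-YH indicators found:'
    $findings | ForEach-Object { "  $_" }
}
```

Because the worm can add shares and local users on command, a host that shows any of these indicators should also have its local accounts (`Get-LocalUser`) and shares (`Get-SmbShare`) reviewed against a known-good list before it is returned to the network.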
