W32/Rbot-ZC is a network worm that spreads via network shares. It also contains backdoor functionality, controlled over IRC channels, that gives an attacker unauthorised remote access to the infected computer while the worm runs in the background.
The worm copies itself to network shares protected by weak passwords, and also propagates by exploiting the LSASS vulnerability addressed by Microsoft Security Bulletin MS04-011 and the RPC-DCOM vulnerability addressed by MS03-039. Hosts that have applied those patches cannot be compromised by the exploit route, but the weak-password route remains open.
When run, W32/Rbot-ZC moves itself to the Windows System folder as a file named sys.exe with the hidden, read-only and system attributes set, so that it does not appear in a default Explorer listing.
The worm then creates the following registry entries so that it runs at every logon. In each case the value name is "Sygate Personal Firewall", chosen to masquerade as a legitimate personal-firewall product, and the value data is sys.exe, the copy in the Windows System folder:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sygate Personal Firewall
sys.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Sygate Personal Firewall
sys.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sygate Personal Firewall
sys.exe
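The following Python script is an added example; it is not part of the original write-up and not code from the worm. It parses a .reg export and flags the persistence values listed above: an autorun value named "Sygate Personal Firewall" whose data resolves to sys.exe. The registry contents in SAMPLE_REG_EXPORT are constructed for the demonstration (not a real capture), and the function names are assumptions made for illustration.

```python
import re
from typing import Dict, List, Tuple

# Autorun keys from the write-up, lower-cased for case-insensitive comparison.
# HKLM\...\RunServices is only honoured by Windows 9x/Me, but the worm writes
# it regardless, so it stays on the watch list.
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Indicators from the write-up: the impersonated value name and the dropped file name.
SUSPECT_VALUE_NAME = "sygate personal firewall"
SUSPECT_FILE = "sys.exe"

# Constructed .reg export for the demonstration (assumption: not a real capture).
# Two autorun keys carry the worm's value; the Uninstall key is noise to be ignored.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Sygate Personal Firewall"="sys.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Sygate Personal Firewall"="C:\\WINDOWS\\system32\\sys.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Sygate]
"DisplayName"="Sygate Personal Firewall"
"""

_SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping of backslashes and double quotes inside a quoted string."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key: {value_name: data}}.

    Only quoted REG_SZ data is decoded; hex:/dword: data is kept verbatim,
    which is sufficient here because autorun entries are strings.
    """
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("key")
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            result[current][_unescape(m.group("name"))] = data
    return result


def _basename(command: str) -> str:
    """Last path component of an autorun command, ignoring surrounding quotes."""
    return command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_rbot_zc_persistence(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for each autorun value matching the worm's indicators."""
    hits: List[Tuple[str, str, str]] = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in AUTORUN_KEYS:
            continue
        for name, data in values.items():
            if name.lower() == SUSPECT_VALUE_NAME and _basename(data) == SUSPECT_FILE:
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_rbot_zc_persistence(SAMPLE_REG_EXPORT):
        print(f"{key}\n  {name} = {data}")
```

On a suspect host, `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` produces a file in this format; note that reg.exe writes it as UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing it to find_rbot_zc_persistence. The check deliberately matches on the file name rather than on the full path, because the data is sometimes the bare name and sometimes the path into the System folder; a legitimate product entry, by contrast, points into the product's own install directory rather than at a generically named file in the System folder.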
Once installed, W32/Rbot-ZC can perform the following actions when instructed to do so by a remote attacker over the IRC backdoor:
scan ports
delete network share folders
participate in distributed denial of service (DDoS) attacks
download and run files from the Internet
steal CD game keys
log keystrokes
capture clipboard data
create an HTTPD server
create a SOCKS4 server
perform DCC file transfers over IRC channels
capture screen displays and images from web cameras