W32/Rbot-ZE is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-ZE spreads as a result of the backdoor Trojan element receiving the appropriate command from a remote user. To spread, the worm attacks network shares with weak passwords and Microsoft SQL servers with weak administrator passwords.
W32/Rbot-ZE copies itself to the Windows system folder as Nxcao.exe and creates entries at the following locations in the registry so as to run itself on system startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Office = "Nxcao.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft Office = "Nxcao.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Office = "Nxcao.exe"
W32/Rbot-ZE may set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-ZE may try to delete the network shares on the host computer.
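A defender-side check for the registry changes listed above, added here as an example and not taken from the original description: it parses a `reg export`-style text dump (a constructed sample is embedded) and flags the autorun entries and setting changes the description names. The `.reg` parsing and the matching logic are assumptions of this example, not part of the published analysis.

```python
from typing import Dict, List

# Autorun keys named in the description; registry paths are case-insensitive, so all comparisons are lowercased.
AUTORUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# (key, value name) -> data the description says the worm may write.
# restrictanonymous is a REG_DWORD, which `reg export` writes as dword:00000001.
HARDENING_CHANGES = {
    (r"hkey_local_machine\software\microsoft\ole", "enabledcom"): {"n"},
    (r"hkey_local_machine\system\currentcontrolset\control\lsa", "restrictanonymous"): {"1", "dword:00000001"},
}

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"=data lines of a .reg export into {key: {name: data}}, lowercased."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"').lower()] = data.strip().strip('"').lower()
    return keys

def find_rbot_ze_indicators(text: str) -> List[str]:
    """Return one finding per Rbot-ZE autorun entry or hardening change present in the export."""
    findings: List[str] = []
    for key, values in parse_reg_export(text).items():
        if key in AUTORUN_KEYS:
            for name, data in values.items():
                if name == "microsoft office" and "nxcao.exe" in data:
                    findings.append(f"autorun: {key}\\{name} = {data}")
        for (hkey, hname), bad in HARDENING_CHANGES.items():
            if key == hkey and values.get(hname) in bad:
                findings.append(f"setting changed: {key}\\{hname} = {values[hname]}")
    return findings

# Constructed sample export: one persistence entry, one benign entry, one changed setting.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Office"="Nxcao.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""
```

On a real host, export the keys with `reg export` (the file is written as UTF-16, so open it with `encoding="utf-16"`) and pass its text to `find_rbot_ze_indicators`; a hit is a lead for investigation rather than proof of infection, since the value name is chosen to look legitimate.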