W32/Rbot-AY is a worm and backdoor. The worm spreads by exploiting various
operating system vulnerabilities, weak passwords on shares and SQL servers
and backdoors opened by other worms and Trojans.
W32/Rbot-AY creates a copy of itself named video_32D.exe in the Windows
system folder and adds the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA Video drivers
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA Video drivers
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\NVIDIA Video drivers
The worm can be controlled by a remote attacker via IRC.
W32/Rbot-AY may log user keystrokes and terminate the following processes:
i11r54n4.exe
irun4.exe
d3dupdate.exe
rate.exe
ssate.exe
winsys.exe
winupd.exe
SysMonXP.exe
bbeagle.exe
Penis32.exe
teekids.exe
MSBLAST.exe
mscvb32.exe
sysinfo.exe
PandaAVEngine.exe
wincfg32.exe
taskmon.exe
zonealarm.exe
navapw32.exe
navw32.exe
zapro.exe
msblast.exe
netstat.exe
msconfig.exe
regedit.exe
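
A host check for the persistence indicators described above (the video_32D.exe copy in the Windows system folder and the three "NVIDIA Video drivers" autorun entries), as an added PowerShell example that is not part of the original description. The function name Test-RbotAyIndicators is hypothetical; the key paths, value name and file name are the ones listed above.

```powershell
# Added example: look for the W32/Rbot-AY persistence indicators on a host.
# Test-RbotAyIndicators is a hypothetical name chosen for this example.
function Test-RbotAyIndicators {
    [CmdletBinding()]
    param()

    $valueName = 'NVIDIA Video drivers'   # autorun value name from the description
    $fileName  = 'video_32D.exe'          # name of the dropped copy

    # The three autorun keys from the description, as PowerShell registry paths.
    # HKCU: is the hive of the account running the check, not of every profile.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    )

    $findings = @()

    foreach ($key in $runKeys) {
        # A missing key or value is the normal clean case, so errors are suppressed.
        $prop = Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $findings += [pscustomobject]@{
                Type     = 'RegistryValue'
                Location = "$key\$valueName"
                Detail   = [string]$prop.$valueName   # command line the value launches
            }
        }
    }

    # "Windows system folder" is resolved through the OS rather than hard-coded.
    $dropped = Join-Path ([Environment]::SystemDirectory) $fileName
    if (Test-Path -LiteralPath $dropped -PathType Leaf) {
        $item = Get-Item -LiteralPath $dropped -Force   # -Force also returns hidden files
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $item.FullName
            Detail   = "Size=$($item.Length); Created=$($item.CreationTimeUtc.ToString('u'))"
        }
    }

    return $findings
}

Test-RbotAyIndicators | Format-Table -AutoSize -Wrap
```

The HKCU check covers only the account running the script, so run it in the context of each logged-on user when checking a shared machine.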