W32/Rbot-AAG

Please follow the instructions for removing worms.

W32/Rbot-AAG is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels. W32/Rbot-AAG is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels.

W32/Rbot-AAG spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Rbot-AAG copies itself to the Windows system folder with the filename NTOKSRNL.EXE and creates entries at the following locations in the registry with the value "NT Service" so as to run itself on system startup, resetting these values multiple times every minute:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

W32/Rbot-AAG also sets the following registry entry with the same value to point to itself:

HKCU\Software\Microsoft\OLE

W32/Rbot-AAG attempts to set the following registry entries every 2 minutes:

HKLM\Software\Microsoft\OLE
EnableDCOM
"N"

HKLM\System\CurrentControlSet\Control\Lsa
restrictanonymous
"1"

W32/Rbot-AAG attempts to delete network shares on the host computer every 2 minutes.

W32/Rbot-AAG attempts to terminate a number of processes related to security and anti-virus programs including REGEDIT.EXE, MSCONFIG.EXE and NETSTAT.EXE.

W32/Rbot-AAG may attempt to log keystrokes to the file K.DAT in the Windows system folder.