W32/Rbot-ABN

Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Network shares Peer-to-peer
Affected operating systems	Windows
Protection available since	30 April 2005 16:01:48 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing Trojans.

More Information

Summary
Action
More Information

W32/Rbot-ABN is a network worm with backdoor Trojan functionality for the Windows platform.

The worm copies itself to a file named winsN2S.exe in the Windows system folder and creates the following registry entries to run itself on system restart or logon:

HKCU\Software\Microsoft\OLE
Windows NetStart Service2
winsN2S.exe

HKCU\System\CurrentControlSet\Control\Lsa
Windows NetStart Service2
winsN2S.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows NetStart Service2
winsN2S.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows NetStart Service2
winsN2S.exe

HKLM\Software\Microsoft\OLE
Windows NetStart Service2
winsN2S.exe

HKLM\System\CurrentControlSet\Control\Lsa
Windows NetStart Service2
winsN2S.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows NetStart Service2
winsN2S.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows NetStart Service2
winsN2S.exe

W32/Rbot-ABN spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

W32/Rbot-ABN can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-ABN can be instructed by a remote user to perform the following functions:

start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
steal product registration information from certain software

Patches for the operating system vulnerabilities exploited by W32/Rbot-ABN can be obtained from Microsoft at:

MS04-012
MS03-039
MS03-007
MS01-059

Sophos's anti-virus products include Genotype ™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Rbot-ABN (detected as W32/Rbot-Fam) since version 3.92.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Rbot-ABN

Summary

Action

More Information