W32/Rbot-ABQ

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\RunServices\

and remove any reference to any file you deleted.

Close the registry editor.

Check the following items

• To renable DCOM you can edit the registry, but it's better to use Dcomcnfg.exe. See Microsoft article 825750 for details.
• The HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1" setting does not allow enumeration of SAM accounts and names. The default is "0". It can be changed in Local Security Policy. See Microsoft article 246261 for details.
• Check your administrator passwords and review network security.
• Delete the file KES.TXT in the Windows system folder, if it is present.

W32/Rbot-ABQ is a member of the W32/Rbot family of worms with a backdoor component that spread on weakly protected network shares on the Windows platform.

W32/Rbot-ABQ also has a backdoor component that allows a malicious user remote access to an infected computer. W32/Rbot-ABQ is a member of the W32/Rbot family of worms with a backdoor component that spread on weakly protected network shares on the Windows platform.

W32/Rbot-ABQ spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Rbot-ABQ copies itself to the Windows system folder with the filename N0D32KRN.EXE and creates entries at the following locations in the registry with the value "Nod3d2 Free antivirus" so as to run itself on system startup, resetting these values every 8 seconds:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

W32/Rbot-ABQ also sets the following registry entry with the same value to point
to itself:

HKLM\Software\Microsoft\OLE
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HKCU\Software\Microsoft\OLE
HKCU\SYSTEM\CurrentControlSet\Control\Lsa

W32/Rbot-ABQ attempts to set the following registry entries every 2 minutes:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
"N"

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
"1"

W32/Rbot-ABQ attempts to delete network shares on the host computer every 2 minutes.

W32/Rbot-ABQ also has a backdoor component that allows a malicious user remote access to an infected computer.

When run the worm attempts to contact a remote IRC server and join a specific channel to listen for commands.

W32/Rbot-ABQ may attempt to terminate certain processes relating to anti-virus and security programs.

W32/Rbot-ABQ may attempt to overwrite the HOSTS file to prevent access to certain anti-virus websites.

W32/Rbot-ABQ may attempt to log keystrokes to the file KES.TXT in the Windows system folder.