W32/Rbot-AD

Please follow the instructions for removing worms.

Please read the instructions for removing W32/Rbot-AD.

W32/Rbot-AD is a network worm. The worm also contains backdoor Trojan
functionality, allowing unauthorised remote access to the infected computer via
IRC channels while running in the background as a service process.

W32/Rbot-AD spreads as a result of the backdoor Trojan element receiving the
appropriate command from a remote user. To spread the worm attacks network
shares with weak passwords, Microsoft SQL servers with weak administrator
passwords, operating system vulnerabilities and backdoors opened by other
worms. W32/Rbot-AD is a network worm. The worm also contains backdoor Trojan
functionality, allowing unauthorised remote access to the infected computer via
IRC channels while running in the background as a service process.

W32/Rbot-AD spreads as a result of the backdoor Trojan element receiving the
appropriate command from a remote user. To spread the worm attacks network
shares with weak passwords, Microsoft SQL servers with weak administrator
passwords, operating system vulnerabilities and backdoors opened by other
worms.

W32/Rbot-AD copies itself to the Windows system folder as SMSS32.EXE and
creates the following registry entries so that it is run on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Services

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Services

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Services

W32/Rbot-AD may set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-AD may try to delete the network shares on the host computer.