Sophos

W32/Rbot-ADJ

Aliases
  • Backdoor.Win32.Rbot.gen
  • W32/Sdbot.worm.gen.y
  • W32.Spybot.Worm
  • TROJ_RBOT.GEN
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 27 May 2005 21:34:01 (GMT)
Detected by All Sophos products
Sophos beta program Sophos beta program
Register now for our latest beta tests
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

More Information

W32/Rbot-ADJ is a worm with IRC backdoor functionality for the Windows platform.

W32/Rbot-ADJ spreads to other network computers by exploiting common buffer overflow vulnerabilites, including: LSASS (MS04-011), RPC-DCOM (MS04-012), MSSQL (MS02-039) (CAN-2002-0649) and UPNP (MS01-059) and by copying itself to network shares protected by weak passwords.

The following patches for the operating system vulnerabilities exploited by W32/Rbot-ADJ can be obtained from the Microsoft website:

MS04-011
MS04-012
MS02-039
MS01-059

W32/Rbot-ADJ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Rbot-ADJ copies itself to <Windows system folder>\Ad-Aware.exe and creates the following registry entries to run Ad-Aware.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ad-Aware
Ad-Aware.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Ad-Aware
Ad-Aware.exe

W32/Rbot-ADJ may also set the following registry entry:

HKCU\Software\Microsoft\OLE
Ad-Aware
Ad-Aware.exe

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer