high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 27 May 2005 13:53:47 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Rbot-ADQ is a member of the W32/Rbot family of network worms. The worm can spread to weakly protected network shares, to wekaly protected Micrsoft SQL servers, via NetBIOS, to computers vulnerable to the RPC-DCOM, LSASS, Workstation Service exploits.
The following patches for the operating system vulnerabilities exploited by W32/Rbot-ADQ can be obtained from the Microsoft website:
In order to run automatically when Windows starts up the worm copies itself to the Windows system folder as msngs.exe and creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
data
msngs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
data
msngs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
data
msngs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
data
msngs.exe
Once installed, W32/Rbot-ADQ connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:
Scan for remote computers to spread to
Act as an HTTP or an FTP server
Participate in distributed denial-of-service (DDoS) attacks
Upload, download, search for, and execute files
Log any keystrokes made on the infected computer
Terminate any security software
Add and delete network shares
|
