Sophos

W32/Rbot-AEF

Aliases
  • W32.Spybot.Worm
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 2 June 2005 13:22:44 (GMT)
Detected by All Sophos products
Sophos beta program Sophos beta program
Register now for our latest beta tests
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\RunServices\

and remove any reference to any file you deleted.

Close the registry editor.

More Information

W32/Rbot-AEF is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AEF runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

Sophos's anti-virus products include Genotype detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Rbot-AEF (detected as W32/Rbot-Fam) since version 3.88. W32/Rbot-AEF is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AEF runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Rbot-AEF copies itself to <System>\winsys.exe.

The following registry entries are created to run winsys.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows System
WINSYS.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows System
WINSYS.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows System
WINSYS.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows System
WINSYS.exe

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Windows System
WINSYS.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Windows System
WINSYS.exe

HKCU\Software\Microsoft\OLE
Windows System
WINSYS.exe

HKLM\SOFTWARE\Microsoft\Ole
Windows System
WINSYS.exe

Sophos's anti-virus products include Genotype detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Rbot-AEF (detected as W32/Rbot-Fam) since version 3.88.

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer