W32/Rbot-AEQ

Aliases	WORM_RBOT.BIJ W32.Spybot.Worm W32/Sdbot.worm.gen.h Backdoor.Win32.Rbot.rn
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	3 June 2005 19:44:48 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/Rbot-AEQ is a member of the W32/Rbot family of network worms. The worm can spread to computers vulnerable to the RPC-DCOM and Workstation Service exploits. The following patches for the operating system vulnerabilities exploited by W32/Rbot-AEQ can be obtained from the Microsoft website:

MS04-012
MS03-049

When first run W32/Rbot-AEQ copies itself to <Windows system folder>\msixec32.exe.

The following registry entries are created to run msixec32.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MS Internet Executor 32
MSIXEC32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS Internet Executor 32
MSIXEC32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS Internet Executor 32
MSIXEC32.exe

W32/Rbot-AEQ can be intructed to:

Act as an HTTP or FTP server
Scan for remote computers to spread to
Upload, download, and execute files
Create, delete, start, and stop services

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Rbot-AEQ

Summary

Action

More Information