W32/Rbot-AFF

Please follow the instructions for removing worms.

W32/Rbot-AFF is an IRC backdoor Trojan and network worm.

W32/Rbot-AFF may spread to remote network shares protected by weak passwords and computers vulnerable to common exploits. The worm also opens up a backdoor, allowing unauthorised remote access to infected computers via the IRC network, while running in the background as a service process. The worm exploits the following vulnerabilities: RPC-DCOM (MS04-12), LSASS (MS04-11), WKS (MS03-049) and MSSQL (MS02-039). For patches for these vulnerabilities, see:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

W32/Rbot-AFF can receive commands from a remote intruder to delete network shares, log keypresses, participate in DDoS attacks, scan other computers for vulnerabilities, steal passwords, steal registration keys for computer games, create administrator accounts, terminate firewall and anti-virus processes and capture video from webcameras attached to the computer.

When first run W32/Rbot-AFF copies itself to <System>\norten.exe.

The following registry entries are created to run norten.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NortE Antivirus
norten.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
NortE Antivirus
norten.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
NortE Antivirus
norten.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1