Sophos

W32/Rbot-AFP

Aliases
  • Backdoor.Win32.Rbot.pj
  • W32/Sdbot.worm.gen.bg
  • W32.Spybot.Worm
  • WORM_RBOT.BOD
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Protection available since 17 June 2005 12:45:09 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Close the registry editor.

Check the following items

  • To renable DCOM you can edit the registry, but it's better to use Dcomcnfg.exe. See Microsoft article 825750 for details.
  • The HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1" setting does not allow enumeration of SAM accounts and names. The default is "0". It can be changed in Local Security Policy. See Microsoft article 246261 for details.

More Information

W32/Rbot-AFP is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AFP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access to and control over the computer via IRC channels.

W32/Rbot-AFP spreads to network computers protected by weak passwords and through a number of software vulnerabilities. W32/Rbot-AFP is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AFP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access to and control over the computer via IRC channels.

W32/Rbot-AFP spreads to network computers protected by weak passwords and through the following software vulnerabilities:

LSASS and IIS5SSL (MS04-011)
RPC-DCOM (MS04-012)
weak administrator accounts on Microsoft SQL servers

When first run W32/Rbot-AFP copies itself to <System>\wintnask32.exe and sets the following registry entries to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wintnask32.exe
wintnask32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
wintnask32.exe
wintnask32.exe

The following registry entries are also set:

HKCU\Software\Microsoft\OLE
wintnask32.exe
wintnask32.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

The following patches for the operating system vulnerabilities exploited by W32/Rbot-AFP can be obtained from the Microsoft website:

MS04-011
MS04-012

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer