Sophos

W32/Rbot-AKA

Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Protection available since 5 August 2005 09:29:17 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

More Information

W32/Rbot-AKA is a network worm with backdoor Trojan functionality for the Windows platform.

W32/Rbot-AKA spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS and WKS) and using backdoors opened by other worms or Trojans.

W32/Rbot-AKA can be controlled by a remote attacker over IRC channels. W32/Rbot-AKA is a network worm with backdoor Trojan functionality for the Windows platform.

The worm copies itself to a file named tskmgr.exe in the Windows system folder and creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MS taskmanager
"tskmgr.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS taskmanager
"tskmgr.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS taskmanager
"tskmgr.exe"

The worm may also set the following registry values:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
"N"

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
dword:00000001

W32/Rbot-AKA spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS and WKS) and using backdoors opened by other worms or Trojans.

W32/Rbot-AKA can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-AKA can be instructed by a remote user to perform the following functions:

  • start an FTP server
  • start a Proxy server
  • start a web server
  • take part in distributed denial of service (DDoS) attacks
  • log keypresses
  • capture screen/webcam images
  • packet sniffing
  • port scanning
  • download/execute arbitrary files
  • start a remote shell (RLOGIN)
  • steal product registration information from certain software

Patches for the operating system vulnerabilities exploited by W32/Rbot-AKA can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms02-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer