Sophos

W32/Rbot-AMR

Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 4 September 2005 15:14:06 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

Please follow the instructions for removing worms.

Change any data that may have become compromised.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\RunServices\

and remove any reference to any file you deleted.

Close the registry editor.

More Information

W32/Rbot-AMR is an internet worm and backdoor Trojan for the Windows platform.

W32/Rbot-AMR spreads to other network computers by exploiting common buffer overflow vulnerabilites, including: RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares.

W32/Rbot-AMR runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. W32/Rbot-AMR is an internet worm and backdoor Trojan for the Windows platform.

W32/Rbot-AMR spreads to other network computers by exploiting common buffer overflow vulnerabilites, including: RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares.

The following patches for the operating system vulnerabilities exploited by W32/Rbot-AMR can be obtained from the Microsoft website:

MS04-012.
MS05-039.
MS04-007.

W32/Rbot-AMR runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Rbot-AMR copies itself to <System>\ms-dos.pif.

The following registry entries are created to run ms-dos.pif on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MS-DOS Security Service
ms-dos.pif

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS-DOS Security Service
ms-dos.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
MS-DOS Security Service
ms-dos.pif

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS-DOS Security Service
ms-dos.pif

W32/Rbot-AMR includes functionality to:

- execute arbitrary commands
- start an FTP server
- steal confidential information
- download, install and run new software, including updates of its software

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
MS-DOS Security Service
ms-dos.pif

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
MS-DOS Security Service
ms-dos.pif

HKCU\Software\Microsoft\OLE
MS-DOS Security Service
ms-dos.pif

HKLM\SOFTWARE\Microsoft\Ole
MS-DOS Security Service
ms-dos.pif

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer