Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 21 September 2005 04:26:09 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Rbot-AON is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AON spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: ASN.1 (MS04-007) and PNP (MS05-039).
W32/Rbot-AON runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-AON includes functionality to:
- perform port scanning
- carry out DDoS flooder attacks
- silently download, install and run new software
- steal information
When first run, W32/Rbot-AON copies itself to <System>\msdx.exe.
The following registry entries are created to run lserv.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Micr0s0ft Ms D0s
msdx.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Micr0s0ft Ms D0s
msdx.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Micr0s0ft Ms D0s
msdx.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Micr0s0ft Ms D0s
msdx.exe

Registry entries are set as follows:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Micr0s0ft Ms D0s
msdx.exe

HKLM\SOFTWARE\Microsoft\Ole
Micr0s0ft Ms D0s
msdx.exe

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Micr0s0ft Ms D0s
msdx.exe

HKCU\Software\Microsoft\OLE
Micr0s0ft Ms D0s
msdx.exe

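
A read-only check for the indicators listed above, written in PowerShell as an added example (it is not part of the original Sophos description). It assumes the `<System>` placeholder refers to the Windows system directory; the function name `Find-RbotAonIndicator` is hypothetical.

```powershell
# Added example, not Sophos code: read-only check for the W32/Rbot-AON
# persistence indicators listed on this page. Nothing is modified or deleted.
$ValueName = 'Micr0s0ft Ms D0s'   # registry value name from the page
$FileName  = 'msdx.exe'           # dropped file name from the page

# The eight registry keys the description lists (PowerShell drive syntax).
$Keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    'HKLM:\SOFTWARE\Microsoft\Ole'
    'HKCU:\SYSTEM\CurrentControlSet\Control\Lsa'
    'HKCU:\Software\Microsoft\OLE'
)

# Hypothetical helper: returns one object per key that holds the value name.
function Find-RbotAonIndicator {
    param([string[]]$KeyPath, [string]$Name, [string]$ExpectedData)
    foreach ($key in $KeyPath) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $data = [string]$props.$Name
        [pscustomobject]@{
            Key         = $key
            ValueName   = $Name
            ValueData   = $data
            DataMatches = $data -like "*$ExpectedData*"
        }
    }
}

$hits = @(Find-RbotAonIndicator -KeyPath $Keys -Name $ValueName -ExpectedData $FileName)

# Assumption: the page's <System> placeholder is the Windows system directory.
$dropPath = Join-Path ([Environment]::SystemDirectory) $FileName
$fileHit  = Test-Path -LiteralPath $dropPath -PathType Leaf

$hits | Format-Table -AutoSize -Wrap
"Dropped file present at ${dropPath}: $fileHit"
if ($hits.Count -gt 0 -or $fileHit) {
    'Indicators found: follow the removal instructions.'
} else {
    'No W32/Rbot-AON indicators from this page were found.'
}
```

The HKCU keys are read from the hive of the account running the script, so on a multi-user machine the check has to be repeated per user profile.
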
The following patches for the operating system vulnerabilities exploited by W32/Rbot-AON can be obtained from the Microsoft website:
