W32/Rbot-APJ

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Network shares
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	28 September 2005 21:42:59 (GMT)
Last updated	17 October 2005 09:08:53 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

Please read the instructions for removing W32/Rbot-APJ.

More Information

Summary
Action
More Information

W32/Rbot-APJ is a network worm with backdoor Trojan functionality for the Windows platform.

W32/Rbot-APJ spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans. W32/Rbot-APJ is a network worm with backdoor Trojan functionality for the Windows platform.

W32/Rbot-APJ spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and PnP) and using backdoors opened by other worms or Trojans.

W32/Rbot-APJ can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-APJ can be instructed by a remote user to perform the following functions:

capture screen/webcam images
download/execute arbitrary files
log keypresses
packet sniffing
port scanning
start a Proxy server
start a remote shell (RLOGIN)
start a web server
start an FTP server
steal product registration information from certain software
take part in distributed denial of service (DDoS) attacks

The worm copies itself to a file named mswin.pif in the Windows system folder and creates the following registry entries:

HKCU\Software\Microsoft\OLE
MS Sys Security
"mswin.pif"

HKCU\SYSTEM\CUrrentControlSet\Control\Lsa
MS Sys Security
"mswin.pif"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MS Sys Security
"mswin.pif"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
MS Sys Security
"mswin.pif"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS Sys Security
"mswin.pif"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS Sys Security
"mswin.pif"

HKLM\SOFTWARE\Microsoft\OLE
MS Sys Security
"mswin.pif"

HKLM\SYSTEM\CUrrentControlSet\Control\Lsa
MS Sys Security
"mswin.pif"

Patches for the operating system vulnerabilities exploited by W32/Rbot-APJ can be obtained from Microsoft at:

MS01-059
MS03-007
MS04-011
MS04-012
MS05-039

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Rbot-APJ

Summary

Action

More Information