Sophos

W32/Rbot-ASZ

Aliases
  • Backdoor.Win32.Rbot.agl
  • W32/Sdbot.worm.gen.l
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 21 October 2005 15:06:11 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

More Information

W32/Rbot-ASZ is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-ASZ may spread to remote network shares with weak passwords or by exploiting any of the following system vulnerabilities: RPC-DCOM (MS04-012), PNP (MS05-039), ASN.1 (MS04-007).

W32/Rbot-ASZ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Rbot-ASZ copies itself to <System>\svch32.pif.

The following registry entries are created to run svch32.pif on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SVCH Service
svch32.pif

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SVCH Service
svch32.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
SVCH Service
svch32.pif

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
SVCH Service
svch32.pif

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
SVCH Service
svch32.pif

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
SVCH Service
svch32.pif

HKCU\Software\Microsoft\OLE
SVCH Service
svch32.pif

HKLM\SOFTWARE\Microsoft\Ole
SVCH Service
svch32.pif

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer