W32/Rbot-AUS

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AdobeReaderPro
msnxpsp.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
AdobeReaderPro
msnxpsp.exe

and delete them if they exist.

Close the registry editor.

W32/Rbot-AUS is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AUS spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.

W32/Rbot-AUS can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-AUS can be instructed by a remote user to perform the following functions:

start an FTP server
start a web server
take part in distributed denial of service (DDoS) attacks
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)

W32/Rbot-AUS runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Rbot-AUS copies itself to <System>\msnxpsp.exe.

The following registry entries are created to run msnxpsp.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AdobeReaderPro
msnxpsp.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
AdobeReaderPro
msnxpsp.exe

The following registry entry is set:

HKCU\Software\Microsoft\OLE
AdobeReaderPro
msnxpsp.exe