Sophos

W32/Rbot-AVZ

Aliases
  • Backdoor.Win32.Rbot.agi
  • WORM_RBOT.CON

Summary

How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 7 November 2005 04:01:32 (GMT)
Last updated 22 December 2005 19:10:39 (GMT)
Detected by All Sophos products

More Information

W32/Rbot-AVZ is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AVZ spreads:

- to other network computers infected with Troj/Kuang
- to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011), RPC-DCOM (MS04-012) and PNP (MS05-039)
- by copying itself to network shares protected by weak passwords.

W32/Rbot-AVZ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When W32/Rbot-AVZ is installed it creates the file <System>\svkp.sys.

The file SVKP.sys is registered as a new system driver service named "SVKP", with a display name of "SVKP" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\SVKP\

This file may be deleted.

W32/Rbot-AVZ includes functionality to:

- carry out DDoS flooder attacks
- silently download, install and run new software
- access the internet and communicate with a remote server via HTTP

When first run W32/Rbot-AVZ copies itself to <System>\msnsmgs.exe.

The following registry entries are created to run msnsmgs.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
msn upddate
mesenger.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msn upddate
mesenger.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
msn upddate
mesenger.exe
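As an added example that is not part of the Sophos description, the following Python script parses a `reg export` text file offline and flags the persistence entries listed above (the "msn upddate" values under the three keys and the SVKP driver service). The registry export it runs on is constructed for the demonstration, not a real capture.

```python
import re

# Constructed sample of a `reg export` of the affected keys (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msn upddate"="mesenger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"msn upddate"="mesenger.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"msn upddate"="mesenger.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVKP]
"DisplayName"="SVKP"
"Start"=dword:00000002
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\svkp.sys"
'''

# Persistence locations and names taken from the description above (lower-cased for matching).
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\ole",
)
VALUE_NAME = "msn upddate"
SERVICE_KEY = r"hkey_local_machine\system\currentcontrolset\services\svkp"
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg_export(text):
    """Return {key (lower-cased): {value_name: raw_data}}; flat string/dword values only."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := _KEY_RE.match(line):
            current = keys.setdefault(m.group(1).lower(), {})
        elif (m := _VALUE_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
    return keys

def find_rbot_avz_indicators(text):
    """List the W32/Rbot-AVZ persistence entries present in a .reg export."""
    keys, hits = parse_reg_export(text), []
    for key in RUN_KEYS:
        if VALUE_NAME in keys.get(key, {}):
            hits.append(f"{key}: '{VALUE_NAME}' = {keys[key][VALUE_NAME]}")
    if svc := keys.get(SERVICE_KEY):
        # Start=dword:00000002 is SERVICE_AUTO_START, the 'automatic' startup type noted above.
        auto = svc.get("Start", "").lower() == "dword:00000002"
        hits.append(f"{SERVICE_KEY}: driver service, ImagePath={svc.get('ImagePath')}, autostart={auto}")
    return hits
```

Run it against `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` style output from a suspect host; an empty list means none of the listed entries were found.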

The following patches for the operating system vulnerabilities exploited by W32/Rbot-AVZ can be obtained from the Microsoft website:

- MS04-011
- MS04-012
- MS05-039
