Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 10 November 2005 03:04:14 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Rbot-AWR is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AWR runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-AWR spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including LSASS, WebDAV, PNP and UPNP) and using backdoors opened by other worms or Trojans.
W32/Rbot-AWR can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-AWR can be instructed by a remote user to perform the following functions:
- start an FTP server
- take part in distributed denial of service (DDoS) attacks
- capture screen/webcam images
- packet sniffing
- port scanning
- download/execute arbitrary files
- start a remote shell (RLOGIN)
When first run, W32/Rbot-AWR copies itself to <System>\msed32.exe. The following registry entries are created to run msed32.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MICROSFT RAMA UPDATE SUPPORT
MSED32.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MICROSFT RAMA UPDATE SUPPORT
MSED32.EXE
The following registry entry is set:
HKCU\Software\Microsoft\OLE
MICROSFT RAMA UPDATE SUPPORT
MSED32.EXE
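A host check for the persistence artifacts listed above, as an added example that is not part of the original analysis: it reads the three registry keys for the listed value name or any data referencing msed32.exe, then looks for the file in the system folder. Also checking SysWOW64 is an assumption made for 64-bit Windows.

```powershell
# Added example. Value name and file name come from the analysis above.
$valueName = 'MICROSFT RAMA UPDATE SUPPORT'
$fileName  = 'msed32.exe'
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\OLE'   # HKCU covers only the user running this script
)

$findings = @()

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        $data = [string]$regKey.GetValue($name)
        # Flag the value if either its name or its data matches the analysis.
        if ($name -eq $valueName -or $data -like "*$fileName*") {
            $findings += [pscustomobject]@{
                Type = 'Registry'; Location = $key; Name = $name; Detail = $data
            }
        }
    }
}

# <System> is the Windows system folder. SysWOW64 is included as an assumption:
# a 32-bit process on 64-bit Windows is redirected there.
$dirs = @([Environment]::SystemDirectory, (Join-Path $env:SystemRoot 'SysWOW64')) |
    Select-Object -Unique
foreach ($dir in $dirs) {
    $path = Join-Path $dir $fileName
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $dir; Name = $fileName
            Detail = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No W32/Rbot-AWR persistence artifacts found.'
}
```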
Patches for the operating system vulnerabilities exploited by W32/Rbot-AWR can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx
