W32/Rbot-AXO

Please follow the instructions for removing worms.

W32/Rbot-AXO is a network worm with backdoor functionality for the Windows platform.

W32/Rbot-AXO spreads:

- to other network computers infected with: Troj/Kuang, Troj/Sub7, Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WebDav (MS03-007), IIS5SSL (MS04-011) (CAN-2003-0719), UPNP (MS01-059) and Dameware (CAN-2003-1030)
- by copying itself to network shares and SQL servers protected by weak passwords

W32/Rbot-AXO runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. The backdoor component of W32/Rbot-AXO can be instructed by a remote user to perform the following functions:

start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
steal product registration information from certain software

Patches for the operating system vulnerabilities exploited by W32/Rbot-AXO can be obtained from Microsoft at:

MS01-059
MS03-007
MS04-011
MS04-012

The worm copies itself to a file named win32.exe in the Windows system folder and creates the following registry entries:

HKCU\Software\Microsoft\OLE
blah service
win32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
blah service
win32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
blah service
win32.exe