high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 3 February 2006 22:43:55 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Rbot-BYM is a worm and IRC backdoor for the Windows platform.
W32/Rbot-BYM connects to an IRC channel and listens for backdoor commands from a remote attacker.
W32/Rbot-BYM spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
The worm drops a file detected as Troj/Batten-A. W32/Rbot-BYM is a worm and IRC backdoor for the Windows platform.
W32/Rbot-BYM connects to an IRC channel and listens for backdoor commands from a remote attacker.
W32/Rbot-BYM spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
When first run W32/Rbot-BYM copies itself to <Windows system folder>\spxp.exe and creates the file \a.bat. The following registry entries are created in order to run spxp.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The Service Pack Loader
spxp.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
The Service Pack Loader
spxp.exe
The file a.bat is detected as Troj/Batten-A.
|
