high
Summary
Summary
Action- More Information
| Protection available since | 29 June 2004 07:43:51 (GMT) |
|---|---|
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Rbot-CC is a member of the W32/Rbot family of worms with backdoor
component.
In order to run automatically when Windows starts up the worm copies
itself to the file goawv.exe in the Windows system folder
and adds the following registry entries pointing to this file:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OutlookExpress
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookExpress
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\OutlookExpress
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\OutlookExpress
The worm also adds the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\0utlook Express = "goawv.exe"
HKCU\Software\Microsoft\OLE\0utlook Express = "goawv.exe"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\0utlook Express = "goawv.exe"
HKCU\SYSTEM\CurrentControlSet\Control\Lsa\0utlook Express = "goawv.exe"
HKLM\SYSTEM\ControlSet001\Control\Lsa\0utlook Express = "goawv.exe"
and sets the entries:
HKLM\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous = 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
When active W32/Rbot-CC attempts to connect to a remote IRC server and
enables a malicious user to remotely control the infected computer via
a specific IRC channel.
|
