high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 5 April 2006 08:18:11 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Rbot-CZH is a worm which attempts to spread to remote network shares. It
also contains backdoor Trojan functionality, allowing unauthorized remote
access to the infected computer via IRC channels while running in the
background as a service process.
The worm spreads to network shares with weak passwords and also by using the
LSASS security exploit (MS04-011) and the RPC-DCOM security exploit (MS04-012).
When run W32/Rbot-CZH moves itself to the Windows System folder as a hidden,
read-only, system file named msdconfig.exe.
The worm then creates the following registry entries so as to run itself on
computer logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MS Config
msdconfig.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
MS Config
msdconfig.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MS Config
msdconfig.exe
The worm sets the following registry entries every two minutes:
W32/Rbot-CZH sets the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
Once installed, W32/Rbot-CZH will terminate various anti-virus and security
related applications and processes.
|
