W32/Rbot-EK

Please follow the instructions for removing worms.

Please read the instructions for removing W32/Rbot-EK.

W32/Rbot-EK is a network worm and backdoor for the Windows platform.

W32/Rbot-EK allows a malicious user remote access to an infected computer via IRC.

W32/Rbot-EK spreads by exploiting network shares and Microsoft SQL servers with weak passwords, Windows operating system vulnerabilities and backdoors opened by other worms and Trojans.

Patches for the operating system vulnerabilities exploited by W32/Rbot-EK can be obtained from Microsoft at:

MS04-011
MS03-026
MS03-007
MS01-059 W32/Rbot-EK is a network worm and backdoor for the Windows platform.
W32/Rbot-EK allows a malicious user remote access to an infected computer via IRC.

In order to run automatically when Windows starts up W32/Rbot-EK copies itself to the Windows system folder as scvhost.exe and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Firewalll
= scvhost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Firewalll
= scvhost.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Firewalll
= scvhost.exe

W32/Rbot-EK terminates the following processes if they exist:

i11r54n4.exe
irun4.exe
d3dupdate.exe
rate.exe
ssate.exe
winsys.exe
winupd.exe
SysMonXP.exe
bbeagle.exe
Penis32.exe
teekids.exe
MSBLAST.exe
mscvb32.exe
sysinfo.exe
PandaAVEngine.exe
wincfg32.exetaskmon.exe
zonealarm.exe
navapw32.exe
navw32.exe
zapro.exe
msblast.exe
netstat.exe
msconfig.exe
regedit.exe

W32/Rbot-EK spreads by exploiting network shares and Microsoft SQL servers with weak passwords, Windows operating system vulnerabilities and backdoors opened by other worms and Trojans.

Patches for the operating system vulnerabilities exploited by W32/Rbot-EK can be obtained from Microsoft at:
MS04-011
MS03-026
MS03-007
MS01-059