Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | June 2008 (4.30) |
| Protection available since | 12 March 2008 23:34:35 (GMT) |
| Last updated | 15 April 2008 14:12:44 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
The name W32/Rbot-Fam is used where a file belongs to a particular family of worms, but the variant is not separately identified. Sophos's proactive protection technology will identify such files as a -Fam variant.
- Ensure that you are using the most recent IDE files, as more precise detection could now be available. If necessary, update with the latest IDE files and repeat the scan.
- Please send us a sample to assist in improving our technology.
- Use the instructions for removing generically detected files to delete the file from your computer.
- If you require further assistance with disinfection, contact support.
More Information
W32/Rbot-Fam is a family of worms which attempt to spread to remote network shares. The worms also contain backdoor Trojan functionality, allowing a malicious user remote access to the infected computer via IRC channels while the worm runs in the background as a service process. The worms have also been seen attempting to spread by email and via Instant Messaging programs.
W32/Rbot-Fam worms usually spread to network shares with weak passwords and via network security exploits, often only spreading as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Rbot-Fam worms copy themselves to the Windows system folder. The worms then set themselves to run on system startup either by creating entries in the registry or by creating a service. If they create registry entries, the worms often reset them at regular intervals, and the entries are most commonly found at the following locations:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Rbot-Fam worms may set the following registry entries, again often resetting them at regular intervals:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-Fam worms may delete the C$, D$, E$, IPC$ and ADMIN$ network shares on the host computer, again often deleting them at regular intervals.
W32/Rbot-Fam worms may attempt to terminate certain processes relating to anti-virus and security programs.
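The following PowerShell script is an added example and is not Sophos's own tooling. It audits, from a defender's side, the locations this write-up says the worms touch: autorun entries in the three registry keys above that point into the Windows system folder, the EnableDCOM and restrictanonymous values, and the default administrative shares. The function names are the example's own; the registry paths and share names are taken from the text. Run it in an elevated PowerShell session on the host under review; it reports findings and changes nothing.

```powershell
# Added example, not Sophos's tooling: audit the locations the W32/Rbot-Fam
# write-up says the worms touch. Read-only; run elevated on the host under review.

# Autorun registry locations listed in the advisory.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-SystemFolderAutorun {
    # Returns autorun entries whose command points into the Windows system
    # folder, where the advisory says the worms copy themselves. Entries are
    # leads for manual review against known-good software, not proof of infection.
    $systemDir = [Environment]::SystemDirectory
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a value
            $command = [string]$prop.Value
            if ($command -like "*$systemDir*") {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $command }
            }
        }
    }
}

function Get-TamperedSecuritySettings {
    # Reports the two values the advisory says the worms set: DCOM disabled and
    # anonymous enumeration restricted. Compare against your own baseline;
    # restrictanonymous = 1 is also a legitimate hardening choice.
    $dcom = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue
    $lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name restrictanonymous -ErrorAction SilentlyContinue
    $dcomValue = '<absent>'
    $lsaValue  = '<absent>'
    if ($dcom) { $dcomValue = $dcom.EnableDCOM }
    if ($lsa)  { $lsaValue  = $lsa.restrictanonymous }
    [pscustomobject]@{
        EnableDCOM        = $dcomValue
        RestrictAnonymous = $lsaValue
        DcomDisabled      = ($dcomValue -eq 'N')
    }
}

function Get-MissingAdminShares {
    # Lists default administrative shares that should exist but are absent.
    # IPC$ and ADMIN$ are always expected; <drive>$ only for local fixed drives.
    $expected = @('IPC$', 'ADMIN$')
    $fixed = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3'
    foreach ($disk in $fixed) { $expected += ($disk.DeviceID.TrimEnd(':') + '$') }
    $present = (Get-CimInstance -ClassName Win32_Share).Name
    $expected | Where-Object { $_ -notin $present }
}

# Report. Because the advisory notes the worms re-apply these changes at
# intervals, schedule this script and alert on any difference between runs.
'== Autorun entries pointing into the system folder =='
Get-SystemFolderAutorun | Format-Table -AutoSize
'== DCOM / LSA settings =='
Get-TamperedSecuritySettings | Format-List
'== Missing administrative shares =='
Get-MissingAdminShares
```

A single run only shows the current state; the useful signal in this family is the repeated resetting described above, so keep the output of each scheduled run and diff it against the previous one. An autorun entry that reappears after removal, a DCOM value that flips back to "N", or an ADMIN$ share that keeps vanishing is the pattern to escalate, followed by the removal steps in the Action section.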
