Summary

| Field | Value |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 14 September 2006 13:25:59 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Please read the instructions for removing W32/Rbot-FMZ.
More Information
W32/Rbot-FMZ is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-FMZ spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
W32/Rbot-FMZ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-FMZ may modify the system HOSTS file, preventing access to certain websites.
The worm also contains functionality to download updates, participate in denial-of-service attacks, kill processes, log keypresses and monitor network traffic. The worm also provides a remote command shell.
When first run, W32/Rbot-FMZ copies itself to `<System>\svchosl.exe`.
The following registry entries are created to run svchosl.exe on startup:

| Key | Value name | Value data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Microsoft Corp. Host Services | svchosl.exe |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Microsoft Corp. Host Services | svchosl.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices | Microsoft Corp. Host Services | svchosl.exe |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices | Microsoft Corp. Host Services | svchosl.exe |

Registry entries are set as follows:

| Key | Value name | Value data |
|---|---|---|
| HKCU\SYSTEM\CurrentControlSet\Control\Lsa | Microsoft Corp. Host Services | svchosl.exe |
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa | Microsoft Corp. Host Services | svchosl.exe |
| HKCU\Software\Microsoft\OLE | Microsoft Corp. Host Services | svchosl.exe |
| HKLM\SOFTWARE\Microsoft\Ole | Microsoft Corp. Host Services | svchosl.exe |
W32/Rbot-FMZ may add lines to the system HOSTS file mapping anti-virus vendor and Microsoft web sites to 127.0.0.1, so that the infected computer can no longer reach them.
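As an added example (not Sophos's code), a small Python check for the two host-based artefacts this description gives: HOSTS entries that black-hole vendor domains to a loopback address, and Run/RunServices values named "Microsoft Corp. Host Services" or pointing at svchosl.exe. The HOSTS text and registry entries inside it are constructed samples; on a live system you would feed it the real HOSTS file and your own registry export.

```python
from ipaddress import ip_address

# Persistence details given in the advisory for this worm.
SUSPECT_VALUE_NAME = "Microsoft Corp. Host Services"
SUSPECT_IMAGE = "svchosl.exe"
# Names that legitimately resolve to loopback in a HOSTS file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def find_blackholed_hosts(hosts_text):
    """Return hostnames a HOSTS file maps to a loopback address (v4 or v6).
    Pointing a vendor's update server at 127.0.0.1 silently breaks
    signature updates, which is the effect the advisory describes."""
    hits = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            if not ip_address(addr).is_loopback:
                continue
        except ValueError:
            continue  # malformed address field, not a hosts mapping
        hits.update(n.lower() for n in names if n.lower() not in LOOPBACK_NAMES)
    return sorted(hits)

def find_suspect_autoruns(autorun_entries):
    """Flag Run/RunServices values matching the worm's persistence entry.
    autorun_entries: {(key_path, value_name): value_data}, exported from
    the registry by your own collection tooling."""
    return [(key, name, data) for (key, name), data in autorun_entries.items()
            if name == SUSPECT_VALUE_NAME or data.lower().endswith(SUSPECT_IMAGE)]

# Constructed sample input so the script runs stand-alone.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com
::1 update.example.test   # constructed IPv6 variant
"""
SAMPLE_AUTORUNS = {  # constructed: one worm entry, one benign entry
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Microsoft Corp. Host Services"): "svchosl.exe",
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ExampleUpdater"): r"C:\Program Files\Example\updater.exe",
}

if __name__ == "__main__":
    print(find_blackholed_hosts(SAMPLE_HOSTS))
    print(find_suspect_autoruns(SAMPLE_AUTORUNS))
```

Any hit from the first function on a machine that should be receiving vendor updates, or any row from the second, is worth treating as a sign of this family rather than a benign configuration.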
