W32/Rbot-GSN

Please follow the instructions for removing worms.

W32/Rbot-GSN is a worm with IRC backdoor functionality for the Windows platform.

W32/Rbot-GSN spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), RPC-DCOM (MS04-012) Symantec (SYM06-010) and ASN.1 (MS04-007). The worm may also spreads via network shares and removable storage devices.

W32/Rbot-GSN runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Rbot-GSN includes functionality to download, install and run new software.
  

W32/Rbot-GSN is a worm with IRC backdoor functionality for the Windows platform.

W32/Rbot-GSN spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), RPC-DCOM (MS04-012) Symantec (SYM06-010) and ASN.1 (MS04-007). The worm may also spreads via network shares and removable storage devices.

W32/Rbot-GSN runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Rbot-GSN includes functionality to download, install and run new software.

When first run W32/Rbot-GSN copies itself to:

<System>\<random>.exe
<Root>\<random>.exe

and creates the file <Root>\autorun.inf.

W32/Rbot-GSN may also copy itself to existing zip files.

The following registry entry is created to run rwomlysrm.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon32
<System>\<random>.exe

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<System>\<random>.exe
<System>\<random>.exe:*:Enabled:ctfmon32