W32/Rbot-GVR

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Peer-to-peer
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	4 January 2008 04:28:49 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/Rbot-GVR is a worm and IRC backdoor Trojan for the Windows platform.

When run W32/Rbot-GVR copies itself to <Windows>\servidevice.exe and creates the file <Windows>\Chirstmas-2007.zip which is also detected as W32/Rbot-GVR. The zipfile contains a copy of the worm with the filename img2007-12.JPEG.scr.

W32/Rbot-GVR sets the following registry entry to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ryan1918
servidevice.exe

W32/Rbot-GVR spreads via MSN Messenger. It will attempt to send a copy of the worm with any of the following messages:

'Christmas photo! :D'
'Hey i que hace el ßlbum de foto! Si vea el loL del em'
'vengo de fi este foto ßlbum'
'xmas photo!: D'
'haha :D'
'lol, christmas pictures off me'
'hola, My Christmas picture for you :)'

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Rbot-GVR

Summary

Action

More Information