high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 25 August 2004 15:25:51 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
You will also need to edit the following registry entries, if present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Registry Scan = regscan.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Registry Scan = regscan.exe
and delete them if they exist.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKCU\[code number]\Software\Microsoft\OLE\
Windows Registry Scan = regscan.exe
and delete it if it exists.
Close the registry editor.
- Check your administrator passwords and review network security.
- Download and install the Microsoft patches mentioned. On standalone computers, update with all relevant security patches from Windows update.
More Information
W32/Rbot-HA is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-HA spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Rbot-HA moves itself to the Windows system folder as REGSCAN.EXE and creates entries in the registry at the following locations in an attmept to run on Windows logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Registry Scan = regscan.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Registry Scan = regscan.exe
W32/Rbot-HA may also create the following registry entry:
HKCU\Software\Microsoft\OLE\
Windows Registry Scan = regscan.exe
W32/Rbot-HA spreads using a variety of techniques including exploiting weak password on computers and SQL servers and exploiting operating system vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP).
W32/Rbot-HA can be controlled by a remote attacker over IRC channels.
Patches for the operating system vulnerabilities exploited by W32/Rbot-GO can be obtained from Microsoft at:
MS04-011
MS03-026
MS03-007
MS01-059
|
