Summary

|   |   |
|---|---|
| How it spreads |   |
| Affected operating systems | Windows |
| Characteristics |   |
| Protection available since | 16 September 2004 13:08:42 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Rbot-JR is a member of the W32/Rbot family of worms with a backdoor component.
When active, W32/Rbot-JR attempts to connect to a remote IRC server and enables a malicious user to remotely control the infected computer via a specific IRC channel. It will also attempt to shut down any AV-related program.
In order to run automatically when Windows starts up, the worm copies itself to the file lshost.exe in the Windows system folder and adds the following registry entries pointing to this file:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Host Service
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Generic Host Service
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Host Service
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Host Service
The worm also adds the following registry entries:
- HKLM\SOFTWARE\Microsoft\Ole\Generic Host Service = "lshost.exe"
- HKCU\Software\Microsoft\OLE\Generic Host Service = "lshost.exe"
and sets the entries:
- HKLM\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous = 1
- HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1
- HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
The last three settings restrict anonymous (null-session) enumeration of accounts and shares and disable DCOM on the infected machine. Both are also legitimate hardening settings, so on their own they are corroborating rather than conclusive evidence of infection, and an administrator should review whether to keep them after the worm has been removed.
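The following PowerShell script is an added example, not part of the Sophos analysis, that checks a Windows host for the artefacts listed above: the dropped file, the "Generic Host Service" autostart and Ole values, and the two changed security settings. It is read-only and assumes Windows PowerShell 3 or later run from an elevated prompt; the file name, value names and settings it looks for are taken from the description above, everything else (variable and function names) is the example's own.

```powershell
# Added example, not from the Sophos write-up: read-only check for the
# W32/Rbot-JR artefacts described above. Assumes Windows PowerShell 3+ and
# an elevated prompt so HKLM and the system folder are readable.
# It reports findings; it does not remove anything.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Location, $Value) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Value = $Value })
}

# 1. The dropped file in the Windows system folder
$dropPath = Join-Path $env:SystemRoot 'System32\lshost.exe'
if (Test-Path -LiteralPath $dropPath) {
    $f = Get-Item -LiteralPath $dropPath
    Add-Finding 'File' $dropPath ("{0} bytes, modified {1}" -f $f.Length, $f.LastWriteTime)
}

# 2. Autostart entries and Ole marker values named "Generic Host Service".
#    RunServices only exists on Windows 9x/ME; missing keys are skipped.
$markerKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Ole',
    'HKCU:\Software\Microsoft\OLE'
)
foreach ($key in $markerKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties.Name -contains 'Generic Host Service') {
        Add-Finding 'Registry value' "$key\Generic Host Service" $props.'Generic Host Service'
    }
}

# 3. Settings the worm changes. Both are also legitimate hardening choices,
#    so on their own they are only corroborating evidence.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($null -ne $lsa -and $lsa.restrictanonymous -eq 1) {
    Add-Finding 'Setting' 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous' $lsa.restrictanonymous
}
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
if ($null -ne $ole -and $ole.EnableDCOM -eq 'N') {
    Add-Finding 'Setting' 'HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM' $ole.EnableDCOM
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Rbot-JR indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

The HKCU checks only cover the hive of the user running the script, so on a shared machine run it as each account that logged on, or load the other users' NTUSER.DAT hives first. A hit on the file or on a "Generic Host Service" value is the strong signal; the two settings by themselves are not.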
W32/Rbot-JR is capable of the following when instructed by an intruder:
- Capture the webcam feed
- Search for CD keys of installed games
- Open a remote command prompt
- Download and upload files
- Carry out DDoS attacks
- Capture the Windows NT/2000 login password
- Start a keylogger
- Sniff traffic on the network
