W32/Rbot-LK

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Network shares
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	4 October 2004 07:56:34 (GMT)
Last updated	30 March 2005 16:32:05 (GMT)
Detected by	All Sophos products

Sophos beta program
Register now for our latest beta tests

Endpoint Security and Control 9.0
Small business solutions 4.0

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/Rbot-LK is a network worm and backdoor Trojan for the Windows platform.

W32/Rbot-LK allows a malicious user remote access to an infected computer.

The worm copies itself to a file named wuamgrd.exe in the Windows system folder and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = wuamgrd.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = wuamgrd.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = wuamgrd.exe

The following registry entries are also modified:

HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM = "N"

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous = dword:00000001

W32/Rbot-LK spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

W32/Rbot-LK can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-LK can be used to:

start a proxy server
create screen/webcam captures
enable remote login (rlogin)
log keystrokes on the infected computer
filesystem manipulation
start/stop system services
take part in denial of service attacks (DoS)
send email

W32/Rbot-LK attempts to terminate the following processes:

i11r54n4.exe
irun4.exe
d3dupdate.exe
rate.exe
ssate.exe
winsys.exe
winupd.exe
SysMonXP.exe
bbeagle.exe
Penis32.exe
teekids.exe
MSBLAST.exe
mscvb32.exe
sysinfo.exe
PandaAVEngine.exe
wincfg32.exetaskmon.exe [sic]
zonealarm.exe
navapw32.exe
navw32.exe
zapro.exe
msblast.exe
netstat.exe
msconfig.exe
regedit.exe

Patches for the operating system vulnerabilities exploited by W32/Rbot-LK can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Rbot-LK

Summary

Action

More Information