Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 5 October 2004 12:27:27 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Rbot-LS is a worm which attempts to spread via remote network shares. The worm contains backdoor Trojan functionality allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-LS has a backdoor component that gives a malicious intruder a remote access shell on an infected computer.
The worm spreads to network shares with weak passwords and by using the following exploits:
- LSASS exploit (MS04-011)
- RPC-DCOM exploit (MS03-039)
The worm moves itself to the Windows system folder as jutsu.exe. W32/Rbot-LS then creates the following registry entries to run itself on computer restart or user logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
jutsu = jutsu.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
jutsu = jutsu.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
jutsu = jutsu.exe
W32/Rbot-LS also sets the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = 1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM = N
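The registry entries listed above can be checked offline against a registry export collected from a suspect host. The following is an added example, not Sophos code: the function names, the sample export and the assumed value types (DWORD for restrictanonymous, string for EnableDCOM) are assumptions. The two settings are reported separately from the Run entries because an administrator may also set them.

```python
import re

# Indicators from the description above, with HKCU/HKLM written as the long hive
# names `reg export` emits; compared lower-cased (registry names ignore case).
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
# Assumed value types (the page gives only "= 1" and "= N"): DWORD and string.
SETTINGS = {
    (r"hkey_local_machine\system\currentcontrolset\control\lsa", "restrictanonymous"): "dword:00000001",
    (r"hkey_local_machine\software\microsoft\ole", "enabledcom"): '"n"',
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each named value in .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VAL_RE.match(line)):
            yield key, m.group(1), m.group(2)

def triage(text):
    persistence, settings = [], []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if k in RUN_KEYS and (n == "jutsu" or "jutsu.exe" in d):
            persistence.append((key, name))   # autorun entry named in the write-up
        elif SETTINGS.get((k, n)) == d:
            settings.append((key, name))      # corroborating only, not proof
    return persistence, settings

# Constructed sample export, not taken from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"jutsu"="jutsu.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Jutsu"="jutsu.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
'''
```

Files written by `reg export` are UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text to `triage`.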
W32/Rbot-LS may attempt to:
- capture clipboard data
- delete network shares on the host computer
- enumerate the list of running processes on the computer and reduce the privileges on these processes
- download and run files from the Internet
- steal computer system information (computer name, available memory, drive types etc.)
- partake in DoS attacks
Sophos Anti-Virus version 3.85 and above detects this worm as W32/Rbot-Fam without requiring an update.
