W32/Rbot-LZ

Please follow the instructions for removing worms.

W32/Rbot-LZ is a network worm and backdoor Trojan for the Windows platform.

W32/Rbot-LZ allows a malicious user remote access to an infected computer.

The worm copies itself to a random filename in the Windows system folder and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
educational writer = <filename>.EXE

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
educational writer = <filename>.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
educational writer = <filename>.EXE

The following registry entries are also modified:

HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM = "N"

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous = dword:00000001

W32/Rbot-LZ spreads using a variety of techniques including exploiting weak passworda on computers and SQL servers, exploiting operating system vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

W32/Rbot-LZ can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-LZ can be used to:

start a proxy server
create screen/webcam captures
enable remote login (rlogin)
log keystrokes on the infected computer
filesystem manipulation
start/stop system services
take part in denial of service attacks (DoS)
send email

Patches for the operating system vulnerabilities exploited by W32/Rbot-LZ can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx