W32/Rbot-MA

Please follow the instructions for removing worms.

Sophos anti-virus products since version 3.85 have been capable of detecting this worm as W32/Rbot-Fam without requiring an update.

W32/Rbot-MA is a network worm and backdoor for the Windows platform.

The worm spreads to network shares and computers with unpatched operating system vulnerabilities.

The backdoor component connects to a predefined IRC server and waits for commands from a remote attacker.

The worm copies itself to a file named taskmrg.exe in the Windows system folder and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Start Upping = "taskmrg.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Start Upping = "taskmrg.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Start Upping = "taskmrg.exe"

The following registry entries are also modified:

HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM = "N"

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous = dword:00000001

W32/Rbot-MA spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilites (including DCOM-RPC and LSASS) and using backdoors opened by other worms or Trojans.

W32/Rbot-MA can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-MA can be used to:

start a proxy server
enable remote login (rlogin)
log keystrokes on the infected computer
filesystem manipulation
start/stop system services
take part in denial of service attacks (DoS)

Patches for the operating system vulnerabilities exploited by W32/Rbot-MA can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx