Sophos

W32/Rbot-MB

Aliases
  • Backdoor.Win32.Rbot.gen
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 7 October 2004 09:03:43 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

More Information

W32/Rbot-MB is a network worm and backdoor Trojan for the Windows platform.

W32/Rbot-MB allows a malicious user remote access to an infected computer.

In order to run automatically when Windows starts up W32/Rbot-MB creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Sygate Personal Firewall Start = services32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sygate Personal Firewall Start = services32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Sygate Personal Firewall Start = services32.exe

W32/Rbot-MB spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

W32/Rbot-MB can be controlled by a remote attacker over IRC channels.

Patches for the operating system vulnerabilities exploited by W32/Rbot-MB can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer