high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 11 October 2004 13:09:12 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Rbot-MK is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background.
W32/Rbot-MK spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Rbot-MK copies itself to the Windows system folder as IEXPLORER.exe or with a random name and creates entries in the registry at the following locations to run itself on Windows Login:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
kernel32sys.dll = IEXPLORER.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
kernel32sys.dll = IEXPLORER.exe
W32/Rbot-MK spreads using a variety of techniques including exploiting weak password on computers and SQL servers, exploiting operating system vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.
Patches for the operating system vulnerabilities exploited by W32/Rbot-MK can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx
|
