Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 26 October 2004 19:48:10 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Please read the instructions for removing W32/Rbot-NZ.
More Information
W32/Rbot-NZ is a network worm and IRC backdoor for the Windows platform.
W32/Rbot-NZ spreads through various operating system vulnerabilities and through network shares protected by weak passwords. Patches for the operating system vulnerabilities exploited by W32/Rbot-NZ can be obtained from Microsoft at:
- MS04-011
- MS03-039
- MS03-007
- MS01-059
W32/Rbot-NZ is a network worm and IRC backdoor Trojan for the Windows platform. When first run, the worm copies itself to the Windows system folder as sysmsvc.exe and creates the following registry entries to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MsWindows SysDate = "sysmsvc.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
MsWindows SysDate = "sysmsvc.exe"
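A host check for the persistence artifacts listed above, as an added example that is not part of the original Sophos description. The function name `Find-RbotNzPersistence` is hypothetical; the value name, file name and registry keys are the ones given on this page.

```powershell
# Indicators taken from the description above.
$ValueName = 'MsWindows SysDate'
$FileName  = 'sysmsvc.exe'
$RunKeys   = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Hypothetical helper: returns one object per matching registry value or file.
function Find-RbotNzPersistence {
    $findings = @()

    foreach ($key in $RunKeys) {
        # RunServices is absent on many Windows versions; skip missing keys.
        if (-not (Test-Path -LiteralPath $key)) { continue }

        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            # Flag the exact value name, or any autorun entry launching the file.
            if ($name -eq $ValueName -or $data -like "*$FileName*") {
                $findings += [pscustomobject]@{
                    Type = 'Registry'; Location = $key; Name = $name; Data = $data
                }
            }
        }
    }

    # The worm's copy in the Windows system folder (-Force also finds hidden files).
    $path = Join-Path ([Environment]::SystemDirectory) $FileName
    if (Test-Path -LiteralPath $path) {
        $file = Get-Item -LiteralPath $path -Force
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $path; Name = $FileName
            Data = "size=$($file.Length) modified=$($file.LastWriteTimeUtc.ToString('u'))"
        }
    }
    return $findings
}

$result = Find-RbotNzPersistence
if ($result) { $result | Format-Table -AutoSize -Wrap }
else { 'No W32/Rbot-NZ persistence indicators found.' }
```

On 64-bit Windows, run the check from both a 64-bit and a 32-bit PowerShell session, since registry and system-folder access by 32-bit processes is redirected.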
The backdoor component joins an IRC channel where it awaits further commands from a remote user. The backdoor component can be instructed to perform the following functions:
- start an HTTP server
- start an FTP server
- send email
- log keypresses
- capture screen/webcams
- download/execute arbitrary files
- start a port scanner
- provide remote shell access (RLOGIN)
- start a proxy server (SOCKS4)
