Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 4 November 2004 09:14:43 (GMT) |
| Detected by | All Sophos products |
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action

Please follow the instructions for removing worms.
Change any data that may have become compromised.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Networks Configurator = "NetConfs.exe "
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Networks Configurator = "NetConfs.exe "
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Rbot-OX is a network worm with IRC backdoor functionality.
In order to run automatically when Windows starts up, the worm copies itself to the file NetConfs.exe in the Windows system folder.
Once installed, W32/Rbot-OX connects to a preconfigured IRC server, joins a channel and awaits further instructions. These instructions can cause the backdoor to perform any of the following actions:
- flood a specified host with UDP, TCP, SYN, ICMP or ping packets
- start a webserver offering the contents of the local drive
- start a socks4 proxy server
- redirect TCP connections
- start a TFTP, FTP, rlogind or command shell server
- transfer files via DCC
- send emails
- download and install an updated version of itself
- show statistics about the infected system
- show/flush the DNS cache
- list/terminate running processes
- list/create/destroy network shares/services
- scan randomly- or sequentially-chosen IPs for infectable machines
- start a keylogger
- search for passwords in files, running processes and network traffic
- close down vulnerable services in order to secure the machine
The worm spreads to machines affected by the RPC DCOM (MS03-026, MS04-012) or LSASS (MS04-011) vulnerabilities.
W32/Rbot-OX creates or modifies the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Networks Configurator = "NetConfs.exe "
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Networks Configurator = "NetConfs.exe "
HKCU\Software\Microsoft\OLE\
Networks Configurator = "NetConfs.exe"
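As an added example (not part of the Sophos analysis), a small Python checker that reads the text of a Regedit export, the backup step described under Action, and reports the Run, RunServices and OLE entries listed above; the parser, the regular expressions and the sample export are constructed for this illustration.

```python
import re
# Persistence keys named in the analysis; HKLM/HKCU expanded as Regedit exports them.
RBOT_OX_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\ole",
}
RBOT_OX_VALUE_NAME = "networks configurator"
RBOT_OX_FILE = "netconfs.exe"
_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg_export(text):
    """Map key path -> {value name: data} for .reg export text (decode the file
    as UTF-16 first). Quoted REG_SZ data is unescaped; other types stay raw."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        key = _KEY_RE.match(line)
        if key:
            current = keys.setdefault(key.group(1), {})
            continue
        val = _VALUE_RE.match(line)
        if val and current is not None:
            name, data = val.group(1), val.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            current[name.replace('\\"', '"')] = data
    return keys

def find_rbot_ox_persistence(reg_text):
    """Return (key, value name, data) triples matching the W32/Rbot-OX indicators;
    case-insensitive and tolerant of the trailing space quoted in the analysis."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() in RBOT_OX_KEYS:
            for name, data in values.items():
                if (name.lower() == RBOT_OX_VALUE_NAME
                        and data.strip().lower().endswith(RBOT_OX_FILE)):
                    hits.append((key, name, data))
    return hits

# Constructed sample export (not a real capture): a benign Run entry plus the two worm entries.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Networks Configurator"="NetConfs.exe "
"Backup Agent"="C:\\Program Files\\Backup\\agent.exe"
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Networks Configurator"="NetConfs.exe"
'''
```

Run `find_rbot_ox_persistence(open(path, encoding="utf-16").read())` against a real export; an empty list means none of the three listed entries is present.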
