W32/Rbot-PC

Please follow the instructions for removing worms.

Change any data that may have become compromised.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

W32/Rbot-PC is a member of the W32/Rbot family of worms with a backdoor component that spread on weakly protected network shares on the Windows platform.

The worm spreads as a result of receiving the appropriate command by scanning random IP addresses for open SMB ports (445) and trying to copy itself to the Windows system folder on the remote Admin$ and C$ shares.

W32/Rbot-PC uses an internal dictionary of common passwords to gain access. The worm attempts to schedule the copied file for later execution on the remote machine.

In addition the worm also has the ability to scan for and exploit common vulnerabilities on the Windows platform such as the LSASS vulnerability (MS04-012) as well as ports opened by other worms such as W32/Bagle or W32/MyDoom.

W32/Rbot-PC also has a backdoor component that allows a malicious user remote access to an infected computer.

When run the worm attempts to contact a remote IRC server and join a specific channel to listen for commands. W32/Rbot-PC is a member of the W32/Rbot family of worms with a backdoor component that spreads using weakly protected network shares on the Windows platform.

The worm spreads as a result of receiving the appropriate command by scanning Random IP addresses for open SMB ports (445) and trying to copy itself to the Windows system folder on the remote Admin$ and C$ shares.

W32/Rbot-PC uses an internal dictionary of common passwords to gain access. The worm attempts to schedule the copied file for later execution on the remote machine.

In addition the worm also has the ability to scan for and exploit common vulnerabilities on the Windows platform such as the LSASS vulnerability (MS04-012) as well as ports opened by other worms such as W32/Bagle or W32/MyDoom.

W32/Rbot-PC also has a backdoor component that allows a malicious user remote access to an infected computer.

When run the worm attempts to contact a remote IRC server and join a specific channel to listen for commands.

Besides the spreading functionality members of the W32/Rbot family also allow a remote user to set up a proxy server, start a HTTP server on a user specified port, collect system information, add or delete shares and users, kill processes, download and execute files, send email, remotely control a connected web cam, sniff network traffic, log keystrokes, steal keys for certain games or launch various denial-of-service attacks against an attacker-specified target.

In order to run automatically when Windows starts up W32/Rbot-PC copies itself to the file csrse.exe in the Windows system folder and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Registry
csrse.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Registry
csrse.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Registry
csrse.exe.