W32/Rbot-PI

Please follow the instructions for removing worms.

Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Rbot-PI (detected as W32/Rbot-Fam) since version 3.88

W32/Rbot-PI is an IRC backdoor Trojan and network worm.

W32/Rbot-PI may spread to remote network shares and computers vulnerable to common exploits. The worm also opens up a backdoor, allowing unauthorised remote access to infected computers via the IRC network, while running in the background as a service process.

W32/Rbot-PI copies itself to the Windows system folder and creates the following registry entries to run automatically on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = "svhost.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = "svhost.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = "svhost.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = "svhost.exe"

W32/Rbot-PI also attempts to set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM = "N"

HKLM\SYSTEM\ControlSet001\Control\Lsa\
restrictanonymous = 1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous = 1

HKCU\Software\Microsoft\OLE\
Microsoft Update = "svhost.exe"

HKLM\SYSTEM\ControlSet001\Control\Lsa\
Microsoft Update = "svhost.exe"

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
Microsoft Update = "svhost.exe"

HKLM\SOFTWARE\Microsoft\Ole\
Microsoft Update = "svhost.exe"

W32/Rbot-PI can receive commands from a remote attacker to delete network shares, log keypresses, participate in DDoS attacks, scan other computers for vulnerabilities, steal passwords, steal registration keys for computer games, terminate anti-virus and firewall processes, block access to anti-virus websites, create local administrator accounts and capture video from webcameras attached to the computer.