Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 22 November 2004 19:44:55 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Please read the instructions for removing W32/Rbot-QH.
More Information
W32/Rbot-QH is an IRC backdoor Trojan and network worm.
W32/Rbot-QH may spread to remote network shares protected by weak passwords and computers vulnerable to common exploits. The worm also opens up a backdoor, allowing unauthorised remote access to infected computers via the IRC network, while running in the background as a service process.
W32/Rbot-QH copies itself to the Windows system folder and creates the following registry entries to run automatically on log-on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Excell = "wuamngr32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Excell = "wuamngr32.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Excell = "wuamngr32.exe"
In addition, W32/Rbot-QH may set the following entries if they are not already set:
HKLM\Software\Microsoft\Ole\
EnableDCOM = "N"
HKLM\System\ControlSet<number>\Control\Lsa\
restrictanonymous = 1
HKLM\System\CurrentControlSet\Control\Lsa\
restrictanonymous = 1
W32/Rbot-QH can receive commands from a remote intruder to delete network shares, log keypresses, participate in DDoS attacks, scan other computers for vulnerabilities, steal passwords, steal registration keys for computer games, terminate firewall and anti-virus applications, and capture video from webcams attached to the computer.
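
A check for the log-on registry entries listed above, as an added example that is not part of the original Sophos description: it scans the text of a registry export (`.reg` format) for the value name or file name in the three autorun keys. The function name and the sample export are constructed for illustration.

```python
import re

# Indicators taken from the description above (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
VALUE_NAME, FILE_NAME = "microsoft excell", "wuamngr32.exe"

SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def find_rbot_qh_entries(reg_text):
    """Return (key, value name, data) for autorun entries matching the indicators."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        value = STRING_VALUE.match(line)
        if not value or key is None or key.lower() not in RUN_KEYS:
            continue
        # .reg files escape backslashes and quotes inside strings; undo that.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in value.groups())
        if name.lower() == VALUE_NAME or FILE_NAME in data.lower():
            hits.append((key, name, data))
    return hits


# Constructed sample export, not captured from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Excell"="wuamngr32.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Renamed"="C:\\WINDOWS\\system32\\WUAMNGR32.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Office]
"Microsoft Excell"="wuamngr32.exe"
'''

if __name__ == "__main__":
    print(find_rbot_qh_entries(SAMPLE))
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so read the file with `encoding="utf-16"` before passing its text to the function.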
