Summary

| | |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 22 November 2004 19:44:55 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Rbot-QI is a network worm with IRC backdoor functionality.
The worm copies itself to the file wuacrlt.exe in the Windows system folder.
W32/Rbot-QI connects to a preconfigured IRC server and waits in a specific channel for further instructions. These instructions can cause the worm to:
- scan other computers for exploitable vulnerabilities
- start an FTP or web server offering the contents of the local drives
- transfer files via DCC or HTTP
- search for filenames on any local drives
- list or terminate current services, processes and threads
- perform a SYN, PING, UDP, TCP or ICMP flood
- secure the infected machine against further attacks
- run a SOCKS4 proxy server
- redirect TCP connections
- run an identd server
- connect to another IRC server/channel
- execute arbitrary commands
- start a command-shell server
- send emails
- capture images from the screen or any attached webcam devices
The worm attempts to spread via network shares with weak passwords and the following unpatched vulnerabilities:
- RPC/DCOM (MS04-012)
- LSASS (MS04-011)
- IIS5SSL (MS04-011)
W32/Rbot-QI creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
*windows update = "wuacrlt.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
*windows update = "wuacrlt.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
*windows update = "wuacrlt.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
*windows update = "wuacrlt.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
*windows update = "wuacrlt.exe"
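
The following PowerShell check is an added example, not part of the original Sophos description: it looks for the file name and the autorun keys listed above on a Windows host. It assumes the per-user entries may sit in any loaded user hive (so it walks HKEY_USERS rather than only HKCU), that on 64-bit Windows the copy may be in SysWOW64, and it matches on the value data `wuacrlt.exe` rather than on the value name.

```powershell
# Added example (not Sophos code): report W32/Rbot-QI artifacts named on this page.
$dropName = 'wuacrlt.exe'

# Machine-wide autorun keys listed in the description.
$machineKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# Per-user autorun keys listed in the description (HKCU\...).
$userSuffixes = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# Assumption: check every loaded user hive, not just the current user's.
$userKeys = foreach ($hive in Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    foreach ($suffix in $userSuffixes) { "Registry::$($hive.Name)\$suffix" }
}

# Flag any value whose data references the dropped file name (case-insensitive).
$regHits = foreach ($key in @($machineKeys) + @($userKeys)) {
    $k = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -eq $k) { continue }
    foreach ($name in $k.GetValueNames()) {
        $data = [string]$k.GetValue($name)
        if ($data -match [regex]::Escape($dropName)) {
            [pscustomobject]@{ Type = 'Registry'; Location = $k.Name; Name = $name; Data = $data }
        }
    }
}

# Look for the dropped copy in the Windows system folder.
# Assumption: SysWOW64 is included because 32-bit code is redirected there on 64-bit Windows.
$fileHits = foreach ($dir in 'System32', 'SysWOW64') {
    $path = Join-Path $env:windir (Join-Path $dir $dropName)
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        [pscustomobject]@{ Type = 'File'; Location = $path; Name = $dropName; Data = "SHA256=$hash" }
    }
}

$hits = @($regHits) + @($fileHits)
if ($hits.Count -eq 0) {
    Write-Output 'No W32/Rbot-QI artifacts from this description were found.'
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so that other users' hives and the HKLM policy keys are readable; a non-elevated run silently skips keys it cannot open.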
