Sophos

W32/Rbot-QY

Aliases
  • Backdoor.Win32.Rbot.gen
  • W32/Sdbot.worm.gen.y
  • WORM_SPYBOT.HP
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 1 December 2004 09:08:53 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

More Information

W32/Rbot-QY is a network worm which attempts to spread via network shares. The worm contains backdoor functions that allows unauthorised remote access to the infected computer via IRC channels while running in the background.

The worm spreads to network shares with weak passwords and also by using the LSASS security exploit (MS04-011), RPC-DCOM security exploit (MS03-039) and the WebDav security exploit (MS03-007).

When run W32/Rbot-QY moves itself to the Windows System folder as a hidden, read-only, system file named msdev.exe.

The worm then creates the following registry entries to run itself on computer logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sygate Personal Firewall Startup
msdev.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Sygate Personal Firewall Startup
msdev.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sygate Personal Firewall Startup
msdev.exe

Once installed, W32/Rbot-QY will attempt to partake in distributed denial-of-service (DDoS) attacks, download and run files from the internet, steal CD keys, log keystrokes and create a SOCKS4 server when instructed to do so by a remote attacker.

The worm may also try to exploit backdoors and vulnerabilites used by the MyDoom family of worms.

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer