Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 15 December 2004 08:47:24 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Rbot-RO is a network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while running in the background.
The worm spreads to network shares with weak passwords and also by using the LSASS security exploit (MS04-011), the RPC-DCOM security exploit (MS03-039) and the WebDAV security exploit (MS03-007).
When run, W32/Rbot-RO moves itself to the Windows System folder as a hidden, read-only, system file named iexplore.exe.
The worm then creates the following registry entries so as to run itself on computer logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
IEXPLORE = iexplore.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IEXPLORE = iexplore.exe
W32/Rbot-RO also creates the following registry entry:
HKCU\Software\Microsoft\OLE
IEXPLORE = iexplore.exe
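The file and registry artefacts described above can be checked on a host with a read-only script. This is an added example, not part of the original description; the function name Test-RbotRoIndicators is hypothetical, and the HKCU check only covers the user running the script.

```powershell
# Added example: look for the W32/Rbot-RO artefacts listed in this description.
# Read-only: nothing is modified or deleted. The function name is hypothetical.
function Test-RbotRoIndicators {
    $findings = @()

    # Registry keys named in the description; each carries a value IEXPLORE.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\OLE'   # current user's hive only
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }          # key not present on this host
        $prop = $props.PSObject.Properties['IEXPLORE']
        if ($null -ne $prop) {
            $findings += [pscustomobject]@{
                Type     = 'Registry'
                Location = $key
                Detail   = "IEXPLORE = $($prop.Value)"
                # Exact is true when the data matches the description verbatim.
                Exact    = ($prop.Value -ieq 'iexplore.exe')
            }
        }
    }

    # The genuine Internet Explorer binary lives under Program Files, so an
    # iexplore.exe in the Windows System folder is suspicious by location alone.
    $path = Join-Path ([Environment]::GetFolderPath('System')) 'iexplore.exe'
    # -Force is needed because the worm marks its copy hidden and system.
    $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($null -ne $file) {
        $want = [IO.FileAttributes]'Hidden, ReadOnly, System'
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $path
            Detail   = "Attributes: $($file.Attributes)"
            Exact    = (($file.Attributes -band $want) -eq $want)
        }
    }
    return $findings
}

Test-RbotRoIndicators | Format-Table -AutoSize
```

An empty result means none of the listed artefacts were found for the account running the script; any row returned warrants a full scan before the host is trusted again.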
Once installed, W32/Rbot-RO will attempt to participate in distributed denial of service (DDoS) attacks, download and run files from the internet, steal CD keys, log keystrokes and create an HTTPD server when instructed to do so by a remote attacker.
The worm tries to terminate and disable various anti-virus and security-related programs and also attempts to exploit backdoors and vulnerabilities used by the MyDoom family of worms.
