high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 21 December 2004 10:32:41 (GMT) |
| Last updated | 17 October 2005 20:01:13 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Rbot-RZ is a network worm which attempts to spread via network shares. The worm contains backdoor functions that allows unauthorized remote access to the infected computer via IRC channels while running in the background.
The worm spreads to network shares with weak passwords and also by using the LSASS security exploit (MS04-011) and the RPC-DCOM security exploit (MS03-039).
When run W32/Rbot-RZ moves itself to the Windows System folder as a hidden, read-only, system file named msnmsgr16.exe.
The worm then creates the following registry entries to run itself on computer logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MSN service
msnmsgr16.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
MSN service
msnmsgr16.exe
W32/Rbot-RZ also creates the following registry entry:
HKCU\Software\Microsoft\OLE
MSN service
msnmsgr16.exe
Once installed, W32/Rbot-RZ will attempt to perform the following actions when instructed to do so by a remote attacker:
- participate in distributed denial-of-service (DDoS) attacks
- download and run files from the internet
- steal CD game keys
- log keystrokes
- capture clipboard data
- create an HTTPD server
- create a SOCKS4 server
- perform DCC file transfers over IRC channels
- capture screen displays and images from web cameras
- login to SQL servers and send EXEC commands to open a command shell on the server
|
