Summary

| Property | Details |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 22 December 2004 16:52:53 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Rbot-SC is a worm which attempts to spread to remote network shares. The worm also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected system via IRC channels while running in the background as a service process.
W32/Rbot-SC spreads to network shares with weak passwords and via network security exploits. It does so when the backdoor Trojan element receives the appropriate command from a remote user.
W32/Rbot-SC copies itself to the Windows system folder as DECOM.EXE and creates the following registry entries in order to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    what ever = decom.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    what ever = decom.exe
W32/Rbot-SC may attempt to set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole
    EnableDCOM = N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous = 1
W32/Rbot-SC may attempt to delete network shares on the host system.
W32/Rbot-SC may attempt to log keystrokes to the file KEY.TXT in the Windows system folder.
Other backdoor functionality may include the worm sending itself to other users via IRC, providing a command shell to a remote user and stealing registration keys for software.
Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Rbot-SC (detected as W32/Rbot-Fam) since version 3.84.
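
A host check built from the indicators described above, as an added example that is not part of the Sophos description: it parses the text output of `reg query` (assumed format: name, type and data separated by four spaces) plus a listing of the Windows system folder, and reports matches. The function names, the strong/weak labels and the sample input are this example's own; the registry settings are labelled weak because administrators hardening a host set the same values.

```python
import re

# Indicators from the description above; key paths are relative to HKLM.
RUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
}
# Administrators hardening a host set these values too, so they are weak signals.
WEAK_VALUES = {
    r"software\microsoft\ole": ("enabledcom", "n"),
    r"system\currentcontrolset\control\lsa": ("restrictanonymous", "1"),
}
# KEY.TXT is a generic file name, so this example treats it as a weak signal.
DROPPED_FILES = {"decom.exe": "strong", "key.txt": "weak"}

# Assumed `reg query` layout: four-space separators; value names may contain spaces.
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

# Constructed sample output, not taken from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    what ever    REG_SZ    decom.exe
    Updater    REG_SZ    C:\Program Files\Example\updater.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous    REG_DWORD    0x1
"""

def parse_reg_query(text):
    """Yield (key, name, type, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_LOCAL_MACHINE\\"):
            key = line.strip().split("\\", 1)[1].lower()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(2), m.group(3).strip()

def findings(reg_text, system_files):
    """Return (strength, description) pairs for indicators listed on this page."""
    out = []
    for key, name, rtype, data in parse_reg_query(reg_text):
        if key in RUN_KEYS:
            # Data may be a bare file name or a quoted full path.
            exe = data.replace('"', "").lower().rsplit("\\", 1)[-1]
            if exe.split()[:1] == ["decom.exe"]:
                out.append(("strong", f"autorun {key}\\{name} -> {data}"))
        elif key in WEAK_VALUES:
            value = str(int(data, 16)) if rtype == "REG_DWORD" else data.lower()
            if (name.lower(), value) == WEAK_VALUES[key]:
                out.append(("weak", f"{key}\\{name} = {data}"))
    out += [(DROPPED_FILES[f.lower()], f"file {f} in system folder")
            for f in system_files if f.lower() in DROPPED_FILES]
    return out
```

A strong finding on its own warrants investigation; weak findings matter only when they appear alongside one.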
