high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 22 December 2004 16:52:53 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Rbot-SG is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-SG moves itself to the Windows system folder as Explorer.exe and creates the following registry entries to ensure it is run at system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Automatic Updater
Explorer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Automatic Updater
Explorer.exe
W32/Rbot-SG will also create the following registry entry:
HKCU\Software\Microsoft\OLE
Microsoft Automatic Updater
Explorer.exe
W32/Rbot-SG spreads to network shares with weak passwords and via exploiting vulnerabilities including the RPC-DCOM(MS04-012) and LSASS(MS04-011) vulnerabilities.
W32/Rbot-SG can also download and execute remote files on the infected computer, log key strokes, retrieve information such as CD keys for various games and flood other computers with network packets.
|
