high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 5 January 2005 13:02:01 (GMT) |
| Last updated | 22 September 2005 07:53:18 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Please read the instructions for removing W32/Rbot-SQ.
More Information
W32/Rbot-SQ is a member of the W32/Rbot-Fam family of worms for the
Windows platform with backdoor functionality.
W32/Rbot-SQ targets weakly protected network shares and machines unpatched against known vulnerabilities.
The backdoor component connects to a predefined IRC server and waits for commands from a remote attacker.
W32/Rbot-SQ is a member of the W32/Rbot-Fam family of worms for the
Windows platform with backdoor functionality.
W32/Rbot-SQ targets weakly protected network shares and machines unpatched against known vulnerabilities.
The backdoor component connects to a predefined IRC server and waits for commands from a remote attacker.
When first executed, W32/Rbot-SQ copies itself to the Windows system folder with the filename mcafeee.exe and in order to be able to run automatically when Windows starts up creates the registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Media Player = "mcafeee.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Media Player = "mcafeee.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Media Player = "mcafeee.exe"
W32/Rbot-SQ also modifies the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous = dword:00000001
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = dword:00000001
W32/Rbot-SQ spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilites (including DCOM-RPC and LSASS) and using backdoors opened by other worms or Trojans.
W32/Rbot-SQ can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-SQ can be used to:
start a proxy server
enable remote login (rlogin)
log keystrokes on the infected computer
filesystem manipulation
start/stop system services
take part in denial of service attacks (DoS)
Patches for the operating system vulnerabilities exploited by W32/Rbot-SQ can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
|
