Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 27 January 2005 10:56:23 (GMT) |
| Detected by | All Sophos products (Endpoint Security and Control 9.0, Small business solutions 4.0) |

Action
Please follow the instructions for removing worms.
More Information
W32/Rbot-UN is a network worm with IRC backdoor functionality.
The worm copies itself to the Windows system folder and creates the following registry entries in order to be run automatically at login:
- `HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV Auto Updates = navupdaters.exe`
- `HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\NAV Auto Updates = navupdaters.exe`
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NAV Auto Updates = navupdaters.exe`
W32/Rbot-UN connects to a preconfigured IRC server and joins a channel in which it awaits further commands. These commands can cause the worm to perform any of the following actions:
- scan other machines for exploitable vulnerabilities
- secure the machine against further exploits
- start a TFTP, HTTP, RLOGIN, SOCKS4 proxy or IDENTD server
- access the contents of the clipboard
- list or terminate processes and threads
- transfer files by DCC, FTP or HTTP
- capture images from the screen or any available webcam devices
- execute arbitrary commands
- perform DNS lookups
- flood a specified host with network traffic
- send emails
- log keypresses
- sniff network packets for passwords
- search for product keys for popular games
- listen for commands in another channel/server
The worm modifies the following registry entries in order to protect the computer from further attacks:
- `HKLM\Software\Microsoft\Ole\EnableDCOM = N`
- `HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymous = 1`
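As an added example (not part of the Sophos analysis), the following Python checker parses a `reg export` dump and flags the three "NAV Auto Updates" persistence values and the two hardening changes listed above; the function names are my own and the sample export is constructed, not taken from an infected host.

```python
import re

# Indicators as listed in the Sophos description of W32/Rbot-UN on this page.
RUN_KEYS = {k.casefold() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run")}
RUN_VALUE, RUN_DATA = "nav auto updates", "navupdaters.exe"
# The worm also sets these; legitimate hardening on their own, so corroborating only.
HARDENING = {
    (r"hkey_local_machine\software\microsoft\ole", "enabledcom"): "n",
    (r"hkey_local_machine\system\currentcontrolset\control\lsa", "restrictanonymous"): "1"}

def parse_reg_export(text):
    """Parse the [key] / "name"=value subset written by `reg export` into
    {(key, name): value}; key and name are case-folded, as the registry is."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].casefold()
        elif key and (m := re.match(r'"([^"]*)"=(.*)', line)):
            name, value = m.group(1).casefold(), m.group(2)
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1]                  # REG_SZ
            elif value.startswith("dword:"):
                value = str(int(value[6:], 16))      # dword:00000001 -> "1"
            entries[(key, name)] = value
    return entries

def find_rbot_indicators(entries):
    """Return human-readable findings; the persistence value is the real signal."""
    found = [f"persistence: {k}\\{n} = {v}" for (k, n), v in entries.items()
             if k in RUN_KEYS and n == RUN_VALUE and RUN_DATA in v.casefold()]
    found += [f"hardening change: {k}\\{n} = {exp}" for (k, n), exp in HARDENING.items()
              if entries.get((k, n), "").casefold() == exp]
    return found

# Constructed sample export (not from a real host); the first Run value is benign.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"NAV Auto Updates"="navupdaters.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""
```

Run it against `reg export HKLM hklm.reg` / `reg export HKCU hkcu.reg` output read from disk; a hardening hit without a persistence hit is not evidence of this worm.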
W32/Rbot-UN attempts to spread via network services protected by weak passwords and unpatched vulnerabilities.
- RPC/DCOM (MS03-026, MS03-039)
- LSASS (MS04-011)
- Network services: MS SQL
