W32/Rbot-UZ

Please follow the instructions for removing worms.

Change any data that may have become compromised.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

W32/Rbot-UZ is a network worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-UZ spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

W32/Rbot-UZ can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-UZ can be instructed by a remote user to perform the following functions:

start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)

W32/Rbot-UZ may also copy itself to the folders associated with peer to peer programs so that it might be spread through these programs. The names that might be used in these folders are:

ACDSee 9
Adobe Photoshop 9 full
Ahead Nero 7
AVG Virus cleaner v7
Hack your friends computer
Kaspersky Antivirus 5.0
Matrix 3 Revolution English Subtitles
McAfee Keygen
Microsoft Office 2003 Crack, Working!
Microsoft Office XP working Crack, Keygen
Microsoft Windows XP, WinXP Crack, working Keygen
MS04-011 Immunizer
Norton Crack
Norton Update
Opera 8 New!
Porno pics arhive, xxx.zip
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!
Virus Creater
WinAmp 5 Pro Keygen Crack Update
winamp 5.7 new!
WinAmp 6 New!
Windown Longhorn Beta Leak
Windows-KB835732-x86-ENU
Windows Serial Keygen.txt
Windows Sourcecode update.doc
WinXP Hack
XXX hardcore images

W32/Rbot-UZ may attempt to kill off various anti-virus and security related processes.

The worm copies itself to a file named LPC.exe in the Windows system folder and creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Local Procedure Call Mapper
LPC.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Local Procedure Call Mapper
LPC.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Local Procedure Call Mapper
LPC.exe

Patches for the operating system vulnerabilities exploited by W32/Rbot-UZ can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx