W32/Rbot-X

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft AUT Update = MSlti32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft AUT Update = MSlti32.exe

and delete them if they exist.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\Microsoft AUT Update = MSlti32.exe

and delete it if it exists.

Close the registry editor.

W32/Rbot-X is an IRC backdoor Trojan and network worm.

When first run W32/Rbot-X copies itself to the Windows system folder as MSlti32.exe and creates the following registry entries to run MSlti32.exe automatically on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft AUT Update = MSlti32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft AUT Update = MSlti32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft AUT Update = MSlti32.exe

Each time W32/Rbot-X is run it attempts to connect to a remote IRC server and join a specific channel. The worm then runs continuously in the background listening on the channel for instructions.

W32/Rbot-X attempts to logon to network shares protected by weak passwords
by brute force using a list of common passwords and then copies itself to the Windows system folder of the remote computer.