Sophos

W32/Rbot-FMO

Aliases
  • Backdoor.Win32.Rbot.aus

Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from October 2006 (4.10)
Protection available since 6 September 2006 13:07:00 (GMT)
Detected by All Sophos products

More Information

W32/Rbot-FMO is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-FMO runs continuously in the background, providing a backdoor server
which allows a remote intruder to gain access and control over the computer via
IRC channels.

W32/Rbot-FMO spreads:
- to computers vulnerable to common exploits, including: WKS, the Workstation
service (MS03-049); MSSQL, the SQL Server 2000 Resolution Service (MS02-039);
SRVSVC, the Server service (MS06-040); and Realcast
- to network shares protected by weak passwords, which the worm guesses from a
built-in list

When first run, W32/Rbot-FMO copies itself to <System>\WinIp32.exe, where
<System> is the Windows system folder (System32 on NT-based Windows).

The following registry entries are created to run WinIp32.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Sound Verifier
WinIp32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Sound Verifier
WinIp32.exe

W32/Rbot-FMO sets the following registry entries, disabling the automatic
startup of the Automatic Updates (wuauserv) and Internet Connection
Sharing/Firewall (SharedAccess) services (a Start value of 4 means
SERVICE_DISABLED):

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft
Internet Connection Firewall (ICF), and disabling wuauserv stops Automatic
Updates, so the host will no longer receive the patches for the vulnerabilities
the worm exploits.

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
Windows Sound Verifier
WinIp32.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableRemoteConnect
N

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Note: EnableDCOM = N disables DCOM on the host and restrictanonymous = 1
restricts anonymous (null-session) enumeration. Both are also legitimate
hardening settings, so on their own they are weak indicators of infection; the
dropped file and the "Windows Sound Verifier" autorun value are the reliable
ones.

Registry entries are created under:

HKCR\.key\
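The following script is an added example, not Sophos code, that checks a Windows host for the file, autorun, service and registry artifacts listed above. It must be run in an elevated PowerShell session; the function name is the example's own, and the paths and values it looks for are the ones given in this description.

```powershell
# Added example (not Sophos code): host check for the W32/Rbot-FMO artifacts
# described above. Run elevated. Function name is the example's own.

function Test-RbotFmoIndicators {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Dropped copy: <System>\WinIp32.exe (System32 on NT-based Windows)
    $dropped = Join-Path $env:SystemRoot 'System32\WinIp32.exe'
    if (Test-Path -LiteralPath $dropped) {
        $findings.Add("File present: $dropped")
    }

    # 2. "Windows Sound Verifier" = WinIp32.exe under Run, RunServices and the
    #    HKCU OLE marker key. RunServices is only honoured by Windows 9x/Me,
    #    but the worm writes it regardless, so it is still a useful indicator.
    $markerKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
        'HKCU:\Software\Microsoft\OLE'
    )
    foreach ($key in $markerKeys) {
        $val = Get-ItemProperty -Path $key -Name 'Windows Sound Verifier' -ErrorAction SilentlyContinue
        if ($val -and $val.'Windows Sound Verifier' -match 'WinIp32\.exe') {
            $findings.Add("Marker value: $key\Windows Sound Verifier = $($val.'Windows Sound Verifier')")
        }
    }

    # 3. Services the worm disables (Start = 4 is SERVICE_DISABLED)
    foreach ($svc in 'wuauserv', 'SharedAccess') {
        $p = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name Start -ErrorAction SilentlyContinue
        if ($p -and $p.Start -eq 4) {
            $findings.Add("Service disabled: $svc (Start=4)")
        }
    }

    # 4. DCOM switched off and anonymous enumeration restricted. These are also
    #    legitimate hardening settings, so treat them as weak indicators.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    if ($ole) {
        foreach ($name in 'EnableDCOM', 'EnableRemoteConnect') {
            if ($ole.$name -eq 'N') { $findings.Add("Weak indicator: HKLM\SOFTWARE\Microsoft\Ole\$name = N") }
        }
    }
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name restrictanonymous -ErrorAction SilentlyContinue
    if ($lsa -and $lsa.restrictanonymous -eq 1) {
        $findings.Add('Weak indicator: Lsa\restrictanonymous = 1')
    }

    # 5. Key created under HKCR\.key\ (a .key file association can also be
    #    legitimate, so this is another weak indicator on its own)
    if (Test-Path -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.key') {
        $findings.Add('Weak indicator: registry key HKCR\.key present')
    }

    # 6. The backdoor running in the background
    Get-Process -Name WinIp32 -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add("Process running: WinIp32.exe (PID $($_.Id))")
    }

    return $findings
}

$hits = Test-RbotFmoIndicators
if ($hits.Count -eq 0) {
    Write-Output 'No W32/Rbot-FMO indicators found.'
} else {
    Write-Output "Possible W32/Rbot-FMO infection, $($hits.Count) indicator(s):"
    $hits | ForEach-Object { Write-Output "  - $_" }
}
```

The script only reports; it does not kill the process or remove the file and registry values, because a running Rbot backdoor means the host was remotely controllable and should be isolated and cleaned with the vendor's tooling rather than patched up by hand.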

The following patches for the operating system vulnerabilities exploited by the
worm can be obtained from the Microsoft website:

MS03-049

MS02-039

MS06-040
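The second propagation route, password guessing against network shares, leaves a burst of failed network logons on every host the worm probes. The following is an added example, not Sophos code, that flags such bursts. It assumes a host that records failed logons as Security event 4625 (Windows Vista and later; XP/2003-era hosts log event 529 instead); the function name, the thresholds and the sample events are the example's own.

```powershell
# Added example (not Sophos code): detects bursts of failed network logons
# from one source, the footprint of share password guessing. Assumes event
# 4625 (Vista and later). Function name, thresholds and sample are constructed.

function Find-SharePasswordGuessing {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Time, Source, User
        [int] $Threshold = 20,                      # failures from one source ...
        [int] $WindowMinutes = 5                    # ... within this many minutes
    )
    foreach ($group in ($Events | Group-Object Source)) {
        $sorted = @($group.Group | Sort-Object Time)
        # Sliding window: report the first window that reaches the threshold.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            if ($inWindow.Count -ge $Threshold) {
                [pscustomobject]@{
                    Source   = $group.Name
                    Start    = $start
                    Failures = $inWindow.Count
                    Users    = (($inWindow.User | Sort-Object -Unique) -join ',')
                }
                break
            }
        }
    }
}

# Constructed sample: one source cycling two accounts every few seconds, and
# one source with a single failed logon. Only the first should be reported.
$t0 = Get-Date '2006-09-06 13:07:00'
$sample = @(
    foreach ($n in 0..24) {
        [pscustomobject]@{ Time = $t0.AddSeconds(3 * $n); Source = '10.0.0.5'
                           User = @('Administrator', 'admin')[$n % 2] }
    }
    [pscustomobject]@{ Time = $t0.AddMinutes(1); Source = '10.0.0.9'; User = 'jdoe' }
)
Find-SharePasswordGuessing -Events $sample | Format-Table -AutoSize

# Live use on a Windows host: failed network logons (LogonType 3) from the last day.
$raw = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue
$live = foreach ($e in $raw) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.LogonType -eq '3') {
        [pscustomobject]@{ Time = $e.TimeCreated; Source = $data.IpAddress; User = $data.TargetUserName }
    }
}
if ($live) { Find-SharePasswordGuessing -Events $live | Format-Table -AutoSize }
```

The Users column is the useful part of each hit: a worm working through a built-in password list shows the same handful of privileged account names (Administrator and a few common variants) repeated from one source, which distinguishes it from a user mistyping a password.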
