Sophos

W32/Rbot-FWP

Summary

How it spreads:
  • Network shares
Affected operating systems: Windows
Characteristics:
  • Drops more malware
  • Installs itself in the registry
Included in our products from: July 2007 (4.19)
Protection available since: 24 November 2006 00:12:12 (GMT)
Last updated: 30 May 2007 14:16:14 (GMT)
Detected by: All Sophos products

More Information

W32/Rbot-FWP is a network worm and IRC backdoor for the Windows platform.

W32/Rbot-FWP spreads to other network computers by exploiting common buffer overflow vulnerabilities and by copying itself to network shares.

When first run, W32/Rbot-FWP copies itself to <System>\0x32.exe and creates the file \a.bat.

The file a.bat is detected as Troj/Batten-A.

The worm creates the following registry entries in order to be run automatically on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Numerical Xterm Agent
0x32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Numerical Xterm Agent
0x32.exe
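
A read-only check for the persistence artefacts listed above, given as an added example that is not part of the Sophos write-up. It assumes that <System> means the Windows system folder and also looks at the WOW6432Node views of the two keys, which the page does not mention.

```powershell
# Added example (not Sophos code): look for the W32/Rbot-FWP persistence
# artefacts named on this page. Read-only; run from an elevated prompt.
$valueName = 'Numerical Xterm Agent'   # registry value name from the page
$fileName  = '0x32.exe'                # dropped copy named on the page

# The two keys from the page, plus their WOW6432Node views (assumption:
# on 64-bit Windows a 32-bit process is redirected there).
$runKeys = foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    foreach ($leaf in 'Run', 'RunServices') {
        "$root\Microsoft\Windows\CurrentVersion\$leaf"
    }
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        $data = [string]$regKey.GetValue($name)
        # Flag on either the value name or the data, in case one was changed.
        if ($name -eq $valueName -or $data -match [regex]::Escape($fileName)) {
            $findings += [pscustomobject]@{
                Kind = 'Registry'; Location = $key; Name = $name; Data = $data
            }
        }
    }
}

# Assumption: <System> is the Windows system folder (System32, or SysWOW64
# for 32-bit code on 64-bit Windows).
foreach ($dir in 'System32', 'SysWOW64') {
    $path = Join-Path $env:SystemRoot (Join-Path $dir $fileName)
    if (Test-Path -LiteralPath $path) {
        $file = Get-Item -LiteralPath $path -Force
        $findings += [pscustomobject]@{
            Kind = 'File'; Location = $path; Name = $fileName
            Data = "size=$($file.Length) modified=$($file.LastWriteTimeUtc.ToString('u'))"
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No W32/Rbot-FWP indicators from this page found.' }
```

A match on the file name alone is only a lead; confirm with an up-to-date scanner before removing anything.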
