W32/Rbot-GWC

Aliases	Win32/Rbot trojan W32/Sdbot.worm.gen.as
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Affected operating systems	Windows
Characteristics	Installs itself in the registry
Included in our products from	April 2008 (4.28)
Protection available since	14 February 2008 14:58:41 (GMT)
Detected by	All Sophos products

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/Rbot-GWC is a worm for the Windows platform.

W32/Rbot-GWC includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Rbot-GWC copies itself to <System>\inetsrv\sdhost.exe.

The following registry entries are created to run sdhost.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Server Daemon Host Manager
<System>\inetsrv\sdhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Server Daemon Host Manager
<System>\inetsrv\sdhost.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Server Daemon Host Manager
<System>\inetsrv\sdhost.exe

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<System>\inetsrv\sdhost.exe
<System>\inetsrv\sdhost.exe:*:Enabled:Server Daemon Host Manager

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DisallowRun
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files1
avgupsvc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files2
avgamsvr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files3
avgcc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files4
nod32kui.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files5
nod32krn.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files6
ccSetMgr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files7
ccEvtMgr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files8
DefWatch.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files9
SavRoam.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files10
Rtvscan.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files11
VPTray.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files12
ccApp.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files13
AluSchedulerSvc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files14
nod32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files15
nod32ra.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files16
UpdaterUI.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files17
tbmon.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files18
Mcshield.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files19
SHSTAT.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files20
ashMaiSv.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files21
ashServ.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files22
ashWebSv.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files23
aswUpdSv.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files24
AVGUARD.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files25
AVWUPSRV.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files26
avscan.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files27
guardgui.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files28
VxMon.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files29
AVGNT.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files30
avgemc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files31
avp.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Protected system files32
avp.com

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Rbot-GWC

Summary

Action

More Information