W32/Rbot-AHB

Aliases	Trojan.Win32.Crypt.d W32/Sdbot.worm.gen.l
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary


How it spreads	Network shares
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Included in our products from	August 2005 (3.96)
Protection available since	5 July 2005 21:18:29 (GMT)
Detected by	All Sophos products

W32/Rbot-AHB is a network worm with backdoor functionality for the Windows platform.

When first run W32/Rbot-AHB copies itself to <Windows system folder>\vmware.exe.

The following registry entries are created to run vmware.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Workstation Ver 5.0
vmware.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Workstation Ver 5.0
vmware.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
Workstation Ver 5.0
vmware.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Get reports about the latest virus and spyware threats delivered to your computer