W32/Rbot-AKV

Please follow the instructions for removing worms.

W32/Rbot-AKV is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AKV spreads to other network computers by exploiting common buffer overflow vulnerabilites, including: PnP (MS05-039), RPC-DCOM (MS04-012).

W32/Rbot-AKV runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Rbot-AKV includes functionality to:

- carry out DDoS flooder attacks
- access the internet and communicate with a remote server via HTTP
- steal confidential information
- perform port scanning

When first run W32/Rbot-AKV moves itself to <System>\cmmon.pif.

The following registry entries are created to run the worm on startup:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Connection Manager Monitor
cmmon.pif

HKCU\Software\Microsoft\OLE
Microsoft Connection Manager Monitor
cmmon.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Connection Manager Monitor
cmmon.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Connection Manager Monitor
cmmon.pif

HKLM\SOFTWARE\Microsoft\Ole
Microsoft Connection Manager Monitor
cmmon.pif

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Connection Manager Monitor
cmmon.pif

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Connection Manager Monitor
cmmon.pif

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Connection Manager Monitor
cmmon.pif

The following patches for the operating system vulnerabilities exploited by W32/Rbot-AKV can be obtained from the Microsoft website:

MS05-039
MS04-012