high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | October 2005 (3.98) |
| Protection available since | 23 August 2005 07:27:43 (GMT) |
| Last updated | 26 August 2005 20:40:29 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Change any data that may have become compromised.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove any reference to any file you deleted.
Check the following items
- To renable DCOM you can edit the registry, but it's better to use Dcomcnfg.exe. See Microsoft article 825750 for details.
- The HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1" setting does not allow enumeration of SAM accounts and names. The default is "0". It can be changed in Local Security Policy. See Microsoft article 246261 for details.
More Information
W32/Rbot-ALG is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-ALG spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: PNP (MS05-039), LSASS (MS04-011) and RPC-DCOM (MS04-012) and by copying itself to network shares protected by weak passwords.
W32/Rbot-ALG runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
The following patches for the operating system vulnerabilities exploited by W32/Rbot-ALG can be obtained from the Microsoft website:
MS04-011
MS04-012
MS05-039
W32/Rbot-ALG is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-ALG spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: PNP (MS05-039), LSASS (MS04-011) and RPC-DCOM (MS04-012) and by copying itself to network shares protected by weak passwords.
W32/Rbot-ALG runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run W32/Rbot-ALG copies itself to <System>\qsecue.exe.
The following registry entries are created to run qsecue.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Quantifier Security
qsecue.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Quantifier Security
qsecue.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\OLE
Quantifier Security
qsecue.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Once installed, W32/Rbot-ALG will attempt to perform the following actions when instructed to do so by a remote attacker:
capture keystrokes
terminate threads and processes
perform port scanning on IP addresses
steal computer system hardware information
copy itself to network shared folders
download files from the Internet and run them
participate in denial of service (DoS) attacks
perform DCC file transfers over IRC channels
act as a HTTP proxy
setup a SOCKS4 server
The following patches for the operating system vulnerabilities exploited by W32/Rbot-ALG can be obtained from the Microsoft website:
|
