W32/Rbot-ALY

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Close the registry editor.

W32/Rbot-ALY is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-ALY spreads:

- to other network computers infected with: Troj/Kuang, Troj/Sub7,
Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow
vulnerabilites, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WebDav
(MS03-007), IIS5SSL (MS04-011) (CAN-2003-0719), and Dameware (CAN-2003-1030)
- by copying itself to network shares protected by weak passwords

W32/Rbot-ALY runs continuously in the background, providing a backdoor server
which allows a remote intruder to gain access and control over the computer via
IRC channels.

When first run W32/Rbot-ALY copies itself to <System>\<random letters>.exe.

The following registry entries are created to run the worm on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN 9.0 Plus
<random letters>.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MSN 9.0 Plus
<random letters>.exe