high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | February 2006 (4.02) |
| Protection available since | 2 December 2005 16:29:36 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Rbot-BAF is a worm with backdoor functionality for the Windows platform.
W32/Rbot-BAF spreads:
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and ASN.1 (MS04-007)
- to other network computers running MSSQL servers protected by weak passwords
- by copying itself to network shares protected by weak passwords
W32/Rbot-BAF runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-BAF attempts to terminate certain processes related to anti-virus and security programs.
W32/Rbot-BAF attempts to modify the HOSTS file, preventing access to certain websites. W32/Rbot-BAF is a worm with backdoor functionality for the Windows platform.
W32/Rbot-BAF spreads:
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812) and ASN.1 (MS04-007)
- to other network computers running MSSQL servers protected by weak passwords
- by copying itself to network shares protected by weak passwords
W32/Rbot-BAF runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run W32/Rbot-BAF copies itself to <Windows system folder>\winscure.exe.
The following registry entries are created to run winscure.exe on startup, and are reset every 4 seconds:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Security
winscure.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Security
winscure.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Security
winscure.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Security
winscure.exe
Registry entries are set as follows, and reset every 4 seconds:
HKLM\SOFTWARE\Microsoft\OLE
Windows Security
winscure.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Windows Security
winscure.exe
HKCU\Software\Microsoft\OLE
Windows Security
winscure.exe
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Windows Security
winscure.exe
W32/Rbot-BAF attempts to terminate certain processes related to anti-virus and security programs.
W32/Rbot-BAF attempts to modify the HOSTS file by appending the following lines, preventing access to the websites specified:
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 microsoft.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 pandasoftware.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 virustotal.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.virustotal.com
|
