Sophos

W32/Rbot-BFL

Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from February 2006 (4.02)
Protection available since 22 December 2005 07:07:52 (GMT)
Detected by All Sophos products

Action

More Information

W32/Rbot-BFL is an internet worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-BFL spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011) and RPC-DCOM (MS04-012) and by copying itself to network shares protected by weak passwords.

W32/Rbot-BFL runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Rbot-BFL includes functionality to:

- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software

The following patches for the operating system vulnerabilities exploited by W32/Rbot-BFL can be obtained from the Microsoft website:

MS04-011
MS04-012 W32/Rbot-BFL is an internet worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-BFL spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011) and RPC-DCOM (MS04-012) and by copying itself to network shares protected by weak passwords.

W32/Rbot-BFL runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Rbot-BFL includes functionality to:

- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software

When first run W32/Rbot-BFL moves itself to <System>\BIOSserv.exe.

The following registry entries are created to run BIOSserv.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
BIOS Net Service
BIOSserv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BIOS Net Service
BIOSserv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
BIOS Net Service
BIOSserv.exe

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

The following patches for the operating system vulnerabilities exploited by W32/Rbot-BFL can be obtained from the Microsoft website:

MS04-011
MS04-012

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer