W32/Rbot-CLO

Please follow the instructions for removing worms.

W32/Rbot-CLO is a network worm with backdoor functionality for the Windows platform.

W32/Rbot-CLO spreads using a variety of techniques including:
-exploiting weak passwords on computers and SQL servers
-exploiting common buffer overflow vulnerabilities, including: Veritas (CAN-2004-1172) and ASN.1 (MS04-007)

W32/Rbot-CLO attempts to disable anti-virus and other security related software. W32/Rbot-CLO is a network worm with backdoor functionality for the Windows platform.

W32/Rbot-CLO spreads using a variety of techniques including:
-exploiting weak passwords on computers and SQL servers
-exploiting common buffer overflow vulnerabilities, including: Veritas (CAN-2004-1172) and ASN.1 (MS04-007)

W32/Rbot-CLO attempts to disable anti-virus and other security related software.

W32/Rbot-CLO can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-CLO can be instructed by a remote user to perform the following functions:

- start an FTP server
- start a Proxy server
- start a web server
- take part in distributed denial of service (DDoS) attacks
- log keypresses
- capture screen/webcam images
- port scanning
- download/execute arbitrary files
- start a remote shell (RLOGIN)
- steal product registration information from certain software

The worm copies itself to a file named b4db0yz.exe in the Windows system folder and creates the following registry entries:

HKCU\Software\Microsoft\OLE
System Service
b4db0yz.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Service
b4db0yz.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
System Service
b4db0yz.exe

A patch for the operating system vulnerability exploited by W32/Rbot-CLO can be obtained from Microsoft at: MS04-007