W32/Rbot-DZ

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Java Windows Update = <filename>
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Java Windows Update = <filename>

and delete them if they exist.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKCU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Java Windows Update = <filename>

and delete it if it exists.

Close the registry editor.

Check your administrator passwords and review network security.

W32/Rbot-DZ is a worm with IRC backdoor functionality.

In order to run automatically when Windows starts up the worm copies itself to a randomly-named file in the Windows system folder and creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Java Windows Update = <filename>
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Java Windows Update = <filename>
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Java Windows Update = <filename>

Once installed, W32/Rbot-DZ connects to a preconfigured IRC server and channel to await further commands. These commands allow an attacker to perform any of the following actions

• send/receive files by DCC
• start a tftp, http, rlogin, ident or socks4 proxy server
• download/upload files by HTTP or FTP
• scan other machines in order to infect them
• secure the infected system against similar attacks
• network packet sniffing
• list and/or kill currently running processes, threads and/or services
• log keyboard events
• take screenshots
• search for cd keys, passwords
• list/flush the ARP and DNS caches
• start a remote shell
• execute arbitrary shell commands
• flood another machine with ICMP,SYN,PING,raw IP,UDP or TCP packets
• reboot the machine
• TCP redirection
• send email via SMTP

The worm spreads by scanning many IP addresses (generated either randomly or sequentially) for known vulnerabilities, backdoors installed by other malware or network shares/services protected by weak passwords.