Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | July 2006 (4.07) |
| Protection available since | 8 June 2006 06:09:30 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Rbot-EBE is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-EBE spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012) and WKS (MS03-049) (CAN-2003-0812) and by copying itself to network shares protected by weak passwords.
W32/Rbot-EBE runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-EBE includes functionality to:
- perform DDoS attacks
- access the internet and communicate with a remote server via HTTP
- log keystrokes
- set up a SOCKS4 server
- terminate security and anti-virus related processes
- modify the HOSTS file
When first run, W32/Rbot-EBE copies itself to <System>\jxl.exe.
The following registry entries are created to run jxl.exe on startup (key: value name = value data):
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run: JXL Radio = jxl.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: JXL Radio = jxl.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices: JXL Radio = jxl.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices: JXL Radio = jxl.exe
Registry entries are set as follows (key: value name = value data):
- HKCU\SYSTEM\CurrentControlSet\Control\Lsa: JXL Radio = jxl.exe
- HKLM\SYSTEM\CurrentControlSet\Control\Lsa: JXL Radio = jxl.exe
- HKCU\Software\Microsoft\OLE: JXL Radio = jxl.exe
- HKLM\SOFTWARE\Microsoft\Ole: JXL Radio = jxl.exe
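The persistence locations above can be audited from the defender's side. The following Python script is an added example and is not Sophos code: it walks the eight registry keys named in this description and reports any value called "JXL Radio" or whose data names jxl.exe, so a variant that only renames the value is still caught. The function names (`find_persistence`, `live_reader`, `snapshot_reader`) and the contents of `SAMPLE_SNAPSHOT` are constructed for this example; on Windows the script reads the live registry through the standard `winreg` module, elsewhere it runs against the snapshot.

```python
"""Audit the registry locations named in the W32/Rbot-EBE description for the
"JXL Radio" / jxl.exe persistence value. Added example, not Sophos code."""
import sys
from typing import Callable, Dict, Iterable, List, Tuple

# Registry locations taken from the description: (hive, subkey).
RBOT_EBE_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKCU", r"SYSTEM\CurrentControlSet\Control\Lsa"),
    ("HKLM", r"SYSTEM\CurrentControlSet\Control\Lsa"),
    ("HKCU", r"Software\Microsoft\OLE"),
    ("HKLM", r"SOFTWARE\Microsoft\Ole"),
]
INDICATOR_VALUE_NAME = "JXL Radio"
INDICATOR_FILENAME = "jxl.exe"

# A reader returns (value name, value data) pairs for a (hive, subkey). Swapping
# the reader lets the same logic run against the live registry or an offline snapshot.
Reader = Callable[[str, str], Iterable[Tuple[str, object]]]


def find_persistence(reader: Reader) -> List[Tuple[str, str, object]]:
    """Return (key path, value name, data) for each value matching the indicator.

    A value matches if its name is "JXL Radio" or its data is a string whose
    file name is jxl.exe (bare or with a directory path).
    """
    hits = []
    for hive, subkey in RBOT_EBE_KEYS:
        for name, data in reader(hive, subkey):
            data_hit = False
            if isinstance(data, str):
                basename = data.lower().replace("\\", "/").split("/")[-1].strip('"')
                data_hit = basename == INDICATOR_FILENAME
            if name == INDICATOR_VALUE_NAME or data_hit:
                hits.append((hive + "\\" + subkey, name, data))
    return hits


def live_reader(hive: str, subkey: str) -> List[Tuple[str, object]]:
    """Enumerate the values under a key on a real Windows host; a missing key yields nothing."""
    import winreg  # standard library, Windows only
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    try:
        key = winreg.OpenKey(roots[hive], subkey)
    except OSError:
        return []
    values = []
    with key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values under this key
                break
            values.append((name, data))
            index += 1
    return values


def snapshot_reader(snapshot: Dict[Tuple[str, str], List[Tuple[str, object]]]) -> Reader:
    """Build a reader over an in-memory snapshot, e.g. values exported from a disk image."""
    return lambda hive, subkey: snapshot.get((hive, subkey), [])


# Constructed snapshot for offline use: two keys carry the worm's value, the rest are benign.
SAMPLE_SNAPSHOT = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"): [
        ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
        ("JXL Radio", "jxl.exe"),
    ],
    ("HKLM", r"SYSTEM\CurrentControlSet\Control\Lsa"): [
        ("Notification Packages", ["scecli"]),  # REG_MULTI_SZ data arrives as a list
    ],
    ("HKCU", r"Software\Microsoft\OLE"): [
        ("Updater", r"C:\WINDOWS\system32\jxl.exe"),  # renamed value, same binary
    ],
}

if __name__ == "__main__":
    reader = live_reader if sys.platform == "win32" else snapshot_reader(SAMPLE_SNAPSHOT)
    for key_path, name, data in find_persistence(reader):
        print(f"{key_path}  {name!r} = {data!r}")
```

Matching on the file name as well as the value name is the useful generalisation: the value name is the cheapest thing for a variant to change, while the dropped binary name is tied to the copy made at first run.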
W32/Rbot-EBE also modifies the HOSTS file, appending the following mappings to deny access to security and anti-virus related websites:
0.0.0.0 www.symantec.com
0.0.0.0 securityresponse.symantec.com
0.0.0.0 symantec.com
0.0.0.0 www.sophos.com
0.0.0.0 sophos.com
0.0.0.0 www.mcafee.com
0.0.0.0 mcafee.com
0.0.0.0 liveupdate.symantecliveupdate.com
0.0.0.0 www.viruslist.com
0.0.0.0 viruslist.com
0.0.0.0 viruslist.com
0.0.0.0 f-secure.com
0.0.0.0 www.f-secure.com
0.0.0.0 kaspersky.com
0.0.0.0 kaspersky-labs.com
0.0.0.0 www.avp.com
0.0.0.0 www.kaspersky.com
0.0.0.0 avp.com
0.0.0.0 www.networkassociates.com
0.0.0.0 networkassociates.com
0.0.0.0 www.ca.com
0.0.0.0 ca.com
0.0.0.0 mast.mcafee.com
0.0.0.0 my-etrust.com
0.0.0.0 www.my-etrust.com
0.0.0.0 download.mcafee.com
0.0.0.0 dispatch.mcafee.com
0.0.0.0 secure.nai.com
0.0.0.0 nai.com
0.0.0.0 www.nai.com
0.0.0.0 update.symantec.com
0.0.0.0 updates.symantec.com
0.0.0.0 us.mcafee.com
0.0.0.0 liveupdate.symantec.com
0.0.0.0 customer.symantec.com
0.0.0.0 rads.mcafee.com
0.0.0.0 trendmicro.com
0.0.0.0 pandasoftware.com
0.0.0.0 www.pandasoftware.com
0.0.0.0 www.trendmicro.com
0.0.0.0 www.grisoft.com
0.0.0.0 www.microsoft.com
0.0.0.0 microsoft.com
0.0.0.0 www.virustotal.com
0.0.0.0 virustotal.com
0.0.0.0 www.zango.com
0.0.0.0 zango.com
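The HOSTS modification above is straightforward to detect and undo, because every appended line maps a vendor domain to a sinkhole address. The following Python script is an added example, not Sophos code: it parses HOSTS-file text, flags lines that point any of the vendor domains from the list above (matched by registrable domain, so subdomains not in the list are also caught) at 0.0.0.0, 127.0.0.1 or ::1, and produces a cleaned copy with those lines removed. The function names and the `SAMPLE_HOSTS` text are constructed for this example; the default file path follows the standard Windows and Unix locations.

```python
"""Find and remove HOSTS entries that sinkhole security-vendor domains, the
technique attributed above to W32/Rbot-EBE. Added example, not Sophos code."""
import os
import sys
from pathlib import Path
from typing import List, Tuple

# Registrable domains from the mapping list in the description.
VENDOR_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "pandasoftware.com", "grisoft.com", "microsoft.com",
    "virustotal.com", "zango.com",
)
# Addresses that silently break name resolution for the mapped host.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


def _is_vendor_host(host: str) -> bool:
    """True if host is one of the vendor domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def find_blocked_entries(hosts_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, address, host) for every sinkholed vendor host."""
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        if addr not in SINKHOLE_ADDRESSES:
            continue
        for name in names:
            if name.lower() == "localhost":
                continue  # the legitimate loopback entries
            if _is_vendor_host(name):
                hits.append((lineno, addr, name))
    return hits


def remove_blocked_entries(hosts_text: str) -> str:
    """Return hosts_text with every flagged line removed; other lines are untouched."""
    bad_lines = {lineno for lineno, _, _ in find_blocked_entries(hosts_text)}
    kept = [raw for i, raw in enumerate(hosts_text.splitlines(), 1) if i not in bad_lines]
    return "\n".join(kept) + ("\n" if hosts_text.endswith("\n") else "")


def default_hosts_path() -> Path:
    if sys.platform == "win32":
        root = Path(os.environ.get("SystemRoot", r"C:\Windows"))
        return root / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


# Constructed sample resembling a HOSTS file after the worm has appended its mappings.
SAMPLE_HOSTS = (
    "# constructed sample HOSTS file\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "192.168.1.10    fileserver.corp.example   # benign internal entry\n"
    "0.0.0.0 www.symantec.com\n"
    "0.0.0.0 liveupdate.symantecliveupdate.com\n"
    "0.0.0.0 www.sophos.com\n"
    "0.0.0.0 www.example.org\n"
)

if __name__ == "__main__":
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else default_hosts_path()
    text = path.read_text(errors="replace") if path.exists() else SAMPLE_HOSTS
    for lineno, addr, host in find_blocked_entries(text):
        print(f"line {lineno}: {addr} -> {host}")
```

The script only reports and returns a cleaned string; writing it back to the real file needs administrator rights on Windows and should follow the worm-removal procedure referenced in the Action section, since the HOSTS entries are only one of the changes the worm makes.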
