W32/Rbot-ECP

Aliases	Backdoor.Win32.IRCBot.dd
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Network shares
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Included in our products from	August 2006 (4.08)
Protection available since	9 June 2006 06:31:22 (GMT)
Detected by	All Sophos products

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/Rbot-ECP is a network worm with backdoor functionality for the Windows platform.

W32/Rbot-ECP spreads by exploiting weak passwords on network shares.

The worm copies itself to a file named p2pnetworking.exe in the Windows system folder and creates the following registry entries:

HKCU\Software\Microsoft\OLE
p2p networking
"p2pnetworking.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
p2p networking
"p2pnetworking.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
p2p networking
"p2pnetworking.exe"

The worm may also install a file named vbzip10.dll in the Windows system folder. Vbzip10.dll is harmless and may be safely removed.

W32/Rbot-ECP spreads using a variety of techniques including:
-exploiting weak passwords on computers and SQL servers
-exploiting operating system vulnerabilities
-using backdoors opened by other worms or Trojans.

W32/Rbot-ECP can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-ECP can be instructed by a remote user to perform the following functions:

upload files to an FTP server
download/execute arbitrary files

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Rbot-ECP

Summary

Action

More Information