high
Summary
Summary
Action- More Information
| Included in our products from | September 2004 (3.85) |
|---|---|
| Protection available since | 26 July 2004 13:30:09 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Download and install the Microsoft patches mentioned above.
Check your administrator passwords and review network security.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Rbot-EL is a network worm and backdoor for the Windows platform. W32/Rbot-EL allows a malicious user remote access to an infected computer via IRC.
In order to run automatically when Windows starts up W32/Rbot-EL copies itself to the Windows system folder as fat32.exe and creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Fat32 Microsoft = fat32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Fat32 Microsoft = fat32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Fat32 Microsoft = fat32.exe
W32/Rbot-EL terminates the following processes if they exist:
i11r54n4.exe
irun4.exe
d3dupdate.exe
rate.exe
ssate.exe
winsys.exe
winupd.exe
SysMonXP.exe
bbeagle.exe
Penis32.exe
teekids.exe
MSBLAST.exe
mscvb32.exe
sysinfo.exe
PandaAVEngine.exe
wincfg32.exetaskmon.exe
zonealarm.exe
navapw32.exe
navw32.exe
zapro.exe
msblast.exe
netstat.exe
msconfig.exe
regedit.exe
W32/Rbot-EL spreads by exploiting network shares and Microsoft SQL servers with weak passwords, Windows operating system vulnerabilities and backdoors opened by other worms and Trojans.
Patches for the operating system vulnerabilities exploited by W32/Rbot-EL can be obtained from Microsoft at:
MS04-011
MS03-026
MS03-007
MS01-059
|
