W32/Rbot-EQ

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

W32/Rbot-EQ is a member of the W32/Rbot family of worms with backdoor
capabilities. The worm has the ability to spread via network shares with weak passwords.

In order to run automatically when Windows starts up the worm copies itself as suchost.exe in the Windows system folder and adds the following registry entries to ensure the worm is run during windows logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Automatic Microsoft Windows Updater = SUCHOST.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Automatic Microsoft Windows Updater = SUCHOST.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Automatic Microsoft Windows Updater = SUCHOST.EXE

When run the worm attempts to connect to a remote IRC server. This connection is used as a control channel that allows a malicious user access to the infected computer.