Summary

| How it spreads | |
|---|---|
| Characteristics | |
| Detected by | All Sophos products |

Action
The name W32/Rbot-Fam is used where a file belongs to a particular family of worms, but the variant is not separately identified. Sophos's proactive protection technology will identify such files as a -Fam variant.
- Ensure that you are using the most recent IDE files, as more precise detection could now be available. If necessary:
  - update with the latest IDE files and
  - repeat the scan.
- Please send us a sample to assist in improving our technology.
- Use the instructions for removing generically detected files to delete the file from your computer.
- If you require further assistance with disinfection, contact support.
More Information
W32/Rbot-Fam is a family of worms which attempt to spread to remote network shares.
The worms also contain backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-Fam worms may attempt to terminate certain processes relating to anti-virus and security programs. W32/Rbot-Fam worms usually spread to network shares with weak passwords, often only spreading as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Rbot-Fam worms copy themselves to the Windows system folder and create entries in the registry so as to run themselves on system startup. These registry locations are the most commonly affected and are often reset by the worms at regular intervals:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Rbot-Fam worms may set the following registry entries, again often resetting them at regular intervals:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
W32/Rbot-Fam worms may delete the C$, D$, E$, IPC$ and ADMIN$ network shares on the host computer, again often deleting them at regular intervals.
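The following PowerShell audit is an added example, not Sophos's own tooling or removal procedure: it checks a Windows host for the autorun locations, registry values and missing administrative shares described above. The registry paths, values and share names are taken from this page; the "command points into the system folder" heuristic and the REVIEW/ALERT labels are this example's own assumptions.

```powershell
# Added example (not Sophos tooling): audit a Windows host for the W32/Rbot-Fam
# indicators described above. Run in an elevated PowerShell session; no modules needed.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$systemDir = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32

# 1. Autorun entries whose command points into the Windows system folder.
#    Legitimate software lives there too, so these are leads for triage, not verdicts.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PowerShell metadata properties
        if ("$($p.Value)" -like "*$systemDir*") {
            Write-Output "REVIEW autorun: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 2. The two values the page says the worm sets (and keeps resetting).
#    Administrators may set these deliberately, so correlate with the other findings.
$ole  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
if ($ole.EnableDCOM -eq 'N') { Write-Output 'ALERT: EnableDCOM is "N"' }

$lsa  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ("$($lsa.restrictanonymous)" -eq '1') { Write-Output 'ALERT: restrictanonymous is 1' }

# 3. Default administrative shares the worm deletes. Win32_Share works on older
#    Windows versions where Get-SmbShare is not available.
$expected = 'C$', 'ADMIN$', 'IPC$'
$present  = (Get-CimInstance -ClassName Win32_Share -ErrorAction SilentlyContinue).Name
foreach ($s in $expected) {
    if ($present -notcontains $s) { Write-Output "ALERT: default share $s is missing" }
}
```

Because the page notes the worm resets these keys and re-deletes the shares at intervals, re-running the audit a few minutes after remediation is a useful check that the service process has actually been stopped.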
