W32/Rbot-GDD

Aliases	Backdoor.Win32.IRCBot.wt
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary


How it spreads	Network shares
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Included in our products from	May 2007 (4.17)
Protection available since	3 February 2007 13:59:11 (GMT)
Last updated	8 March 2007 23:08:37 (GMT)
Detected by	All Sophos products

W32/Rbot-GDD is a network worm with IRC backdoor functionality for the Windows platform.

W32/Rbot-GDD spreads by exploiting common network vulnerabilities.

W32/Rbot-GDD allows a remote attacker to gain access and control over the infected computer using IRC channels.

When first run W32/Rbot-GDD copies itself to <System>\algose32.exe and creates the following registry entries to run algose32.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Offices Monitorse
<System>\algose32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Offices Monitorse
<System>\algose32.exe

W32/Rbot-GDD sets the following registry entries in order to secure the infected computer against further exploits:

HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous
1

Get reports about the latest virus and spyware threats delivered to your computer