W32/Rbot-GRE

Please follow the instructions for removing worms.

W32/Rbot-GRE is a worm with IRC backdoor functionality for the Windows platform.

W32/Rbot-GRE runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Rbot-GRE spreads to other network computers:

- by exploiting common buffer over flow vulnerabilities, including: SRVSVC (MS06-040), WKS (MS03-049) (CAN-2003-0812), MSSQL (MS02-039) (CAN-2002-0649), PNP (MS05-039), ASN.1 (MS04-007), Realcast, RealVNC (CVE-2006-2369) and Symantec (SYM06-010)

- by networks protected by weak passwords

When first run W32/Rbot-GRE copies itself to <System>\IEexplore32.exe.

The following registry entry is set to run W32/Rbot-GRE on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
IEexplorer AUpdate
IEexplore32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IEexplorer AUpdate
IEexplore32.exe

W32/Rbot-GRE includes functionality to:

- download code from the internet
- perform port scanning
- perform DDoS attacks
- setup a SOCKS4 proxy server

The following registry entries are also set:

HKCU\Software\Microsoft\OLE
IEexplorer AUpdate
IEexplore32.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableRemoteConnect
N

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0

HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

Registry entries may also be made under:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\