Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | October 2004 (3.86) |
| Protection available since | 9 September 2004 11:04:27 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Rbot-IV is a network worm with IRC backdoor functionality.
In order to run automatically when Windows starts up the worm copies itself to the file NAV.exe in the Windows system folder.
Once installed, W32/Rbot-IV connects to a preconfigured IRC server, joins a channel and awaits further instructions. These instructions can cause the bot to perform any of the following actions:
flood a specified host with UDP, TCP, SYN, ICMP or ping packets
start a webserver offering the contents of the local drive
start a socks4 proxy server
start a rlogind, identd or command shell server
redirect TCP connections
start a TFTP server
search for product keys
download and install an updated version of itself
show statistics about the infected system
list/terminate running processes
scan randomly- or sequentially-chosen IPs for infectable machines
start a keylogger
examine network traffic for passwords
close down vulnerable services in order to secure the machine
take screenshots
capture images from any detected webcam
show/flush the DNS cache
list/modify network shares/services
send email
shutdown/reboot the infected machine
The worm spreads to machines affected by known vulnerabilities, running network services protected by weak passwords or infected by common backdoor Trojans.
Vulnerabilities:
Universal PNP (MS01-059)
WebDav (MS03-007)
RPC DCOM (MS03-026, MS04-012)
LSASS (MS04-011)
IIS5 SSL (CAN-2003-0702)
DameWare (CAN-2003-1030)
Services:
NetBios
NTPass
MS SQL
Backdoors:
W32/Bagle
Troj/Kuang
W32/MyDoom
Troj/NetDevil
Troj/Optix
Troj/Sub7
W32/Rbot-IV creates or modifies the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = "NAV.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = "NAV.exe"
HKCU\Software\Microsoft\OLE\
Microsoft Update = "NAV.exe"
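The three autostart entries above are the worm's persistence footprint. The following is an added defender-side example, not code from Sophos: it scans a .reg-style registry export (a constructed sample is embedded) for exactly those key/value/data combinations, accepting the short hive aliases (HKLM, HKCU) as well as the long names that `reg export` writes.

```python
import re

# Persistence locations named in the description: value "Microsoft Update" = "NAV.exe",
# written here with the long hive names that appear in .reg exports.
RBOT_IV_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
}
RBOT_IV_KEYS_LOWER = {k.lower() for k in RBOT_IV_KEYS}
RBOT_IV_VALUE_NAME = "microsoft update"
RBOT_IV_BASENAME = "nav.exe"
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"\s*$')

def normalise_key(key: str) -> str:
    """Expand HKLM/HKCU to the long hive name so both spellings compare equal."""
    hive, sep, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()) + sep + rest

def find_rbot_iv_persistence(reg_export: str) -> list[dict]:
    """Return every value in the export that matches the Rbot-IV autostart indicators.

    Key path, value name and data are compared case-insensitively (the registry is
    case-insensitive) and the data is matched on its file name, so a full path to
    NAV.exe in the system folder is flagged as well as the bare file name.
    """
    hits, current_key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = normalise_key(line[1:-1])
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        basename = data.lower().rsplit("\\", 1)[-1]
        if (current_key.lower() in RBOT_IV_KEYS_LOWER
                and name.lower() == RBOT_IV_VALUE_NAME
                and basename == RBOT_IV_BASENAME):
            hits.append({"key": current_key, "name": name, "data": data})
    return hits

# Constructed sample export: two worm entries, one benign Run value, and one
# NAV.exe value under a key the description does not list (not reported).
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="NAV.exe"
"SafeTool"="C:\\Program Files\\SafeTool\\tool.exe"

[HKCU\Software\Microsoft\OLE]
"Microsoft Update"="C:\\WINDOWS\\system32\\NAV.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="NAV.exe"
"""

if __name__ == "__main__":
    for hit in find_rbot_iv_persistence(SAMPLE_EXPORT):
        print(f"{hit['key']}  {hit['name']} = {hit['data']}")
```

On a live host the same function can be fed the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion ...`; the last sample entry shows that the match is deliberately limited to the keys the description names.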
W32/Rbot-IV searches for product keys for the following software:
Counter-Strike (Retail)
The Gladiators
Gunman Chronicles
Half-Life
Industry Giant 2
Legends of Might and Magic
Soldiers of Anarchy
Microsoft Windows
Unreal Tournament 2003
Unreal Tournament 2004
IGI 2: Covert Strike
Freedom Force
Battlefield 1942
Battlefield 1942 (Road to Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Command and Conquer: Generals (Zero Hour)
James Bond 007: Nightfire
Command and Conquer: Generals
Global Operations
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Need for Speed Hot Pursuit 2
Need for Speed: Underground
Shogun: Total War: Warlord Edition
FIFA 2002
FIFA 2003
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Rainbow Six III RavenShield
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
NOX
Chrome
Hidden & Dangerous 2
Soldier of Fortune II - Double Helix
Neverwinter Nights
Neverwinter Nights (Shadows of Undrentide)
Neverwinter Nights (Hordes of the Underdark)
Sophos anti-virus products since version 3.85 have been capable of detecting this worm as W32/Rbot-Fam without requiring an update.
