Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | November 2004 (3.87) |
| Protection available since | 17 September 2004 09:45:41 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Rbot-JZ is a network worm and backdoor for the Windows platform.
The worm spreads by copying itself to network shares with weak passwords and by exploiting the LSASS vulnerability (MS04-011).
The backdoor component connects to a predefined IRC server and waits for instructions from a remote attacker.
When run the worm copies itself to msnmsgr.exe in the Windows system folder and adds the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Msn Messengers = "msnmsgr.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Msn Messengers = "msnmsgr.exe"
HKLM\System\CurrentControlSet\Control\Lsa\
Msn Messengers = "msnmsgr.exe"
HKLM\Software\Microsoft\Ole\
Msn Messengers = "msnmsgr.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Msn Messengers = "msnmsgr.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Msn Messengers = "msnmsgr.exe"
HKCU\System\CurrentControlSet\Control\Lsa\
Msn Messengers = "msnmsgr.exe"
HKCU\Software\Microsoft\Ole\
Msn Messengers = "msnmsgr.exe"
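As an added defender-side check (not part of the Sophos write-up), the script below scans a registry export in .reg format for the persistence entries listed above: the value `Msn Messengers` set to `msnmsgr.exe` under any of the eight keys. The sample export embedded in it is constructed for illustration; the key paths, value name and data come from the description above.

```python
"""Hunt for W32/Rbot-JZ persistence entries in an exported .reg file."""
import re

# Registry locations and the value the worm writes, as listed in the write-up.
RBOT_JZ_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKLM\System\CurrentControlSet\Control\Lsa",
    r"HKLM\Software\Microsoft\Ole",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\System\CurrentControlSet\Control\Lsa",
    r"HKCU\Software\Microsoft\Ole",
]
VALUE_NAME = "Msn Messengers"
VALUE_DATA = "msnmsgr.exe"

# .reg exports spell the hive out in full; map to the short forms used above.
HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Constructed sample export: two infected keys plus two unrelated autorun entries.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Msn Messengers"="msnmsgr.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Msn Messengers"="msnmsgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Users\\alice\\tray.exe"
'''


def normalise_key(key):
    """Rewrite HKEY_LOCAL_MACHINE\\... to HKLM\\... so keys compare cleanly."""
    hive, _, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return hive + "\\" + rest if rest else hive


def parse_reg_export(text):
    """Return (key, value_name, data) triples from .reg-format text."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = normalise_key(line[1:-1])
            continue
        match = re.match(r'^"([^"]+)"=(.*)$', line)
        if match and current_key:
            name, data = match.group(1), match.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1]  # REG_SZ data is quoted in .reg files
            entries.append((current_key, name, data))
    return entries


def find_rbot_jz_entries(text):
    """Return a list of 'KEY\\Name = "data"' strings matching the worm's indicators."""
    wanted = {k.lower() for k in RBOT_JZ_KEYS}
    hits = []
    for key, name, data in parse_reg_export(text):
        if (key.lower() in wanted
                and name.lower() == VALUE_NAME.lower()
                and data.lower() == VALUE_DATA.lower()):
            hits.append(f'{key}\\{name} = "{data}"')
    return hits


if __name__ == "__main__":
    for hit in find_rbot_jz_entries(SAMPLE_REG_EXPORT):
        print("Rbot-JZ indicator:", hit)
```

Feed it the output of `reg export` taken from a suspect machine; matches under the `Lsa` and `Ole` keys are the most telling, since legitimate software has no reason to place a program name there.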
The worm attempts to disable several other worms and some security-related processes.
The backdoor component allows a remote attacker to:
transfer files to and from the infected computer
log user keystrokes
sniff network packets
capture video
launch distributed denial of service attacks
steal game-related CD keys
