Sophos

W32/Rbot-KA

Aliases
  • Backdoor.Rbot.gen
  • Exploit-DcomRpc.gen
  • WORM_SDBOT.UO

How it spreads
  • Network shares
  • Peer-to-peer
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Included in our products from November 2004 (3.87)
Protection available since 18 September 2004 16:26:30 (GMT)
Detected by: All Sophos products

More Information

W32/Rbot-KA is an IRC backdoor worm.

W32/Rbot-KA contains backdoor functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.

W32/Rbot-KA copies itself to the Windows system folder as uzpdate2.exe and creates entries in the registry at the following locations to run on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
zerzvpack2 = uzpdate2.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
zerzvpack2 = uzpdate2.exe

The worm also sets the following registry entry:

HKCU\Software\Microsoft\OLE\
zerzvpack2 = uzpdate2.exe
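As a practical check for the persistence entries listed above, the following Python script is an added example and is not part of the Sophos analysis. It parses a regedit (.reg) export (a constructed sample is embedded) and reports every value under the three keys that matches the value name zerzvpack2 or the filename uzpdate2.exe. It also goes slightly beyond the text with a heuristic flag for Run/RunServices values that name a bare .exe with no path, which is the pattern this worm uses. The sample export, the function names and the heuristic are assumptions of the example; only the key paths, the value name and the filename come from the analysis.

```python
"""Scan a regedit (.reg) export for the W32/Rbot-KA persistence entries.

Added example; the indicators (keys, value name, filename) are taken from the
Sophos analysis, everything else (sample data, names, heuristic) is assumed.
"""
import re

# Indicators from the analysis: the value name the worm writes and the
# filename it drops into the Windows system folder.
RBOT_KA_VALUE_NAME = "zerzvpack2"
RBOT_KA_FILENAME = "uzpdate2.exe"

# Autostart keys the worm writes to (compared case-insensitively).
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# Not an autostart location; the worm writes its marker here, so any matching
# value under this key is suspicious on its own.
MARKER_KEYS = {r"hkey_current_user\software\microsoft\ole"}

# Constructed sample export: the three entries from the analysis plus one benign value.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"zerzvpack2"="uzpdate2.exe"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"zerzvpack2"="uzpdate2.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"zerzvpack2"="uzpdate2.exe"
"""


def parse_reg_export(text):
    """Parse the REG_SZ subset of a .reg export into {key: {value_name: data}}."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # REG_SZ: drop the quotes and undo the doubled backslashes of the .reg format
                data = data[1:-1].replace("\\\\", "\\")
            result[current][name] = data
    return result


def find_rbot_ka_persistence(reg_export_text):
    """Return (key, value_name, data, reason) for suspicious entries.

    reason is "ioc" for a match on the worm's value name or filename, or
    "heuristic" for an autostart value whose data is a bare .exe with no path
    (the worm's pattern; legitimate autostart entries usually carry a full path).
    """
    hits = []
    for key, values in parse_reg_export(reg_export_text).items():
        k = key.lower()
        if k not in AUTOSTART_KEYS and k not in MARKER_KEYS:
            continue
        for name, data in values.items():
            d = data.strip().lower()
            basename = d.rsplit("\\", 1)[-1]
            if name.lower() == RBOT_KA_VALUE_NAME or basename == RBOT_KA_FILENAME:
                hits.append((key, name, data, "ioc"))
            elif k in AUTOSTART_KEYS and "\\" not in d and d.endswith(".exe"):
                hits.append((key, name, data, "heuristic"))
    return hits


if __name__ == "__main__":
    for key, name, data, reason in find_rbot_ka_persistence(SAMPLE_EXPORT):
        print(f"[{reason}] {key}\\{name} = {data}")
```

On a live host, produce the input with `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and likewise for the other two keys); note that reg.exe writes UTF-16 text, so open the file with `encoding="utf-16"` before passing it to `find_rbot_ka_persistence`. A hit under the OLE key is the strongest signal, since nothing legitimate starts programs from there.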

W32/Rbot-KA may spread by exploiting the RPC-DCOM (MS03-026) or LSASS (MS04-011) vulnerabilities, or by using the NTPass exploit.

The worm may attempt to spread via network shares, or through IRC as the result of a backdoor command. The worm may delete network shares.
