Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | November 2004 (3.87) |
| Protection available since | 22 September 2004 13:37:39 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Change any data that may have become compromised.
Download and install the Microsoft patches mentioned above.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MS Config Service = "Msloader32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MS Config Service = "Msloader32.exe"
and delete them if they exist.
Close the registry editor.
More Information
W32/Rbot-KJ is a network worm with IRC backdoor functionality.
W32/Rbot-KJ attempts to spread by exploiting the Universal PNP (MS01-059), WebDav (MS03-007), RPC DCOM (MS03-026, MS04-012), LSASS (MS04-011), DameWare (CAN-2003-1030) or IIS5 SSL (CAN-2003-0719) vulnerabilities.
W32/Rbot-KJ allows a remote attacker to control the infected computer via IRC channels.
In order to run automatically when Windows starts up the worm copies itself to the file Msloader32.exe in the Windows system folder.
Once installed, W32/Rbot-KJ connects to a preconfigured IRC server, joins a channel and awaits further instructions. These instructions can cause the bot to perform any of the following actions:
- flood a specified host with UDP, TCP, SYN, ICMP or ping packets
- start a webserver offering the contents of the local drive
- start a socks4 proxy server
- redirect TCP connections
- start a TFTP, rlogind or command shell server
- send emails
- search for product keys
- download and install an updated version of itself
- show statistics about the infected system
- show/flush the DNS cache
- list/terminate running processes
- scan randomly- or sequentially-chosen IPs for infectable machines
- start a keylogger
- search for passwords in files, running processes and network traffic
- read the contents of the clipboard
- capture images from the screen or any attached webcam
- close down vulnerable services in order to secure the machine
The worm spreads to machines affected by known vulnerabilities, running network services protected by weak passwords or infected by common backdoor Trojans.
Vulnerabilities:
- Universal PNP (MS01-059)
- WebDav (MS03-007)
- RPC DCOM (MS03-026, MS04-012)
- LSASS (MS04-011)
- DameWare (CAN-2003-1030)
- IIS5 SSL (CAN-2003-0719)

Services:
- NetBios
- NTPass
- MS SQL

Backdoors:
- Troj/Kuang
- Troj/Optix
- Troj/NetDevil
- W32/Bagle
- Troj/Sub7
- W32/MyDoom
W32/Rbot-KJ creates or modifies the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MS Config Service = "Msloader32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MS Config Service = "Msloader32.exe"
HKCU\Software\Microsoft\OLE
MS Config Service = "Msloader32.exe"
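The removal steps above ask you to export the registry before editing it and then look for the three "MS Config Service" entries by hand. The following script is an added example (not Sophos tooling) that does the same check offline against a Regedit export: it parses the .reg file, reports only the persistence values that match the advisory's key, value name and file name, and emits a second .reg file that deletes just those values using Regedit's `"name"=-` syntax. It assumes the export has already been decoded to text (Regedit writes UTF-16); the sample export embedded below is constructed, including the unrelated `ExampleApp` autorun value that must not be flagged.

```python
"""Offline check of a Regedit .reg export for the W32/Rbot-KJ persistence entries.

Added example, not Sophos's own tooling. It assumes the analyst has exported the
registry with Regedit (Export Registry File, range "All") and decoded it to text;
the SAMPLE_EXPORT below is constructed for demonstration.
"""
import re
from typing import Dict, List, Tuple

# Persistence indicators exactly as the advisory lists them: key, value name, file name.
RBOT_KJ_INDICATORS: List[Tuple[str, str, str]] = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "MS Config Service", "Msloader32.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices", "MS Config Service", "Msloader32.exe"),
    (r"HKCU\Software\Microsoft\OLE", "MS Config Service", "Msloader32.exe"),
]

_HIVE_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS",
}
_SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def expand_key(key: str) -> str:
    """Expand a hive abbreviation (HKLM -> HKEY_LOCAL_MACHINE) and drop a trailing backslash."""
    key = key.strip().rstrip("\\")
    hive, sep, rest = key.partition("\\")
    return _HIVE_ALIASES.get(hive.upper(), hive) + sep + rest


def normalize_key(key: str) -> str:
    """Registry paths are case-insensitive, so compare them expanded and upper-cased."""
    return expand_key(key).upper()


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Regedit export into {normalized key: {value name: data}}.

    REG_SZ data ("...") is unescaped; other types (dword:, hex:) are kept as raw text.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        section = _SECTION_RE.match(line)
        if section:
            current = normalize_key(section.group("key"))
            keys.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if current is not None and value:
            data = value.group("data").strip()
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][_unescape(value.group("name"))] = data
    return keys


def scan_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for every Rbot-KJ persistence entry present in the export."""
    keys = parse_reg_export(text)
    hits: List[Tuple[str, str, str]] = []
    for key, name, exe in RBOT_KJ_INDICATORS:
        for vname, data in keys.get(normalize_key(key), {}).items():
            # Value names are case-insensitive; the data may be a full path, so compare the file name only.
            file_name = data.strip('"').rsplit("\\", 1)[-1]
            if vname.lower() == name.lower() and file_name.lower() == exe.lower():
                hits.append((key, vname, data))
    return hits


def build_cleanup_reg(hits: List[Tuple[str, str, str]]) -> str:
    """Write a .reg file that deletes only the values found ("name"=- is Regedit's delete-value syntax)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, vname, _data in hits:
        lines += [f"[{expand_key(key)}]", f'"{vname}"=-', ""]
    return "\n".join(lines)


# Constructed sample export: the three advisory entries plus one unrelated autorun value.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MS Config Service"="Msloader32.exe"
"ExampleApp"="C:\\Program Files\\ExampleApp\\tray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MS Config Service"="Msloader32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"MS Config Service"="Msloader32.exe"
'''

if __name__ == "__main__":
    found = scan_reg_export(SAMPLE_EXPORT)
    for key, vname, data in found:
        print(f"FOUND {key}\\{vname} = {data}")
    if found:
        print(build_cleanup_reg(found))
```

Review the generated cleanup file before importing it: it only removes the matched values, so the surrounding Run and RunServices keys and any legitimate entries in them are left untouched, and the backup export you made first still lets you restore everything.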
W32/Rbot-KJ searches for product keys for the following software:
- Counter-Strike (Retail)
- The Gladiators
- Gunman Chronicles
- Half-Life
- Industry Giant 2
- Legends of Might and Magic
- Soldiers of Anarchy
- Microsoft Windows
- Unreal Tournament 2003
- Unreal Tournament 2004
- IGI 2: Covert Strike
- Freedom Force
- Battlefield 1942
- Battlefield 1942 (Road to Rome)
- Battlefield 1942 (Secret Weapons of WWII)
- Battlefield Vietnam
- Black and White
- Command and Conquer: Generals (Zero Hour)
- James Bond 007: Nightfire
- Command and Conquer: Generals
- Medal of Honor: Allied Assault
- Medal of Honor: Allied Assault: Breakthrough
- Medal of Honor: Allied Assault: Spearhead
- Need for Speed Hot Pursuit 2
- Need for Speed: Underground
- Shogun: Total War: Warlord Edition
- FIFA 2002
- FIFA 2003
- NHL 2002
- NHL 2003
- Nascar Racing 2002
- Nascar Racing 2003
- Rainbow Six III RavenShield
- Command and Conquer: Tiberian Sun
- Command and Conquer: Red Alert
- Command and Conquer: Red Alert 2
- NOX
- Chrome
- Hidden & Dangerous
- Soldier of Fortune II - Double Helix
- Neverwinter Nights
- Neverwinter Nights (Shadows of Undrentide)
- Neverwinter Nights (Hordes of the Underdark)
