W32/Rbot-LE

Please follow the instructions for removing worms.

W32/Rbot-LE is a worm which attempts to spread via remote network shares.

W32/Rbot-LE contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.

The worm has a backdoor component that allows a malicious intruder a remote access shell to an infected computer.

W32/Rbot-LE spreads to network shares with weak passwords as a result of this backdoor Trojan element receiving the appropriate command from a remote intruder.

The worm moves itself to the Windows system folder as msie.exe and creates the following registry entries to run itself on computer restart or user logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Ansti Update
msie.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Ansti Update
msie.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Ansti Update
msie.exe

W32/Rbot-LE also sets the following registry entries:

HKLM\SYSTEM\ControlSet001\Control\Lsa
restrictanonymous = 1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = 1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM = "N"

W32/Rbot-LE may attempt to:

• steal CD keys
• capture clipboard data
• delete network shares on the host computer
• log keystrokes
• capture images from the computer screen and web camera
• enumerate the list of running processes on the computer and reduce the privileges on these processes
• download and run files from the internet
• transfer files via TFTP on port 69
• steal computer system information (computer name, available memory, drive types etc.)
• perform SYN flood and partake in DoS attacks