Sophos

W32/Rbot-LS

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from November 2004 (3.87)
Protection available since 5 October 2004 12:27:27 (GMT)
Detected by All Sophos products

More Information

W32/Rbot-LS is a worm which spreads via remote network shares. It also carries backdoor Trojan functionality: it connects to an IRC channel and takes commands from the attacker, giving unauthorised remote access, including a remote command shell, to the infected computer while it runs in the background as a service process.

The worm copies itself to network shares protected by weak passwords and also spreads by exploiting two Windows vulnerabilities for which Microsoft had already issued fixes:

- LSASS exploit (MS04-011)
- RPC-DCOM exploit (MS03-039)

Hosts with those two patches applied cannot be infected through the exploit vectors, which leaves weak share passwords as the remaining route in.

The worm moves itself to the Windows system folder as jutsu.exe. W32/Rbot-LS then creates the following registry entries to run itself on computer restart or user logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
jutsu = jutsu.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
jutsu = jutsu.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
jutsu = jutsu.exe

W32/Rbot-LS also sets the following registry entries, which restrict anonymous (null-session) enumeration of the host and disable DCOM on it:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = 1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM = N
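A host check for the persistence entries, dropped file and registry changes described above, written here as an added example; it is not Sophos code and the advisory itself supplies no script. It assumes an elevated PowerShell session on the suspect Windows host; the -Remediate switch, the output wording and the decision to only report (never revert) the Lsa and Ole values are choices of this script, not of the advisory.

```powershell
# Added example (not Sophos code): look for the W32/Rbot-LS indicators named in the
# advisory on the local host and, only when -Remediate is given, remove the
# autostart entries and the dropped file. Run from an elevated prompt.
param(
    [switch]$Remediate
)

$ErrorActionPreference = 'Stop'

# The three autostart locations the worm writes. HKLM\...\RunServices is only
# honoured by Windows 9x/ME; NT-based Windows ignores it, so on those hosts the
# two Run keys are the ones that actually persist the worm.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$valueName = 'jutsu'
$dropper   = Join-Path ([Environment]::GetFolderPath('System')) 'jutsu.exe'

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $entry = $props.PSObject.Properties[$valueName]   # $null if the value is absent
    if ($null -ne $entry -and $entry.Value -match 'jutsu\.exe') {
        $findings += "Autostart value '$valueName' = '$($entry.Value)' in $key"
        if ($Remediate) {
            Remove-ItemProperty -Path $key -Name $valueName
        }
    }
}

if (Test-Path $dropper) {
    $hash = (Get-FileHash -Path $dropper -Algorithm SHA256).Hash
    $findings += "Dropped file present: $dropper (SHA256 $hash)"
    if ($Remediate) {
        # The worm runs as a background process that holds the file open, so end
        # any running copy before deleting the file.
        Get-Process -Name 'jutsu' -ErrorAction SilentlyContinue | Stop-Process -Force
        Remove-Item -Path $dropper -Force
    }
}

# Settings the worm changes. RestrictAnonymous=1 limits null-session enumeration
# and EnableDCOM=N disables DCOM. Administrators also set these deliberately, so
# they are reported as corroborating evidence and are never reverted here.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.restrictanonymous -eq 1) {
    $findings += 'Lsa\restrictanonymous = 1 (set by the worm; may also be local policy)'
}
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
if ($ole -and $ole.EnableDCOM -eq 'N') {
    $findings += 'Ole\EnableDCOM = N (DCOM disabled; set by the worm)'
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Rbot-LS indicators found.'
} else {
    Write-Output 'W32/Rbot-LS indicators:'
    $findings | ForEach-Object { Write-Output "  - $_" }
    if ($Remediate) {
        Write-Output 'Autostart entries and dropped file removed; restart the host and rescan.'
    }
}
```

Run it without the switch first and record the SHA256 it reports before anything is deleted. Removing the autostart entries and the file does not close the way in: the host still needs the MS03-039 and MS04-011 patches and any weak share passwords changed, or it will simply be reinfected from the next scan of the network.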

W32/Rbot-LS may attempt to:

- capture clipboard data
- delete network shares on the host computer
- enumerate the list of running processes on the computer and reduce the privileges of those processes
- download and run files from the Internet
- steal computer system information (computer name, available memory, drive types etc.)
- participate in DoS attacks

Sophos Anti-Virus version 3.85 and above detects this worm as W32/Rbot-Fam without requiring an update.
