W32/Rbot-LY

Please follow the instructions for removing worms.

Download and install the Microsoft patches mentioned above.

Change any data that may have become compromised.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

Check the following items

• To renable DCOM you can edit the registry, but it's better to use Dcomcnfg.exe. See Microsoft article 825750 for details.
• The HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1" setting does not allow enumeration of SAM accounts and names. The default is "0". It can be changed in Local Security Policy. See Microsoft article 246261 for details.
• Check your administrator passwords and review network security.

W32/Rbot-LY is a network worm and backdoor Trojan for the Windows platform.

W32/Rbot-LY allows a malicious user remote access to an infected computer. W32/Rbot-LY is a network worm and backdoor Trojan for the Windows platform.

W32/Rbot-LY allows a malicious user remote access to an infected computer.

The worm copies itself to a file named ntfs16.exe in the Windows system folder and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
NTFS16 = ntfs16.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
NTFS16 = ntfs16.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
NTFS16 = ntfs16.exe

The following registry entries are also modified:

HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM = "N"

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous = dword:00000001

W32/Rbot-LY spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilites (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

W32/Rbot-LY can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-LY can be used to:

start a proxy server
create screen/webcam captures
enable remote login (rlogin)
log keystrokes on the infected computer
filesystem manipulation
start/stop system services
take part in denial of service attacks (DoS)
send email

Patches for the operating system vulnerabilities exploited by W32/Rbot-LK can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx