Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | December 2004 (3.88) |
| Protection available since | 13 October 2004 11:10:11 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Rbot-MT is a worm which attempts to spread via remote network shares. The worm contains backdoor Trojan functionality allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-MT has a backdoor component that allows a malicious intruder a remote access shell to an infected computer.
The worm spreads to network shares with weak passwords and by using the following exploits:
- LSASS exploit (MS04-011)
- RPC-DCOM exploit (MS04-012)
- WebDav exploit (MS03-007)
The worm copies itself to the Windows system folder as windll.exe. W32/Rbot-MT then creates the following registry entries to run itself on computer restart or user logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Dll Management = windll.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Dll Management = windll.exe
W32/Rbot-MT also sets the following registry entries:
HKCU\Software\Microsoft\OLE
Microsoft Dll Management = windll.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = 1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM = N
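Added example, not code from the Sophos write-up: a Python script that parses a registry export in .reg format and reports any of the persistence entries and changed settings listed above, so exports collected from suspect machines can be checked offline. The sample export embedded in it is constructed, and the function names are this example's own.

```python
import re

# (key, value name) -> data, taken from the write-up above and lower-cased
# because registry keys and value names are case-insensitive.
INDICATORS = {
    (r"hkey_local_machine\software\microsoft\windows\currentversion\run", "microsoft dll management"): "windll.exe",
    (r"hkey_local_machine\software\microsoft\windows\currentversion\runservices", "microsoft dll management"): "windll.exe",
    (r"hkey_current_user\software\microsoft\ole", "microsoft dll management"): "windll.exe",
    (r"hkey_local_machine\system\currentcontrolset\control\lsa", "restrictanonymous"): "dword:00000001",
    (r"hkey_local_machine\software\microsoft\ole", "enabledcom"): "n",
}
KEY_RE = re.compile(r"^\[(.+)\]$")
# Only REG_SZ ("name"="data") and REG_DWORD ("name"=dword:xxxxxxxx) lines.
VALUE_RE = re.compile(r'^"(.+?)"=(?:"(.*)"|(dword:[0-9a-f]{8}))$', re.IGNORECASE)

def parse_reg_export(text):
    """Yield (key, value_name, data) triples from 'reg export' style text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, sz, dword = m.groups()
            yield key, name, sz if sz is not None else dword

def find_rbot_indicators(text):
    """Return 'key\\name = data' strings for every W32/Rbot-MT entry found."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if INDICATORS.get((key.lower(), name.lower())) == data.lower():
            findings.append(f"{key}\\{name} = {data}")
    return findings

# Constructed sample export (not a real capture): one benign value plus
# three of the entries the write-up lists.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft Dll Management"="windll.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""
```

Running `find_rbot_indicators(SAMPLE_REG)` returns three findings; a clean export returns an empty list.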
W32/Rbot-MT may attempt to perform the following actions when instructed to do so by a remote attacker:
- log in to MS SQL servers and send EXEC commands to open a command shell
- enumerate the list of running processes on the computer and reduce the privileges on these processes
- download and run files from the Internet
- log keystrokes
- steal computer system information (computer name, available memory, drive types etc.)
- capture clipboard data and screen shots
- partake in DoS attacks
The worm will attempt to steal CD keys from the following games:
- Neverwinter Nights (Hordes of the Underdark)
- Neverwinter Nights (Shadows of Undrentide)
- Neverwinter Nights
- Soldier of Fortune II - Double Helix
- Hidden & Dangerous 2
- Chrome
- NOX
- Command and Conquer: Red Alert 2
- Command and Conquer: Red Alert
- Command and Conquer: Tiberian Sun
- Rainbow Six III RavenShield
- Nascar Racing 2003
- Nascar Racing 2002
- NHL 2003
- NHL 2002
- FIFA 2003
- FIFA 2002
- Shogun: Total War: Warlord Edition
- Need For Speed: Underground
- Need For Speed Hot Pursuit 2
- Medal of Honor: Allied Assault: Spearhead
- Medal of Honor: Allied Assault: Breakthrough
- Medal of Honor: Allied Assault
- Global Operations
- Command and Conquer: Generals
- James Bond 007: Nightfire
- Command and Conquer: Generals (Zero Hour)
- Black and White
- Battlefield Vietnam
- Battlefield 1942 (Secret Weapons of WWII)
- Battlefield 1942 (Road To Rome)
- Battlefield 1942
- Freedom Force
- IGI 2: Covert Strike
- Unreal Tournament 2004
- Unreal Tournament 2003
- Soldiers Of Anarchy
- Legends of Might and Magic
- Industry Giant 2
- Half-Life
- Gunman Chronicles
- The Gladiators
- Counter-Strike
