Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | January 2005 (3.89) |
| Protection available since | 25 October 2004 07:59:59 (GMT) |
| Last updated | 15 November 2004 09:26:40 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Rbot-NO is a worm that attempts to spread via remote network shares. It runs in the background as a service process and contains backdoor Trojan functionality: it joins IRC channels from which a remote attacker can issue commands, and it can also give an intruder a remote access shell on the infected computer.
The worm spreads to network shares protected by weak passwords, and also uses the following security exploits:
- LSASS exploit (MS04-011)
- RPC-DCOM exploit (MS04-012)
- WebDav exploit (MS03-007)
W32/Rbot-NO moves itself to the Windows system folder under a random filename. The worm then creates the following registry entries so that it runs again when the computer restarts:

```
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WindowsRegistration = <random filename>

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WindowsRegistration = <random filename>
```

W32/Rbot-NO also sets the following registry entries, which restrict anonymous (null session) enumeration of accounts and shares and disable DCOM on the infected host (DCOM is the service targeted by the RPC-DCOM exploit listed above):

```
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = 1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM = N
```
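The registry entries above are what an analyst would check first when triaging a suspected infection, either on the live machine or on an exported hive. The following Python script is an added example, not part of the Sophos description and not the worm's code: it parses a registry export in the REGEDIT text format (what `reg export` or regedit's Export produces) and reports the `WindowsRegistration` persistence value and the two hardening values. The random filename `xkqzp.exe`, the sample exports and the function names are constructed for illustration and are not taken from a real infection.

```python
# Added example (not Sophos's text or the worm's code): scan a Windows registry
# export for the W32/Rbot-NO indicators described above. Assumptions not stated
# on the page: the export is REGEDIT text, HKLM is written as
# HKEY_LOCAL_MACHINE, and the sample exports and the random filename
# "xkqzp.exe" below are constructed for illustration.
import re
from typing import Dict, List, Tuple

# Persistence: the value *name* is fixed while the file name is random, so the
# name is the stable indicator.
PERSISTENCE_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
PERSISTENCE_VALUE = "WindowsRegistration"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
OLE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse REGEDIT text into {key_path: {value_name: value}}.

    Registry names are case-insensitive, so keys and value names are
    lower-cased. REG_SZ data is unescaped to a plain string, REG_DWORD data
    becomes an int; any other type is kept as its raw text.
    """
    reg: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            reg.setdefault(current, {})
            continue
        val = _VALUE_RE.match(line)
        if val and current is not None:
            name, data = val.group(1).lower(), val.group(2)
            if data.startswith('"') and data.endswith('"'):
                value: object = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif data.lower().startswith("dword:"):
                value = int(data[6:], 16)
            else:
                value = data
            reg[current][name] = value
    return reg


def find_indicators(reg_text: str) -> List[str]:
    """Return one human-readable finding per Rbot-NO indicator present."""
    reg = parse_reg_export(reg_text)
    findings: List[str] = []
    for key in PERSISTENCE_KEYS:
        path = reg.get(key.lower(), {}).get(PERSISTENCE_VALUE.lower())
        if isinstance(path, str):
            in_sysdir = any(d in path.lower() for d in SYSTEM_DIRS)
            note = "" if in_sysdir else " (outside the system folder)"
            findings.append(f"persistence: {key}\\{PERSISTENCE_VALUE} = {path}{note}")
    if reg.get(LSA_KEY.lower(), {}).get("restrictanonymous") == 1:
        findings.append("hardening: Lsa\\restrictanonymous = 1")
    dcom = reg.get(OLE_KEY.lower(), {}).get("enabledcom")
    if isinstance(dcom, str) and dcom.upper() == "N":
        findings.append("hardening: Ole\\EnableDCOM = N")
    return findings


def assess(reg_text: str) -> Tuple[str, List[str]]:
    """Only the WindowsRegistration value is specific to the worm; the two
    hardening values are also legitimate admin settings, so alone they only
    corroborate."""
    findings = find_indicators(reg_text)
    if any(f.startswith("persistence:") for f in findings):
        return "likely W32/Rbot-NO", findings
    if findings:
        return "hardening values only (check other evidence)", findings
    return "no Rbot-NO indicators", findings


# Constructed sample exports (not from a real infection).
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsRegistration"="C:\\WINDOWS\\system32\\xkqzp.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WindowsRegistration"="C:\\WINDOWS\\system32\\xkqzp.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""

HARDENED_ONLY_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

if __name__ == "__main__":
    for sample in (INFECTED_EXPORT, HARDENED_ONLY_EXPORT):
        verdict, hits = assess(sample)
        print(verdict, *hits, sep="\n  ")
```

Two points the script encodes that matter in practice: the `WindowsRegistration` value name is the indicator, not the file name, because the file name is random; and `restrictanonymous = 1` together with `EnableDCOM = N` is also a perfectly ordinary hardening configuration, so the verdict requires the persistence entry and treats the hardening values as corroboration only. Note also that the `RunServices` key is honoured only by Windows 9x/Me; on NT-based Windows the `Run` value is the one that actually restarts the worm, but both are worth reporting.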
W32/Rbot-NO may attempt to perform the following actions when instructed to do so by a remote attacker:
- log in to MS SQL servers and send EXEC commands to open a command shell
- download and run files from the Internet
- perform port scanning
- enumerate the list of running processes on the computer and reduce the privileges on these processes
- steal computer system information (computer name, available memory, drive types)
- log keystrokes
- capture clipboard data
- participate in DoS attacks
The worm may also attempt to steal CD keys from the following games:
- Neverwinter Nights
- Neverwinter Nights: Hordes of the Underdark
- Neverwinter Nights: Shadows of Undrentide
- Soldier of Fortune II: Double Helix
- Hidden & Dangerous 2
- Chrome
- NOX
- Command and Conquer: Red Alert 2
- Command and Conquer: Red Alert
- Command and Conquer: Tiberian Sun
- Rainbow Six III RavenShield
- Nascar Racing 2003
- Nascar Racing 2002
- NHL 2003
- NHL 2002
- FIFA 2003
- FIFA 2002
- Shogun: Total War: Warlord Edition
- Need For Speed: Underground
- Need For Speed Hot Pursuit 2
- Medal of Honor: Allied Assault: Spearhead
- Medal of Honor: Allied Assault: Breakthrough
- Medal of Honor: Allied Assault
- Global Operations
- Command and Conquer: Generals
- James Bond 007: Nightfire
- Command and Conquer: Generals: Zero Hour
- Black and White
- Battlefield Vietnam
- Battlefield 1942: Secret Weapons of WWII
- Battlefield 1942: Road To Rome
- Battlefield 1942
- Freedom Force
- IGI 2: Covert Strike
- Unreal Tournament 2004
- Unreal Tournament 2003
- Soldiers Of Anarchy
- Legends of Might and Magic
- Industry Giant 2
- Half-Life
- Gunman Chronicles
- The Gladiators
- Counter-Strike
