Sophos

W32/Rbot-OC

Aliases
  • Backdoor.Win32.Rbot.gen

Summary
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from December 2004 (3.88)
Protection available since 27 October 2004 11:19:02 (GMT)
Detected by All Sophos products

Action

More Information

W32/Rbot-OC is a network worm which attempts to spread via network shares. The worm contains backdoor Trojan functions that allow unauthorised remote access to the infected computer via IRC channels while it runs in the background.

When run, W32/Rbot-OC moves itself to the Windows System folder as a read-only, hidden, system file named asus.exe.

The worm then creates the following registry entries so as to run itself either on user logon or computer restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
asus = asus.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
asus = asus.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
asus = asus.exe

W32/Rbot-OC will also set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM = N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = dword:00000001
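As an added example that is not part of the Sophos advisory, the following Python script checks an exported .reg file for the persistence entries and setting changes listed above. The sample export it parses is constructed for the example; the key paths, value names and data are those stated in the advisory. The two Run entries listed differ only in the case of "Software", which the registry treats as the same key, so the script lists that key once.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample .reg export (added for this example; not from the advisory
# or from Sophos). It mixes the indicators described above with benign entries
# so the matcher has something to ignore.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"asus"="asus.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"asus"="asus.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"limitblankpassworduse"=dword:00000001
"""

# (key path under HKLM, value name, value data) taken from the advisory text.
PERSISTENCE_INDICATORS = [
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "asus", "asus.exe"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices", "asus", "asus.exe"),
]
# Settings the worm changes. They are legitimate hardening values on their own,
# so they only count as corroboration alongside a persistence hit.
SETTING_INDICATORS = [
    (r"SOFTWARE\Microsoft\Ole", "EnableDCOM", "N"),
    (r"SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous", "dword:00000001"),
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path_lower: {value_name_lower: data}}.

    Quoted string data has its quotes removed and doubled backslashes
    collapsed; dword/hex data is kept in the textual form regedit writes
    (for example 'dword:00000001').
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()  # registry key paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1).lower(), m.group(2).strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_rbot_oc_indicators(text: str) -> Tuple[List[Tuple[str, str, str]], List[Tuple[str, str, str]]]:
    """Return (persistence_hits, setting_hits) found in a .reg export.

    Data is compared case-insensitively as well, since 'ASUS.EXE' would run
    the same file as 'asus.exe'.
    """
    keys = parse_reg_export(text)

    def lookup(indicators):
        hits = []
        for path, name, expected in indicators:
            full = ("HKEY_LOCAL_MACHINE\\" + path).lower()
            data = keys.get(full, {}).get(name.lower())
            if data is not None and data.lower() == expected.lower():
                hits.append((path, name, data))
        return hits

    return lookup(PERSISTENCE_INDICATORS), lookup(SETTING_INDICATORS)


def verdict(text: str) -> str:
    """Classify an export: a Run/RunServices entry launching asus.exe is decisive."""
    persistence, settings = find_rbot_oc_indicators(text)
    if persistence:
        return "infected"
    if settings:
        return "suspicious"  # hardening values alone may be deliberate administration
    return "clean"


if __name__ == "__main__":
    persistence, settings = find_rbot_oc_indicators(SAMPLE_REG_EXPORT)
    for hit in persistence:
        print("persistence:", hit)
    for hit in settings:
        print("setting:", hit)
    print("verdict:", verdict(SAMPLE_REG_EXPORT))
```

Feed it an export of HKEY_LOCAL_MACHINE taken from the suspect host with regedit or reg.exe (how you obtain the export is your choice; the advisory does not prescribe one). EnableDCOM=N and restrictanonymous=1 are values administrators also set deliberately, which is why the verdict treats them only as corroboration; the Run or RunServices value launching asus.exe is the decisive sign. RunServices is processed only by Windows 9x/ME, but the value being present is still evidence of the infection on any Windows version.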

Once installed, W32/Rbot-OC will attempt to perform the following actions when instructed to do so by a remote attacker:

- set up an HTTP proxy
- delete network shares
- download and run files from the Internet
- log in to MS SQL servers and send EXEC commands to open a command shell on the server
- perform port scanning
- scan IP addresses
- terminate processes
- steal computer system information (computer name, available memory, drive types)
- capture clipboard data
- take part in SYN flooding using a variety of attacks comprising TCP/IP, UDP, Ping and ICMP commands

The worm will also log keystrokes and store the captured information in the file <Windows system folder>\msreg.dll.

W32/Rbot-OC will also steal CD keys from the following games:

Battlefield: Vietnam
Battlefield 1942
Battlefield 1942: Secret Weapons of WWII
Battlefield 1942: Road To Rome
Black and White
Call of Duty
Chrome
Command and Conquer: Red Alert 2
Command and Conquer: Red Alert
Command and Conquer: Tiberian Sun
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Counter-Strike
FarCry
FIFA 2003
FIFA 2002
Freedom Force
Global Operations
Ground Control II
Gunman Chronicles
Half-Life
Hidden & Dangerous 2
IGI 2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Joint Operations: Typhoon Rising
Legends of Might and Magic
Medal of Honor: Allied Assault: Spearhead
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault
Nascar Racing 2003
Nascar Racing 2002
Need For Speed: Underground
Need For Speed: Hot Pursuit 2
Neverwinter Nights
Neverwinter Nights: Hordes of the Underdark
Neverwinter Nights: Shadows of Undrentide
NHL 2003
NHL 2002
NOX
Rainbow Six III : RavenShield
Shogun: Total War: Warlord Edition
Soldier of Fortune II: Double Helix
Soldiers Of Anarchy
The Gladiators
Unreal Tournament 2004
Unreal Tournament 2003

Sophos Anti-Virus version 3.87 detects this worm as W32/Rbot-Fam without requiring an update.
