high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Included in our products from | December 2004 (3.88) |
| Protection available since | 5 November 2004 09:08:14 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\
and remove any reference to any file you deleted.
Close the registry editor.
Check the following items
- To renable DCOM you can edit the registry, but it's better to use Dcomcnfg.exe. See Microsoft article 825750 for details.
- The HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1" setting does not allow enumeration of SAM accounts and names. The default is "0". It can be changed in Local Security Policy. See Microsoft article 246261 for details.
- Check your administrator passwords and review network security.
More Information
W32/Rbot-PA is a network worm with IRC backdoor functionality. W32/Rbot-PA is a network worm with IRC backdoor functionality.
In order to run automatically when Windows starts up the worm copies itself to the file sdsa.exe in the Windows system folder.
Once installed, W32/Rbot-PA connects to a preconfigured IRC server, joins a channel and awaits further instructions. These instructions can cause the bot to perform any of the following actions:
flood a specified host with UDP, TCP, SYN, ICMP or ping packets
start a webserver offering the contents of the local drive
start a socks4 proxy server
redirect TCP connections
start a TFTP, FTP, rlogind or command shell server
transfer files via DCC
send emails
search for product keys
download and install an updated version of itself
show statistics about the infected system
show/flush the DNS cache
list/terminate running processes
list/create/destroy network shares/services
scan randomly- or sequentially-chosen IPs for infectable machines
start a keylogger
search for passwords in files, running processes and network traffic
read the contents of the clipboard
capture images from the screen or any attacked webcam
close down vulnerable services in order to secure the machine
The worm spreads to machines affected by the RPC DCOM (MS03-026, MS04-012) or LSASS (MS04-011) vulnerabilities and to computers running a MS SQL server protected by weak passwords.
W32/Rbot-PA creates or modifies the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
sads = "sdsa.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
sads = "sdsa.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
sads = "sdsa.exe"
HKCU\Software\Microsoft\Ole\
sads = "sdsa.exe"
HKLM\Software\Microsoft\Ole\
EnableDCOM = "N"
HKLM\System\CurrentControlSet\Control\Lsa\
restrictanonymous = dword:00000001
|
