high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | December 2004 (3.88) |
| Protection available since | 10 November 2004 13:37:11 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Rbot-PL is an IRC backdoor Trojan and network worm.
W32/Rbot-PL may spread to remote network shares and computers vulnerable to common exploits. The worm also opens up a backdoor, allowing unauthorised remote access to infected computers via the IRC network, while running in the background as a service process.
W32/Rbot-PL copies itself to the Windows system folder and creates the following registry entries to run automatically on log-on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Update Monitoring Service = "winupdt.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Update Monitoring Service = "winupdt.exe"
W32/Rbot-PL also attempts to set the following registry entries:
HKCU\Software\Microsoft\OLE\
Windows Update Monitoring Service = "winupdt.exe"
HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM = "N"
HKLM\SYSTEM\ControlSet001\Control\Lsa\
restrictanonymous = 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous = 1
W32/Rbot-PL can receive commands from a remote intruder to delete network shares, log keypresses, participate in DDoS attacks, scan other computers for vulnerabilities, steal passwords, steal registration keys for computer games, terminate anti-virus and firewall processes, block access to anti-virus websites, create local administrator
accounts and capture video from webcameras attached to the computer.
|
