Sophos

W32/Rbot-QE

Aliases
  • Backdoor.Win32.Rbot.gen
  • W32/Sdbot.worm.gen.p
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from January 2005 (3.89)
Protection available since 19 November 2004 06:07:47 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Change any data that may have become compromised.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

More Information

W32/Rbot-QE is a network worm which attempts to spread via network shares. The worm contains backdoor functions that allows unauthorised remote access to the infected computer via IRC channels while running in the background.

W32/Rbot-QE spreads to network shares with weak passwords and by using the LSASS security exploit (MS04-011). W32/Rbot-QE is a network worm which attempts to spread via network shares. The worm contains backdoor functions that allows unauthorised remote access to the infected computer via IRC channels while running in the background.

W32/Rbot-QE spreads to network shares with weak passwords and by using the LSASS security exploit (MS04-011).

When run the worm moves itself to the Windows System folder as a read-only, hidden and system file named XPUpdate.exe.

W32/Rbot-QE then creates the following registry entries so as to run itself either on user logon or computer restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Update
XPUpdate.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Update
XPUpdate.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Update
XPUpdate.exe

Once installed, W32/Rbot-QE will attempt to log keystrokes, partake in distributed denial of service (DDoS) attacks, download and run files from the Internet, steal CD keys, login to MS SQL servers and send EXEC commands to open a command shell on the server when instructed to do so by a remote attacker.

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer