Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | February 2005 (3.90) |
| Protection available since | 20 December 2004 22:04:18 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Rbot-RY is a Windows network worm that spreads to weakly protected network shares and computers vulnerable to the RPC-DCOM exploit (see Microsoft Security Bulletin MS04-012).
W32/Rbot-RY has an IRC backdoor which connects to a preconfigured IRC server and joins a channel allowing a remote user access to the infected computer.
The worm can steal product keys, be used in denial-of-service and distributed denial-of-service attacks, upload and download files, and run specified programs.
W32/Rbot-RY is a Windows network worm with an IRC backdoor.
The worm can spread to ADMIN$ and C$ network shares with weak usernames and passwords. The worm will also attempt to spread to computers vulnerable to the DCOM exploit (see Microsoft Security Bulletin MS04-012).
In order to run automatically when Windows starts up, the worm copies itself to the Windows system folder as msngf.exe and creates the following registry entries:

| Registry key | Value name | Data |
|---|---|---|
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Sygate Personal Firewall Start | servic.exe |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices | Sygate Personal Firewall Start | servic.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Sygate Personal Firewall Start | servic.exe |
Once installed, W32/Rbot-RY connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected machine to perform any of the following actions:

- Initiate distributed denial-of-service (DDoS) attacks
- Flood a remote host (by either ping or HTTP)
- Start a SOCKS4 proxy server
- Port scan for vulnerabilities on other remote computers
- Execute arbitrary commands
- Steal product keys
- Upload and download files
- Send emails as specified by the remote user
- Shut down and reboot the computer
- Delete network shares
- Log any keystrokes made on the infected computer
- Stop a running service
- Flush the DNS and ARP caches
- Capture images of the desktop and from a webcam (if connected)
The worm may also be commanded to attempt to disable DCOM by setting the following registry entry:

| Registry key | Value name | Data |
|---|---|---|
| HKLM\Software\Microsoft\OLE | EnableDCOM | N |
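The registry changes listed above (the three "Sygate Personal Firewall Start" Run entries and EnableDCOM set to N) are the host-side indicators a responder can check. The following is an added example, not part of the Sophos description, that parses a `reg export` (.reg) dump and reports which of those indicators are present; the sample export is constructed, and the value name, data and keys come from the description above.

```python
import re

# Indicators taken from the W32/Rbot-RY description above.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
RUN_VALUE_NAME = "Sygate Personal Firewall Start"
RUN_DATA = "servic.exe"
OLE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\OLE"

def parse_reg_export(text):
    """Parse 'reg export' (.reg) text into {key: {value_name: data}}; keys and
    value names are lower-cased (registry is case-insensitive), REG_SZ only."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                tree[current][m.group(1).lower()] = m.group(2)
    return tree

def find_rbot_ry_indicators(text):
    """Return the persistence/DCOM indicators present in a .reg export."""
    tree, hits = parse_reg_export(text), []
    for key in RUN_KEYS:
        data = tree.get(key.lower(), {}).get(RUN_VALUE_NAME.lower())
        if data is not None and data.lower() == RUN_DATA:
            hits.append(f"{key}\\{RUN_VALUE_NAME} = {data}")
    # EnableDCOM=N alone is only corroborating: an administrator can set
    # it deliberately, so it is reported but is not proof of infection.
    if tree.get(OLE_KEY.lower(), {}).get("enabledcom", "").upper() == "N":
        hits.append(f"{OLE_KEY}\\EnableDCOM = N")
    return hits

# Constructed sample export (not a real capture): one worm Run entry,
# one unrelated benign value, and DCOM disabled.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Sygate Personal Firewall Start"="servic.exe"
"ExampleApp"="C:\\Example\\app.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE]
"EnableDCOM"="N"
"""
```

On a real host, export the keys with `reg export <key> <file>` and pass the file contents to `find_rbot_ry_indicators`; note that reg.exe writes .reg files as UTF-16, so open them with `encoding="utf-16"`.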
