Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | February 2005 (3.90) |
| Protection available since | 22 December 2004 11:07:20 (GMT) |
| Last updated | 23 December 2004 00:13:17 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Rbot-SF is a network worm and backdoor Trojan for the Windows platform. W32/Rbot-SF allows a malicious user remote access to an infected computer.
The worm copies itself to a file named wruauclt.exe in the Windows system folder and creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*windows update
wruauclt.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*windows update
wruauclt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*windows update
wruauclt.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
*windows update
wruauclt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
*windows update
wruauclt.exe
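A read-only check for the registry entries and dropped file listed above, as an added example that is not part of the Sophos advisory. It matches on the value data (wruauclt.exe) rather than the value name; the function name Find-RbotSfRunEntries is hypothetical, and the HKCU paths cover only the user running the script.

```powershell
# Added example: report (never modify) the W32/Rbot-SF persistence entries.
$target  = 'wruauclt.exe'   # file name given in the advisory
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Find-RbotSfRunEntries {
    param(
        [string[]]$Keys     = $runKeys,
        [string]  $FileName = $target
    )
    foreach ($key in $Keys) {
        # Several of these keys do not exist on a clean host; skip them quietly.
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            # Match on data so the result does not depend on the exact value name.
            if ($data -like "*$FileName*") {
                [pscustomobject]@{ Key = $key; ValueName = $name; Data = $data }
            }
        }
    }
}

$hits = @(Find-RbotSfRunEntries)

# The advisory says the worm copies itself into the Windows system folder.
$dropped = Join-Path ([Environment]::SystemDirectory) $target
$fileHit = Test-Path -LiteralPath $dropped

if ($hits.Count -gt 0 -or $fileHit) {
    Write-Output "Possible W32/Rbot-SF indicators on $env:COMPUTERNAME"
    $hits | Format-Table -AutoSize
    if ($fileHit) { Get-Item -LiteralPath $dropped -Force | Select-Object FullName, Length, CreationTimeUtc }
} else {
    Write-Output "No W32/Rbot-SF run entries or $target found for this user and machine."
}
```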
W32/Rbot-SF spreads using a variety of techniques, including exploiting weak passwords on computers and SQL servers and exploiting operating system vulnerabilities (including DCOM-RPC and LSASS).
W32/Rbot-SF can be controlled by a remote attacker over IRC channels.
The following patches for the operating system vulnerabilities exploited by W32/Rbot-SF can be obtained from the Microsoft website:
Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Rbot-SF (detected as W32/Rbot-Fam) since version 3.88.
