Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | March 2005 (3.91) |
| Protection available since | 14 January 2005 09:14:47 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Rbot-SY is a member of the W32/Rbot family of network worms. The worm can spread to weakly protected network shares and to computers vulnerable to the RPC-DCOM and LSASS exploits (see Microsoft Security Bulletins MS04-011 and MS04-012 respectively).
In order to run automatically when Windows starts up, the worm copies itself to the Windows system folder as wurauclt.exe and creates the following registry entries:

| Registry key | Value name | Data |
|---|---|---|
| `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` | `*windows update` | `wurauclt.exe` |
| `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` | `*windows update` | `wurauclt.exe` |
| `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` | `*windows update` | `wurauclt.exe` |
| `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices` | `*windows update` | `wurauclt.exe` |
| `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run` | `*windows update` | `wurauclt.exe` |
Once installed, W32/Rbot-SY connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected machine to perform any of the following actions:

- Initiate distributed denial-of-service (DDoS) attacks
- Flood a remote host (by either SYN, TCP or ICMP)
- Start a SOCKS4 proxy server
- Port scan remote computers
- Execute arbitrary commands
- Upload, download and search for files
- Send emails as specified by the remote user
- Create and delete network shares
- Browse and terminate processes running on the computer
- Flush the DNS cache
The worm can also be commanded to attempt to enable or disable DCOM by setting the following registry entry to either Y (enabled) or N (disabled):

| Registry key | Value name | Data |
|---|---|---|
| `HKLM\Software\Microsoft\OLE` | `EnableDCOM` | `<Y or N>` |

The worm can also be commanded to allow or deny anonymous access to the IPC$ share by setting the following registry entry to either 1 (denied) or 0 (allowed):

| Registry key | Value name | Data |
|---|---|---|
| `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` | `restrictanonymous` | `<0 or 1>` |
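As an added example (not part of the Sophos description), the following Python scans a `reg export`-style dump for the five autostart values and the two settings described above. The sample dump, the suffix list and the function names are constructed for illustration.

```python
# Constructed sample of a "reg export"-style dump (not from a real host);
# key paths and value names follow the W32/Rbot-SY description above.
SAMPLE_REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"*windows update"="wurauclt.exe"
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"*windows update"="wurauclt.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"""

# Suffixes shared by the five autostart keys the worm writes (compared lower-case).
AUTOSTART_SUFFIXES = (r"\currentversion\run", r"\currentversion\runservices",
                      r"\policies\explorer\run")
DROPPED_FILE = "wurauclt.exe"


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: raw_data}} from .reg-style text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"').lower()] = data.strip().strip('"')
    return keys


def find_rbot_indicators(text):
    """Flag the persistence entries and the two settings the worm can toggle."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.endswith(AUTOSTART_SUFFIXES):
            findings += [("autostart", key, n, d) for n, d in values.items()
                         if d.lower().endswith(DROPPED_FILE)]
        if key.endswith(r"\microsoft\ole") and values.get("enabledcom", "").upper() == "N":
            findings.append(("dcom_disabled", key, "enabledcom", "N"))
        if key.endswith(r"\control\lsa") and values.get("restrictanonymous") == "dword:00000000":
            findings.append(("ipc_anonymous_allowed", key, "restrictanonymous", "0"))
    return findings
```

Run `find_rbot_indicators(SAMPLE_REG_EXPORT)` to see the two autostart hits, the disabled-DCOM setting and the anonymous-IPC$ setting reported as tuples; a clean export yields an empty list.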
Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Rbot-SY (detected as W32/Rbot-Fam) since version 3.88.
