W32/Rbot-UD

Please follow the instructions for removing worms.

Change any data that may have become compromised.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

Check the following items

• To renable DCOM you can edit the registry, but it's better to use Dcomcnfg.exe. See Microsoft article 825750 for details.
• The HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1" setting does not allow enumeration of SAM accounts and names. The default is "0". It can be changed in Local Security Policy. See Microsoft article 246261 for details.
• Check your administrator passwords and review network security.

W32/Rbot-UD is a member of the W32/Rbot family of network worms. The worm can spread to weakly protected network shares, and to computers vulnerable to the RPC-DCOM, LSASS and WebDav exploits. See Microsoft Sercurity Bulletins MS04-012, MS04-011 and MS03-007 respectively.

The worm has a backdoor component that connects to a preconfigured IRC channel, allowing an attacker to issue instructions to the worm, thus giving access to an infected computer.

W32/Rbot-UD can be instructed to log any keystrokes made on an infected computer,
search for and retrieve product keys, upload, download and search for files, and participate in distributed denial-of-service (DDoS) attacks. W32/Rbot-UD is a member of the W32/Rbot family of network worms. The worm can spread to weakly protected network shares, and to computers vulnerable to the RPC-DCOM, LSASS and WebDav exploits. See Microsoft Sercurity Bulletins MS04-012, MS04-011 and MS03-007 respectively.

In order to run automatically when Windows starts up the worm copies itself to the Windows system folder as icp.exe and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Internet Content Publisher
icp.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Internet Content Publisher
icp.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Internet Content Publisher
icp.exe

Once installed, W32/Rbot-UD connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected machine to perform any of the following actions:

Initiate distributed denial-of-service (DDoS) attacks
Flood a remote host (by either SYN, TCP, UDP, ICMP or ping)
Steal product keys
Start a SOCKS4 or HTTP server
Scan remote computers for vulnerabilities
Execute arbitrary commands
Upload, download and search for files
Send emails as specified by the remote user
Create and delete network shares
Browse and terminate processes running on the computer
Log any keystrokes made on the computer

The worm can be commanded to secure an infected computer from further infection, or open it up for further infection. Securing an infected computer involves deleting any network shares and disabling DCOM by setting the following registry entry:

HKLM\Software\Microsoft\OLE
EnableDCOM
N

Additionally, anonymous access to the IPC$ is restricted by setting the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

To allow further infection on an infected computer a C$ network share is added, and DCOM is enabled by setting the following registry entry:

HKLM\Software\Microsoft\OLE
EnableDCOM
Y

Anonymous access to the IPC$ is allowed by setting the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
0