Sophos

W32/Rbot-VZ

Summary
How it spreads: Network shares
Affected operating systems: Windows
Characteristics: Installs itself in the registry
Included in our products from: April 2005 (3.92)
Protection available since: 15 February 2005 16:51:46 (GMT)
Detected by: All Sophos products

More Information

W32/Rbot-VZ is a member of the W32/Rbot family of network worms. The worm can spread to computers vulnerable to the LSASS, RPC-DCOM, and IIS5SSL exploits. For more information see Microsoft Security Bulletins MS04-011 (for both the LSASS and IIS5SSL exploits) and MS04-012 (for the RPC-DCOM exploit). The worm can also spread to weakly protected network shares.

In order to run automatically when Windows starts up, the worm copies itself to the Windows system folder as atidrvxx.exe and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AtiDisplayDrv
atidrvxx.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
AtiDisplayDrv
atidrvxx.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AtiDisplayDrv
atidrvxx.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
AtiDisplayDrv
atidrvxx.exe

Once installed, W32/Rbot-VZ connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:

  • Scan for remote computers to infect
  • Start an HTTP, an FTP, or a SOCKS4 server
  • Log any keystrokes made on an infected computer
  • Flood a remote computer using ICMP, SYN, UDP or TCP
  • Search for, upload, download, and execute files
  • Browse and attempt to modify any services installed on the computer
  • Participate in a distributed denial-of-service (DDoS) attack
  • List and terminate processes
  • Attempt to disable security software
  • Create and delete network shares

The worm may also modify the setting of the following registry entry to enable or disable anonymous access to the IPC$ share:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous

The worm may also be instructed to enable or disable DCOM, by modifying the following registry entry:

HKLM\Software\Microsoft\OLE
EnableDCOM

The worm also attempts to set the following registry entries:

HKCU\Software\Microsoft\OLE
Windows Messenger Service
winsmsgr.exe

HKLM\Software\Microsoft\OLE
AtiDisplayDrv
atidrvxx.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
AtiDisplayDrv
atidrvxx.exe

HKCU\Software\Microsoft\OLE
AtiDisplayDrv
atidrvxx.exe

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
AtiDisplayDrv
atidrvxx.exe
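As an added check (not code from the Sophos analysis), the PowerShell script below reads every registry location and the file path listed above and reports which of the AtiDisplayDrv values, the Windows Messenger Service value, the dropped atidrvxx.exe and the restrictanonymous/EnableDCOM settings are present. It assumes the system folder is %SystemRoot%\System32 and that the account can read HKLM; it only reads and changes nothing.

```powershell
# Added example, not Sophos tooling: report whether the persistence values and
# settings listed in this analysis are present on the local host (read-only).
# Assumption: the "Windows system folder" is %SystemRoot%\System32.

$ValueName   = 'AtiDisplayDrv'
$DroppedFile = Join-Path $env:SystemRoot 'System32\atidrvxx.exe'

# Every key the analysis says the worm writes the AtiDisplayDrv value into:
# the four autostart keys first, then the OLE and Lsa keys.
$KeysWithValue = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\OLE',
    'HKCU:\Software\Microsoft\OLE',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKCU:\SYSTEM\CurrentControlSet\Control\Lsa'
)

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns the value's data, or $null when the key or the value is absent.
    if (-not (Test-Path -Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$Findings = @(foreach ($key in $KeysWithValue) {
    $data = Get-RegValue -Key $key -Name $ValueName
    if ($null -ne $data) {
        [pscustomobject]@{ Indicator = "$key\$ValueName"; Data = $data }
    }
})
$msgr = Get-RegValue -Key 'HKCU:\Software\Microsoft\OLE' -Name 'Windows Messenger Service'
if ($null -ne $msgr) {
    $Findings += [pscustomobject]@{ Indicator = 'HKCU:\Software\Microsoft\OLE\Windows Messenger Service'; Data = $msgr }
}
if (Test-Path -Path $DroppedFile) {
    $Findings += [pscustomobject]@{ Indicator = $DroppedFile; Data = 'file present' }
}

# Settings the worm may toggle, reported for comparison with local policy
# (restrictanonymous = 0 permits anonymous IPC$ access; EnableDCOM = 'Y' enables DCOM).
$Settings = [pscustomobject]@{
    RestrictAnonymous = Get-RegValue -Key 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'restrictanonymous'
    EnableDCOM        = Get-RegValue -Key 'HKLM:\Software\Microsoft\OLE' -Name 'EnableDCOM'
}
if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No W32/Rbot-VZ indicators found.' }
$Settings
```

A hit on any Run or RunServices value, or the dropped file, is the strong indicator; the OLE and Lsa values are corroborating, and the two settings should be compared against what your baseline expects.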
