high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Included in our products from | April 2005 (3.92) |
| Protection available since | 22 February 2005 09:44:09 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Rbot-WI is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-WI moves itself to the Windows system folder as winis.exe and creates the following registry entries:
HKCU\Software\Microsoft\<non-roman character>ndows\CurrentVersion\Run
winis
winis.exe
HKCU\Software\Microsoft\<non-roman character>ndows\CurrentVersion\RunServices
winis
winis.exe
HKLM\SOFTWARE\Microsoft\<non-roman character>ndows\CurrentVersion\Run
winis
winis.exe
HKLM\SOFTWARE\Microsoft\<non-roman character>ndows\CurrentVersion\RunServices
winis
winis.exe
HKLM\SOFTWARE\Microsoft\Ole
winis
winis.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
winis
winis.exe
HKLM\Software\Microsoft\Ole\EnableDCOM = N
HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymous = 1
W32/Rbot-WI speads to network shares with weak passwords and by exploiting system vulnerabilities including the RPC DCOM (MS04-012) and LSASS (MS04-011) vulnerabilities.
W32/Rbot-WI can also download and execute remote files on the infected computer, log keystrokes and flood other computers with network packets and terminate processes.
|
