W32/Rbot-WO

Please follow the instructions for removing worms.

W32/Rbot-WO is a network worm and backdoor for the Windows platform. The worm spreads to network shares and computers with unpatched operating system vulnerabilities.

The backdoor component connects to a predefined IRC server and waits for commands from a remote attacker.

The worm copies itself to a file named winis.exe in the Windows system folder and creates the following registry entries:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
xp
winis.exe

HKCU\Software\Microsoft\ndows\CurrentVersion\Run
xp
winis.exe

HKCU\Software\Microsoft\ndows\CurrentVersion\RunServices
xp
winis.exe

HKCU\Software\Microsoft\OLE
xp
winis.exe

HKLM\SOFTWARE\Microsoft\ndows\CurrentVersion\Run
xp
winis.exe

HKLM\SOFTWARE\Microsoft\ndows\CurrentVersion\RunServices
xp
winis.exe

HKLM\SOFTWARE\Microsoft\Ole
xp
winis.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
xp
winis.exe

W32/Rbot-WO spreads using a variety of techniques including exploiting weak password on computers and SQL servers, exploiting operating system vulnerabilites (including DCOM-RPC and LSASS) and using backdoors opened by other worms or Trojans.

W32/Rbot-WO can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-WO can be used to:

start a proxy server
enable remote login (rlogin)
log keystrokes on the infected computer
filesystem manipulation
start/stop system services
take part in denial of service attacks (DoS)
terminate processes

Patches for the operating system vulnerabilities exploited by W32/Rbot-WO can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx