high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Included in our products from | June 2005 (3.94) |
| Protection available since | 7 March 2005 22:03:23 (GMT) |
| Last updated | 29 April 2005 13:44:50 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Rbot-XB a network worm with backdoor functionality for the Windows platform.
W32/Rbot-XB spreads to weakly protected network shares and to computers vulnerable to the LSASS, RPC-DCOM, and IIS5SSL exploits.
For more information about these vulnerabilities see MS04-011 (for both theLSASS and IIS5SSL exploits) and MS04-012 (for the RPC-DCOM exploit).
Once executed W32/Rbot-XB copies itself to the Windows system folder with the filename cthelper.exe, and in order to be able to run automatically when Windows starts up sets the registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
CTHelper
cthelper.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
CTHelper
cthelper.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
CTHelper
cthelper.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
CTHelper
cthelper.exe
W32/Rbot-XB also sets the following registry entries:
HKCU\Software\Microsoft\OLE
CTHelper
cthelper.exe
HKLM\Software\Microsoft\OLE
CTHelper
cthelper.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
CTHelper
cthelper.exe
HKCU\Software\Microsoft\OLE
CTHelper
cthelper.exe
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
CTHelper
cthelper.exe
W32/Rbot-XB may modify the setting of the following registry entry to enable or disable anonymous access to the IPC$ share:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
The worm may also be instructed to enable or disable DCOM, by modifying the following registry entry:
HKLM\Software\Microsoft\OLE
EnableDCOM
When installed W32/Rbot-XB connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:
Scan for remote computers to infect
Start a HTTP, an FTP, or a SOCKS4 server
Log any kesytrokes made on an infected computer
Flood a remote computer using ICMP, SYN, UDP or TCP
Search for, upload, download, and execute files
Browse and attempt to modify any services installed on the computer
Participate in a distributed denial-of-service (DDoS) attack
List and terminate processes
Attempt to disable security software
Create and delete network shares
|
