Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | April 2005 (3.92) |
| Protection available since | 9 March 2005 14:52:28 (GMT) |
| Detected by | All Sophos products |

Action

Please follow the instructions for removing worms.

More Information

W32/Rbot-XJ is a variant of the Rbot family of worms for the Windows platform. It has backdoor functionality and spreads to weakly protected network shares and, when instructed by a remote command, by exploiting a number of known vulnerabilities.
Once executed, W32/Rbot-XJ copies itself to the Windows system folder as PCsync.exe, with the hidden and system file attributes set. So that it runs automatically when Windows starts up, it sets the following registry entries (key\value = data):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PcSync = "PCsync.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\PcSync = "PCsync.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PcSync = "PCsync.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\PcSync = "PCsync.exe"
W32/Rbot-XJ also sets the following registry entries:
HKCU\Software\Microsoft\OLE\PcSync = "PCsync.exe"
HKLM\Software\Microsoft\OLE\PcSync = "PCsync.exe"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\PcSync = "PCsync.exe"
HKCU\SYSTEM\CurrentControlSet\Control\Lsa\PcSync = "PCsync.exe"
W32/Rbot-XJ may modify the setting of the following registry entry to enable or disable anonymous access to the IPC$ share:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous
The worm may also be instructed to enable or disable DCOM by modifying the following registry entry:
HKLM\Software\Microsoft\OLE\EnableDCOM
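The registry entries, dropped file and settings listed above can be checked in one pass. The script below is an added example, not part of the Sophos advisory and not a Sophos removal tool: it is read-only and only reports what it finds. It assumes an elevated PowerShell prompt (so HKLM and the system folder are readable), and on 64-bit Windows it also checks the SysWOW64 folder, on the assumption that a 32-bit copy of the worm writing to "the system folder" would be redirected there. The RestrictAnonymous and EnableDCOM values are reported as informational only, because RestrictAnonymous = 0 is also the default on older Windows and neither value by itself proves infection.

```powershell
# Added example (not from the Sophos advisory): read-only hunt for the
# W32/Rbot-XJ indicators described above. Assumes an elevated prompt.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Indicator, [string]$Location, [string]$Value) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Location = $Location; Value = $Value })
}

# 1. The four autostart keys the worm writes PcSync = "PCsync.exe" into, plus
#    the OLE and Lsa keys under HKLM and HKCU it marks in the same way.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\OLE',
    'HKCU:\Software\Microsoft\OLE',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKCU:\SYSTEM\CurrentControlSet\Control\Lsa'
)
foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key
    if ($null -eq $props) { continue }              # key absent (normal for HKCU:\SYSTEM)
    $value = $props.PSObject.Properties['PcSync']   # value-name lookup is case-insensitive
    if ($null -ne $value) {
        Add-Finding 'Registry value PcSync' $key ([string]$value.Value)
    }
}

# 2. Settings the bot can toggle on command. Reported, not flagged: a permissive
#    RestrictAnonymous is only suspicious alongside the other indicators.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($null -ne $lsa) {
    $ra = $lsa.RestrictAnonymous
    $state = if ($null -eq $ra -or $ra -eq 0) { 'anonymous IPC$ access permitted' } else { 'restricted' }
    Add-Finding 'Lsa\RestrictAnonymous (informational)' 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' "$ra ($state)"
}
$ole = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\OLE'
if ($null -ne $ole) {
    Add-Finding 'OLE\EnableDCOM (informational)' 'HKLM:\Software\Microsoft\OLE' ([string]$ole.EnableDCOM)
}

# 3. The dropped file carries hidden + system attributes, so Get-Item needs -Force.
#    SysWOW64 is an assumption for 32-bit copies on 64-bit Windows.
$systemDirs = @([Environment]::SystemDirectory)
$wow64 = Join-Path $env:windir 'SysWOW64'
if (Test-Path $wow64) { $systemDirs += $wow64 }
foreach ($dir in $systemDirs) {
    $file = Get-Item -Path (Join-Path $dir 'PCsync.exe') -Force
    if ($null -ne $file) {
        Add-Finding 'File PCsync.exe' $file.FullName $file.Attributes.ToString()
    }
}

# 4. A running copy, if the autostart entries have already fired.
Get-Process -Name 'PCsync' | ForEach-Object {
    Add-Finding 'Running process PCsync' $_.Path "PID $($_.Id)"
}

# Report. Rows marked informational alone are not evidence of infection.
$suspicious = @($findings | Where-Object { $_.Indicator -notlike '*informational*' })
if ($suspicious.Count -eq 0) {
    Write-Output 'No W32/Rbot-XJ persistence, file or process indicators found.'
}
$findings | Format-Table -AutoSize
```

Run it on a suspect host before following the worm-removal instructions; the persistence rows tell you which keys to clean, and the file row confirms where the copy landed. The script does not remove anything, and a clean result from it does not rule out other Rbot variants, which use different file and value names.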
When installed, W32/Rbot-XJ connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:
Scan for remote computers to infect
Start an HTTP, an FTP, or a SOCKS4 server
Log any keystrokes made on an infected computer
Flood a remote computer using ICMP, SYN, UDP or TCP
Search for, upload, download, and execute files
Browse and attempt to modify any services installed on the computer
Participate in a distributed denial-of-service (DDoS) attack
List and terminate processes
Attempt to disable security software
Create and delete network shares
