Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | May 2005 (3.93) |
| Protection available since | 10 March 2005 21:35:13 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Change any data that may have become compromised.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Rbot-XN is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-XN connects to an IRC channel and listens for backdoor commands from a remote attacker. The worm may spread to network shares with weak passwords or by DCC.
W32/Rbot-XN contains backdoor functionality including the ability to do any of the following:
participate in denial-of-service attacks
exploit vulnerabilities
download files including updates
steal passwords
capture video images
provide a remote command shell
steal software registration keys
delete network shares
When first run, the worm copies itself to the Windows system folder as WINI.EXE and creates the following registry entries to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AdAware
wini.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
AdAware
wini.exe
The worm may create the following additional registry entry:
HKCU\Software\Microsoft\OLE
AdAware
wini.exe
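
A read-only check for the indicators listed above, as an added PowerShell example (not Sophos's own tooling): it looks for the `AdAware` value in the three registry keys and for `wini.exe` in the Windows system folder. The function name `Find-RbotXnIndicator` is hypothetical.

```powershell
# Added example: reports the W32/Rbot-XN autostart entries described on this page.
# Read-only: nothing is modified or deleted.

$ValueName = 'AdAware'    # registry value name given on the page
$FileName  = 'wini.exe'   # file name given on the page

$Keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\OLE'   # HKCU is the hive of the account running the script
)

function Find-RbotXnIndicator {
    $findings = @()
    foreach ($key in $Keys) {
        # RunServices and OLE may not exist on a clean system
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $prop = $props.PSObject.Properties[$ValueName]
        if ($null -eq $prop) { continue }
        $findings += [pscustomobject]@{
            Type        = 'RegistryValue'
            Location    = $key
            Name        = $ValueName
            Data        = [string]$prop.Value
            # A value named AdAware that does not point at wini.exe may be unrelated
            MatchesPage = ([string]$prop.Value -like "*$FileName*")
        }
    }
    # The page says the worm copies itself to the Windows system folder
    $path = Join-Path ([Environment]::SystemDirectory) $FileName
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $file = Get-Item -LiteralPath $path -Force   # -Force also returns hidden files
        $findings += [pscustomobject]@{
            Type        = 'File'
            Location    = $path
            Name        = $FileName
            Data        = "$($file.Length) bytes, written $($file.LastWriteTimeUtc.ToString('u'))"
            MatchesPage = $true
        }
    }
    return $findings
}

$result = Find-RbotXnIndicator
if ($result) { $result | Format-Table -AutoSize -Wrap }
else { 'No W32/Rbot-XN registry entries or wini.exe found.' }
```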
