W32/Rbot-ZV

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Close the registry editor.

W32/Rbot-ZV is a worm which attempts to spread to remote network shares. It also contains backdoor functionality, allowing unauthorised remote access to the infected computer via IRC channels.

W32/Rbot-ZV spreads to network shares with weak passwords and via network security exploits as a result of the backdoor element receiving the appropriate command from a remote user, copying itself with the filename MSUPDDRV.EXE.

W32/Rbot-ZV copies itself to the Windows system folder with a random 8-character filename and creates entries at the following locations in the registry with the value "Microsoft UpToDate Driver (32-bits)" so as to run itself on system startup, resetting these values every minute:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

W32/Rbot-ZV also sets the following registry entry with the same value to point
to itself:

HKCU\Software\Microsoft\OLE

W32/Rbot-ZV drops and runs the file C:\A.BAT in order to stop certain security-related services and change certain security-related registry entries. This file is detected as Troj/Batten-A.