Sophos

W32/Ritdoor-B

Aliases
  • Net-Worm.Win32.Mytob.db

Summary

How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Included in our products from December 2005 (4.00)
Protection available since 4 November 2005 21:44:53 (GMT)
Last updated 5 November 2005 11:38:40 (GMT)
Detected by All Sophos products

More Information

W32/Ritdoor-B is a worm and backdoor for the Windows platform.

W32/Ritdoor-B spreads to other network computers by exploiting well-known buffer overflow vulnerabilities, including the LSASS vulnerability (MS04-011) and the Plug and Play (PnP) vulnerability (MS05-039). Hosts that have not applied these patches are exposed to infection from any reachable compromised machine.

W32/Ritdoor-B runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.

W32/Ritdoor-B includes functionality to download, install and run new software.

When first run W32/Ritdoor-B copies itself to:

<Windows folder>\msdeff.exe
<Windows folder>\winlogon.exe

and creates the file <Windows folder>\mstempf.exe.

Note: the genuine winlogon.exe resides in <Windows folder>\System32. A winlogon.exe located directly in the Windows folder is the worm's copy, not the legitimate Windows logon process.

The following registry entry is created to run W32/Ritdoor-B on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RPCserr32g
<Windows folder>\winlogon.exe

W32/Ritdoor-B sets the following registry entry, which disables the automatic startup of the SharedAccess service (Start = 4 is SERVICE_DISABLED):

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF), called Windows Firewall from Windows XP SP2 onwards, so the infected host no longer filters inbound connections to the backdoor.

Registry entries are set as follows (DisableRegistryTools = 0 leaves the Registry Editor enabled rather than disabling it):

HKCU\Software\Microsoft\Internet Explorer
IEPfsgdc
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
DisableRegistryTools
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
DisableRegistryTools
0
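For offline triage, the following is an added example (written for this page, not code from Sophos or from the worm analysis) that checks a regedit export and a listing of the Windows folder for the indicators listed above: the RPCserr32g Run value, a winlogon.exe launched from outside System32, SharedAccess Start = 4, the IEPfsgdc value and the three dropped file names. The .reg fragment and the file listing are constructed samples; the parser handles only the quoted-string and dword value types those indicators need.

```python
import re
from typing import Dict, List, Union

RegValue = Union[str, int]
RegTree = Dict[str, Dict[str, RegValue]]

# Constructed sample: a fragment of a regedit export (.reg) from a hypothetical
# infected host. Not taken from the Sophos page; the entries mirror the ones the
# analysis lists, plus one benign Run entry for contrast.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"RPCserr32g"="C:\\WINDOWS\\winlogon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"IEPfsgdc"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
"DisableRegistryTools"=dword:00000000
"""

# Constructed sample: file names found directly in the Windows folder (not System32).
SAMPLE_WINDIR_LISTING = ["explorer.exe", "msdeff.exe", "mstempf.exe",
                         "winlogon.exe", "notepad.exe"]

# Indicators taken from the analysis above.
DROPPED_FILES = {"msdeff.exe", "mstempf.exe", "winlogon.exe"}
RUN_VALUE_NAME = "rpcserr32g"
MARKER_KEY = r"hkey_current_user\software\microsoft\internet explorer"
MARKER_VALUE = "iepfsgdc"
SHAREDACCESS_KEY = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
SERVICE_DISABLED = 4  # Start value meaning SERVICE_DISABLED

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(.+?)"=(.*)$')


def parse_reg_export(text: str) -> RegTree:
    """Parse the subset of the .reg format used here: [key] headers, quoted
    string values ("a"="b") and dword values ("a"=dword:00000004).
    Keys and value names are lower-cased because the registry is case-insensitive."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            tree.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = value_match.group(1), value_match.group(2)
            if data.startswith("dword:"):
                value = int(data[len("dword:"):], 16)
            else:
                # .reg files quote strings and double every backslash.
                value = data.strip('"').replace("\\\\", "\\")
            tree[current][name.lower()] = value
    return tree


def _is_windir_winlogon(path: str) -> bool:
    """True for a winlogon.exe not under System32 (or SysWOW64). The genuine
    binary lives in <Windows folder>\\System32, so any other placement is suspect."""
    parts = path.lower().replace("/", "\\").split("\\")
    return (len(parts) >= 2 and parts[-1] == "winlogon.exe"
            and parts[-2] not in ("system32", "syswow64"))


def check_registry(tree: RegTree) -> List[str]:
    """Return one finding string per registry indicator present in the tree."""
    findings: List[str] = []
    for key, values in tree.items():
        if key.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if name == RUN_VALUE_NAME:
                    findings.append(f"Run value '{name}' -> {data}")
                elif isinstance(data, str) and _is_windir_winlogon(data):
                    findings.append(f"Run value '{name}' starts winlogon.exe outside System32: {data}")
    if tree.get(SHAREDACCESS_KEY, {}).get("start") == SERVICE_DISABLED:
        findings.append("SharedAccess service disabled (Start=4): ICF/Windows Firewall will not start")
    if MARKER_VALUE in tree.get(MARKER_KEY, {}):
        findings.append("Value IEPfsgdc present under HKCU\\Software\\Microsoft\\Internet Explorer")
    return findings


def check_windir(listing: List[str]) -> List[str]:
    """Return one finding per dropped file name seen directly in the Windows folder."""
    present = sorted(DROPPED_FILES & {name.lower() for name in listing})
    return [f"dropped file in Windows folder: {name}" for name in present]


def scan(reg_text: str, windir_listing: List[str]) -> List[str]:
    return check_registry(parse_reg_export(reg_text)) + check_windir(windir_listing)


if __name__ == "__main__":
    for finding in scan(SAMPLE_REG_EXPORT, SAMPLE_WINDIR_LISTING):
        print("[!]", finding)
```

On a live host the same inputs come from `reg export` of the keys above and a directory listing of %WINDIR%; the winlogon.exe check deliberately keys on location rather than name, since the file name alone is identical to the legitimate binary.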
