W32/Rbot-ADJ

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Rbot-ADJ is a worm with IRC backdoor functionality for the Windows platform.

W32/Rbot-ADJ spreads to other network computers by exploiting common buffer overflow vulnerabilites, including: LSASS (MS04-011), RPC-DCOM (MS04-012), MSSQL (MS02-039) (CAN-2002-0649) and UPNP (MS01-059) and by copying itself to network shares protected by weak passwords.

The following patches for the operating system vulnerabilities exploited by W32/Rbot-ADJ can be obtained from the Microsoft website:

MS04-011
MS04-012
MS02-039
MS01-059

W32/Rbot-ADJ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Rbot-ADJ copies itself to <Windows system folder>\Ad-Aware.exe and creates the following registry entries to run Ad-Aware.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ad-Aware
Ad-Aware.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Ad-Aware
Ad-Aware.exe

W32/Rbot-ADJ may also set the following registry entry:

HKCU\Software\Microsoft\OLE
Ad-Aware
Ad-Aware.exe