W32/Rbot-AMR

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports

W32/Rbot-AMR is an internet worm and backdoor Trojan for the Windows platform.

W32/Rbot-AMR spreads to other network computers by exploiting common buffer overflow vulnerabilities, including RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007), and by copying itself to network shares.

W32/Rbot-AMR runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

The following patches for the operating system vulnerabilities exploited by W32/Rbot-AMR can be obtained from the Microsoft website:

- MS04-012
- MS05-039
- MS04-007

When first run, W32/Rbot-AMR copies itself to <System>\ms-dos.pif.

The following registry entries are created to run ms-dos.pif on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MS-DOS Security Service
ms-dos.pif

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS-DOS Security Service
ms-dos.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
MS-DOS Security Service
ms-dos.pif

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS-DOS Security Service
ms-dos.pif

W32/Rbot-AMR includes functionality to:

- execute arbitrary commands
- start an FTP server
- steal confidential information
- download, install and run new software, including updates of its software

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
MS-DOS Security Service
ms-dos.pif

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
MS-DOS Security Service
ms-dos.pif

HKCU\Software\Microsoft\OLE
MS-DOS Security Service
ms-dos.pif

HKLM\SOFTWARE\Microsoft\Ole
MS-DOS Security Service
ms-dos.pif
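As an added example that is not part of this write-up, the following Python scans an exported .reg file (such as one taken from a suspect host with `reg export`) for the persistence values listed above, flagging any value named MS-DOS Security Service or whose data points at ms-dos.pif. The sample export embedded in it is constructed, and the .reg text is assumed to have been decoded from UTF-16 to a Python string already.

```python
import re

# Indicators documented in the W32/Rbot-AMR write-up: the autostart value name
# and the dropped file it points to (<System>\ms-dos.pif).
IOC_VALUE_NAME = "MS-DOS Security Service"
IOC_PAYLOAD = "ms-dos.pif"

# Constructed sample .reg export (already decoded from UTF-16 to str); every
# key carries the worm's value, SecurityHealth is benign noise for contrast.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MS-DOS Security Service"="ms-dos.pif"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MS-DOS Security Service"="ms-dos.pif"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"MS-DOS Security Service"="ms-dos.pif"
"""
# Matches "name"="string data" lines; dword:/hex: values are skipped on purpose.
_STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"')

def _unescape(s):
    # Undo .reg escaping (doubled backslash, escaped quote) in one pass.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: string_data}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _STRING_VALUE.match(line)
            if m:
                entries[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return entries

def find_rbot_amr_persistence(text):
    """Return (key, name, data) for every value whose name or data matches the IOCs."""
    hits = []
    for key, values in parse_reg_export(text).items():
        for name, data in values.items():
            if name.lower() == IOC_VALUE_NAME.lower() or IOC_PAYLOAD in data.lower():
                hits.append((key, name, data))
    return hits
```

Any hit should be confirmed against the dropped file itself (the write-up's <System>\ms-dos.pif) before the value and file are removed; the value name rather than the key is the stronger indicator, since the write-up lists the same name under Run, RunServices, Lsa and OLE keys.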