Category: Viruses and Spyware
Type: Win32 executable file virus
Prevalence: Small Number of Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Rbot-ATC is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-ATC spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012) and WKS (MS03-049) (CAN-2003-0812) and by copying itself to network shares protected by weak passwords.

W32/Rbot-ATC runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Rbot-ATC includes functionality to:

- carry out DDoS flooder attacks
- silently download, install and run new software, including updates of its software

When first run W32/Rbot-ATC copies itself to <System>\MSAOL32dll.exe.

The following registry entries are created to run MSAOL32dll.exe on startup:

AOL Instant Messenger dll runtime

AOL Instant Messenger dll runtime

AOL Instant Messenger dll runtime

The following patches for the operating system vulnerabilities exploited by W32/Rbot-ATC can be obtained from the Microsoft website:

<a href= "http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx" target="_blank">MS04-011</a>
<a href= "http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx" target="_blank">MS04-012</a>
<a href= "http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx" target="_blank">MS03-049</a>