W32/Rbot-AWW

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Rbot-AWW is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AWW runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Rbot-AWW spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including LSASS, WebDAV, PNP and UPNP) and using backdoors opened by other worms or Trojans.

W32/Rbot-AWW can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-AWW can be instructed by a remote user to perform the following functions:

get user information for certain game-related applications
start an FTP server
take part in distributed denial of service (DDoS) attacks
capture screen/webcam images
sniff network packets
scan ports
download/execute arbitrary files
start a remote shell (RLOGIN)

When W32/Rbot-AWW is installed it creates the file <System>\svkp.sys.

The file SVKP.sys is registered as a new system driver service named "SVKP", with a display name of "SVKP" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\SVKP\

When first run W32/Rbot-AWW copies itself to <System>\VSSMON.exe.

The following registry entries are created to run VSSMON.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SYSTEM = VSSMON.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService
SYSTEM = VSSMON.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SYSTEM = VSSMON.exe

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM = N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = 1
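Added detection example, not part of this write-up: a Python triage script that parses a regedit .reg export taken from a suspect host and flags the persistence artifacts listed above. The sample export is constructed, and the caller is assumed to have decoded the exported file from UTF-16 to text before passing it in.

```python
# Registry artifacts taken from the W32/Rbot-AWW description above (full hive names as regedit exports them).
SERVICE_KEY = r"hkey_local_machine\system\currentcontrolset\services\svkp"
OLE_KEY = r"hkey_local_machine\software\microsoft\ole"
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"

def _decode(data):
    """Decode a .reg data field: quoted string or dword; anything else stays raw."""
    if data.startswith('"'):
        return data[1:-1].replace("\\\\", "\\")
    return int(data[6:], 16) if data.lower().startswith("dword:") else data

def parse_reg_export(text):
    """Parse a regedit .reg export into {key: {value_name: data}}, all names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):        # [HKEY_LOCAL_MACHINE\...]
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and line.startswith('"'):    # "SYSTEM"="VSSMON.exe"
            name, _, data = line.partition('"=')
            current[name.lstrip('"').lower()] = _decode(data)
    return keys

def find_rbot_aww_indicators(text):
    """Return (severity, detail) pairs for the persistence artifacts listed above."""
    reg, hits = parse_reg_export(text), []
    for key, values in reg.items():  # HKLM and HKCU Run plus HKLM RunService
        if key.endswith(("\\currentversion\\run", "\\currentversion\\runservice")):
            data = values.get("system")
            if data is not None and "vssmon.exe" in str(data).lower():
                hits.append(("high", key + "\\SYSTEM = " + str(data)))
    if SERVICE_KEY in reg:
        hits.append(("high", "driver service SVKP registered (loads svkp.sys)"))
    # EnableDCOM=N and restrictanonymous=1 are legitimate hardening on their own: low severity.
    if str(reg.get(OLE_KEY, {}).get("enabledcom", "")).upper() == "N":
        hits.append(("low", "EnableDCOM = N"))
    if reg.get(LSA_KEY, {}).get("restrictanonymous") == 1:
        hits.append(("low", "restrictanonymous = 1"))
    return hits

# Constructed .reg export of an infected host, mirroring the entries listed above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SYSTEM"="VSSMON.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVKP]
"DisplayName"="SVKP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""
```

On a host under investigation, `reg export` of the three hives above into a file and a call to `find_rbot_aww_indicators` on its decoded contents gives the same result; the two "low" hits alone are not evidence of infection.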