W32/Rbot-MC

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Rbot-MC's backdoor functionality may allow a remote intruder to:

- Access webcam
- Capture screeenshot
- Steal CD keys related to various softwares
- Capture Windows login information on Windows NT/2000
- Access files on Host computer
- Send Email messages to other host
- Download/Upload/Execute files on host
- Run Keylogger
- Sniff network traffic and carry out DDOS on target

W32/Rbot-MC copies itself to the Windows system folder as firewallsp2.exe and creates entries in the registry at the following locations to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Firewall: "firewallsp2.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Firewall: "firewallsp2.exe"

When triggered, W32/Rbot-MC tries to set the following registry entry to disable DCOM:

HKLM\Software\Microsoft\OLE\EnableDCOM = "N"

W32/Rbot-MC tries to set the following registry entry to restrict access to the IPC$ share on the infected computer:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"