W32/Rbot-VI

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Rbot-VI is a worm with backdoor Trojan functionality.

W32/Rbot-VI is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command.

W32/Rbot-VI will attempt to spread by exploiting the following vulnerabilities:

DCOM (MS04-012)
LSASS (MS04-011)
Workstation Service (MS03-049)
Backdoors left open by other worms and Trojans such as W32/MyDoom,
W32/Bagle, Troj/Kuang and Troj/NetDevil.

When first run, W32/Rbot-VI copies itself to the Windows system folder as MSAPPS.EXE and runs this copy of the worm. The copy will then attempt to delete the original file. In order to run each time a user logs in, W32/Rbot-VI will set the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft SpA Service
msapps.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft SpA Service
msapps.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft SpA Service
msapps.exe

The worm runs continuously in the background providing backdoor access to the infected computer over IRC channels.

W32/Rbot-VI can alter the following registry entries in order to enable/disable DCOM and open/close restrictions on IPC$ shares:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous

W32/Rbot-VI can add and delete network shares and users on the infected computer.