Sophos

W32/RBot-A

Aliases
  • Backdoor.Agobot.gy
  • W32.Randex.gen
  • BKDR_SDBOT.GEN

Summary

Included in our products from May 2004 (3.81)
Protection available since 24 March 2004 10:02:15 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

Change any data that may have become compromised.

Delete the log file \debug.txt if it exists.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = wuamgrd.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Update = wuamgrd.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = wuamgrd.exe

and delete them if they exist.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = wuamgrd.exe

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Update = wuamgrd.exe

and delete them if they exist.

Close the registry editor and reboot your computer.
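As an added example (not part of the Sophos advisory), the following Python script scans the text of a Regedit "Export Registry File" dump, such as the backup taken above, for the Run, RunOnce and RunServices values the worm creates in both the HKLM and per-user HKU hives, so the entries can be confirmed before they are deleted by hand. The .reg content below is a constructed sample, including a placeholder user SID, not a real capture.

```python
import re

# Autorun keys and the value the advisory says W32/RBot-A writes under them.
RUN_KEYS = {"run", "runonce", "runservices"}
VALUE_NAME = "microsoft update"
FILE_NAME = "wuamgrd.exe"

# Constructed sample of a Regedit "Export Registry File" dump (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SysTray"="SysTray.Exe"
"Microsoft Update"="wuamgrd.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update"="wuamgrd.exe"

[HKEY_USERS\S-1-5-21-0000000000-0000000000-0000000000-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Update"="wuamgrd.exe"

[HKEY_USERS\S-1-5-21-0000000000-0000000000-0000000000-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="C:\\WINDOWS\\system32\\wuamgrd.exe"
"""

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def find_rbot_autoruns(reg_text):
    """Return (key, value_name, data) for each autorun value matching the advisory."""
    hits = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # start of a new registry key section
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        # .reg exports double the backslashes inside string data; undo that.
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        parent, _, leaf = key.rpartition("\\")
        # Only Run/RunOnce/RunServices directly under ...\Windows\CurrentVersion count.
        if leaf.lower() not in RUN_KEYS or not parent.lower().endswith(
                r"\microsoft\windows\currentversion"):
            continue
        basename = data.rpartition("\\")[2].lower()
        if name.lower() == VALUE_NAME or basename == FILE_NAME:
            hits.append((key, name, data))
    return hits
```

Call find_rbot_autoruns() on the contents of your own exported .reg file; each hit names a key whose "Microsoft Update" value should be removed as described above.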

More Information

W32/RBot-A is a worm with a backdoor component that spreads on weakly protected network shares on the Windows platform. The worm spreads by scanning random IP addresses for open SMB ports (445) and trying to copy itself to the Windows system folder on the remote Admin$ and C$ shares as the file wuamgrd.exe.

W32/RBot-A uses an internal dictionary of common passwords to gain access. The worm attempts to schedule the copied file for later execution on the remote machine.

W32/RBot-A also has a backdoor component that allows a malicious user remote access to an infected computer. When run the worm attempts to contact a remote IRC server and join a specific channel to listen for commands.

Besides the capability to spread, W32/RBot-A also allows the remote user to set up a proxy server, start an HTTP server on a user-specified port, collect system information, add or delete shares and users, kill processes, download and execute files, send email, remotely control a connected web cam, sniff network traffic or launch a denial-of-service attack against a user-specified target.

In order to run automatically when Windows starts up, W32/RBot-A copies itself to the file wuamgrd.exe in the Windows system folder and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = wuamgrd.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Update = wuamgrd.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = wuamgrd.exe

HKU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = wuamgrd.exe

HKU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Update = wuamgrd.exe

The worm also creates the log file \debug.txt.
