W32/Rbot-NY

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Network shares
Affected operating systems	Windows
Included in our products from	December 2004 (3.88)
Protection available since	26 October 2004 17:15:38 (GMT)
Last updated	27 October 2004 13:49:22 (GMT)
Detected by	All Sophos products

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/Rbot-NY is a network worm and IRC backdoor Trojan for the Windows platform.

When first run W32/Rbot-NY copies itself to the Windows system folder as crsss64.exe and creates the following registry entries to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
CRC Value Verifier = "crsss64.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
CRC Value Verifier = "crsss64.exe"

HKCU\Software\Microsoft\OLE\
CRC Value Verifier = "crsss64.exe"

W32/Rbot-NY spreads through various operating system vulnerabilities and through network shares protected by weak passwords.

The backdoor component allows an attacker to control the infected computer and offers functions such as:

Keystroke logging
Distributed denial of service attacks
Packet sniffing
Remote login
Video capture
File transfer
Proxy server

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Rbot-NY

Summary

Action

More Information