WORM_RBOT.ASG
Overview

Malware type: Worm

Aliases: Backdoor.Win32.Rbot.gen (Kaspersky), W32/Sdbot.worm.gen (McAfee), W32.Spybot.Worm (Symantec), Worm/Rbot.98816.4 (Avira), W32/Rbot-Gen (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This memory-resident worm propagates by dropping copies of itself to certain network shares. It may use a list of user names and passwords to gain access to target machines:

It also takes advantage of the capabilities of certain malware variants, as well as the following Windows vulnerabilities to propagate across networks:

  • Buffer Overflow in SQL Server 2000 vulnerability
  • IIS/WebDAV vulnerability
  • RPC/DCOM vulnerability
  • LSASS vulnerability

More information about these vulnerabilities can be found on the following Microsoft pages:

This worm also has backdoor capabilities, and may execute commands coming from a remote malicious user. It also steals the Windows Product ID, as well as the CD keys of certain applications.

For additional information about this threat, see:
Solution
Technical Details

Description created: Mar. 4, 2005 1:57:07 PM GMT -0800
