Malware type: Worm

Aliases: Backdoor.Win32.Rbot.pb (Kaspersky), W32/Sdbot.worm.gen.by (McAfee), W32.Spybot.Worm (Symantec), Worm/Rbot.PB.12 (Avira), Mal/IRCBot-B (Sophos), Backdoor:Win32/Rbot (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Description: 

This worm arrives through network shares. Upon execution, it drops a copy of itself in the Windows system folder. It modifies the registry to ensure its automatic execution at every Windows startup.

It propagates through network shares. It gathers cached user names and passwords in a system. It also uses a list of user names and passwords. It drops a copy of itself into several shares. For shares with restricted access, it uses the gathered user names and passwords, or the list of user names and passwords.

It also exploits the following vulnerabilities to propagate:

• Buffer Overflow in SQL Server 2000 vulnerability
• RPCSS vulnerabilty
• ASN.1 vulnerability
• Windows LSASS vulnerability

More information can be found on the following pages:

• Microsoft Security Bulletin MS02-061
• Microsoft Security Bulletin MS03-039
• Microsoft Security Bulletin MS04-007
• Microsoft Security Bulletin MS04-011

It has backdoor capabilities. It acts as an Internet Relay Chat (IRC) bot that connects to a certain IRC server. It joins a channel upon connection and listens for commands coming from a remote user. It executes these commands on the affected machine.

It performs denial of service attacks and steals the CD keys of several games.

For additional information about this threat, see:
Solution
Technical Details

Description created: Jun. 3, 2005 1:50:40 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.