Malware type: Worm

Aliases: Backdoor.Win32.Rbot.gen (Kaspersky), W32/Sdbot.worm.gen.x (McAfee), W32.Spybot.Worm (Symantec), Worm/Rbot.CY (Avira), W32/Rbot-FL (Sophos),

In the wild: No

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Description: 

This worm takes advantage of the following Windows vulnerabilities to propagate across networks:

• Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
• Buffer Overflow in SQL Server 2000 vulnerability
• IIS5/WEBDAV buffer overrun vulnerability
• LSASS vulnerability

For more information about these vulnerabilities, please refer to the following Microsoft pages:

• Microsoft Security Bulletin MS03-026
• Microsoft Security Bulletin MS02-061
• Microsoft Security Bulletin MS03-007
• Microsoft Security Bulletin MS04-011

It spreads via network shares using NetBEUI functions to get available lists of user names and passwords. It then drops a copy of itself on accessed shared folders.

Apart from the gathered user names and passwords, it may also use a list of weak user names and passwords hardcoded in its body in order to gain access on target machines.

It has backdoor capabilities, and may execute commands coming from a remote malicious user. It also steals CD keys of certain game applications.

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

For additional information about this threat, see:
Solution
Technical Details

Description created: Sep. 18, 2004 4:09:54 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.