Malware type: Worm

Aliases: Backdoor.Win32.Rbot.aeu (Kaspersky), W32/Sdbot.worm.gen.ac (McAfee), W32.Spybot.Worm (Symantec), TR/Downloader.Gen (Avira), W32/Rbot-AQL (Sophos), Backdoor:Win32/Rbot (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Description: 

This memory-resident worm propagates through network shares by dropping a copy of itself into specific shared folders. If these folders are password-protected, this worm uses a list of user names and passwords to gain access.

It also takes advantage of several vulnerabilities to propagate. For more information, please refer to the following Web pages:

• Microsoft Security Bulletin MS01-059
• Microsoft Security Bulletin MS03-007
• Microsoft Security Bulletin MS03-026
• Microsoft Security Bulletin MS03-039
• Microsoft Security Bulletin MS04-007
• Microsoft Security Bulletin MS04-011
• DameWare Remote Control Service Stack Overflow Exploit
• Veritas Backup Exec Name Service Remote Buffer Overflow Vulnerability

This worm has backdoor capabilities. It opens random ports to connect to an Internet Relay Chat (IRC) server and joins a specific IRC channel. Once connected, it acts as a backdoor that allows a remote malicious user to issue commands locally on an affected machine, which, in turn, effectively compromises the system' security

Part of this worm's backdoor capabilities are information theft and process termination. It steals the CD keys of several popular games if they are installed on the affected system. It also terminates processes, most of which are related to antivirus and security applications. Terminating the said processes further render the affected system vulnerable to this worm's malicious routines.

For additional information about this threat, see:
Solution
Technical Details

Description created: Oct. 7, 2005 6:10:21 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.