Virus Alert: W32/Rbot-T

W32/Rbot-T is a worm that spreads through system shares or folders. The worm also contains a Trojan component that allows unauthorized remote access to infected computers via IRC channels.

Aliases: Backdoor.Rbot.gen, W32/Sdbot.worm.gen.h

Date appeared: 5/27/2004

Description:

- W32/Rbot-T copies itself into the system directory under the name NAVSCAN64.EXE. So that it runs automatically when the system boots, the worm creates a value under the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

- W32/Rbot-T can also set the following registry values:

HKLM\SOFTWARE\Microsoft\Ole EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa restrictanonymous = "1"

- W32/Rbot-T will probably delete the default shares C$, D$, E$, IPC$ and ADMIN$ on the infected machine.

- W32/Rbot-T can also log keystrokes and save them to a file named DEBUG.TXT in the Windows directory.
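
An added example, not part of the original alert: a Python triage over saved `reg query` text output that flags the registry indicators listed above. The sample output and its value names are constructed; only the NAVSCAN64.EXE autorun is rated strong, because EnableDCOM = "N" and restrictanonymous = "1" are also set deliberately when hardening a host.

```python
import re
# Indicators from the alert. Only the NAVSCAN64.EXE autorun is rated strong;
# the Ole/Lsa values are also set by administrators when hardening a host.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
SUPPORTING = {
    (r"hkey_local_machine\software\microsoft\ole", "enabledcom"): "n",
    (r"hkey_local_machine\system\currentcontrolset\control\lsa", "restrictanonymous"): "1",
}
VALUE_RE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(3).strip()

def normalise(data):
    """Lower-case the data; turn REG_DWORD text such as 0x1 into '1'."""
    d = data.lower()
    return str(int(d, 16)) if re.fullmatch(r"0x[0-9a-f]+", d) else d

def triage(text):
    """Return (strength, key, value_name, data) for each indicator hit."""
    hits = []
    for key, name, data in parse_reg_query(text):
        k = key.lower()
        if k in RUN_KEYS and "navscan64.exe" in data.lower():
            hits.append(("strong", key, name, data))
        elif SUPPORTING.get((k, name.lower())) == normalise(data):
            hits.append(("supporting", key, name, data))
    return hits

# Constructed sample of saved `reg query` output (value names are made up).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    C:\Program Files\Vendor\update.exe
    Example Entry    REG_SZ    NAVSCAN64.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    EnableDCOM    REG_SZ    N
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous    REG_DWORD    0x0
"""
```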