Virus Information

| Profile | Prevalence: Low |
| Name | W32/Rbot-AMA |
| Type | Worm |
| How it spreads | Network shares |
| Affected operating systems | Windows |
| Aliases | Backdoor.Win32.Rbot.aam |
| Date of surface | 30 August 2005 |
Description
This is a worm and IRC backdoor Trojan for the Windows platform. It spreads to other computers on the network by exploiting common buffer overflow vulnerabilities, including:
- RPC-DCOM (MS04-012)
- Plug and Play (MS05-039)
- ASN.1 (MS04-007)
W32/Rbot-AMA runs continuously in the background, providing a backdoor server that lets a remote intruder gain access to and control over the computer through IRC channels.
W32/Rbot-AMA includes functionality to:
- carry out DDoS flooding attacks
- silently download, install and run new software
- access the Internet and communicate with a remote server over HTTP
The vulnerabilities exploited by W32/Rbot-AMA are covered by the following Microsoft security bulletins; the patches can be obtained from the Microsoft website:
- MS04-012
- MS05-039
- MS04-007
Recovery
You have to remove the worm. Do one of the following:
1) The latest virus vaccine update of eScan removes the worm from your system. Make sure your system has Internet access, right-click the eScan icon and click Download eScan update. The latest updates are downloaded, your system is scanned and the worm is removed.
OR
2) Download the free MicroWorld Anti Virus Toolkit (MWAV Tool Kit). The tool checks your machine for viruses and also detects any illegal dialers or sniffer tools that have been installed.
MWAV Tool Kit (the free MicroWorld Anti Virus Toolkit detects viruses in the system registry and in running processes)
eScan Internet Security Suite (ISS) (MicroWorld's eScan detects viruses in the system registry and in running processes, and includes a real-time monitor)
Advanced
When first run, W32/Rbot-AMA copies itself to <System>\updates.pif, where <System> is the Windows system folder.
Registry entries are set as follows: under each of the keys below a value named "System Updates Service" is created with the data "updates.pif".
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
HKCU\Software\Microsoft\OLE
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Ole
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
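The following PowerShell script is an added example, not part of the original write-up and not one of MicroWorld's tools. It audits a Windows host for the artefacts listed in this section (the "System Updates Service" value under each key above and the dropped updates.pif) and for the three Microsoft patches named in the Description. Assumptions that are not stated on the page: the Windows system folder is taken to be %SystemRoot%\System32, and the mapping from bulletin IDs to KB article numbers (MS04-007 = KB828028, MS04-012 = KB828741, MS05-039 = KB899588) is the example's own.

```powershell
<#
  Added example (not from the original write-up or eScan): audit a host
  for the W32/Rbot-AMA indicators listed above and for the Microsoft
  patches the worm relies on being absent. Read-only unless -Remove is
  given. The bulletin-to-KB mapping is this example's own assumption;
  the page lists only the bulletin IDs.
#>
[CmdletBinding()]
param([switch]$Remove)

$ValueName = 'System Updates Service'
$FileName  = 'updates.pif'
# Assumed location of the "System" folder from the write-up.
$Dropped   = Join-Path $env:SystemRoot "System32\$FileName"

# Keys from the write-up. HKCU is the current user's hive only; on a
# shared machine run this for every user profile that has logged on.
$Keys = @(
    'HKCU:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKCU:\Software\Microsoft\OLE',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Ole',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
)

# Bulletin -> KB article (assumed mapping, see header comment).
$Patches = [ordered]@{
    'MS04-007' = 'KB828028'   # ASN.1 library
    'MS04-012' = 'KB828741'   # RPC/DCOM
    'MS05-039' = 'KB899588'   # Plug and Play
}

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# 1. Persistence values. The Run/RunServices entries restart the worm at
#    logon; the Ole and Lsa entries are not autostart locations but are
#    still indicators, so they are reported and removed as well.
foreach ($Key in $Keys) {
    if (-not (Test-Path -Path $Key)) { continue }
    $Data = (Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $Data) { continue }
    if ($Data -like "*$FileName*") {
        Add-Finding 'Registry' "$Key\$ValueName" $Data
        if ($Remove) { Remove-ItemProperty -Path $Key -Name $ValueName -Force }
    } else {
        # Same value name, different data: report for a manual look, do not auto-remove.
        Add-Finding 'Registry?' "$Key\$ValueName" $Data
    }
}

# 2. The dropped copy. Stop any process running from that path before
#    deleting it; otherwise the delete fails and the Run values come back.
if (Test-Path -Path $Dropped -PathType Leaf) {
    $Detail = 'present'
    if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
        $Detail = 'SHA256 ' + (Get-FileHash -Path $Dropped -Algorithm SHA256).Hash
    }
    Add-Finding 'File' $Dropped $Detail
    if ($Remove) {
        Get-Process | Where-Object { $_.Path -eq $Dropped } | Stop-Process -Force
        Remove-Item -Path $Dropped -Force
    }
}

# 3. Patch state. Get-HotFix reads Win32_QuickFixEngineering, which does
#    not list fixes rolled into a later service pack, so "missing" here
#    means "verify", not "definitely unpatched".
$Installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
foreach ($Bulletin in $Patches.Keys) {
    if ($Installed -notcontains $Patches[$Bulletin]) {
        Add-Finding 'Patch' $Bulletin "$($Patches[$Bulletin]) not reported by Get-HotFix"
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No W32/Rbot-AMA indicators found.'
} else {
    $Findings | Format-Table -AutoSize
}
```

Run it from an elevated Windows PowerShell prompt, first without switches to see what it finds and then with -Remove to clean up. Two caveats a practitioner should keep in mind: because the worm spreads over the network through unpatched services, a cleaned host should stay disconnected until the three bulletins are confirmed installed, and because the backdoor lets a remote operator install arbitrary software, a host that shows these indicators should be treated as fully compromised (rebuild it and rotate any credentials used on it) rather than merely cleaned.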