5/11: Rbot-ACH Worm Spreads Via Shares

May 11, 2005

W32/Rbot-ACH is a Windows network worm that attempts to spread via network shares. The worm contains backdoor functions that allow unauthorized remote access to the infected computer via IRC channels while it runs in the background.

The worm spreads to network shares with weak passwords and also by using the following operating system vulnerabilities:

LSASS (MS04-011)
RPC-DCOM (MS04-012)
WebDav (MS03-007)
IIS5SSL (MS04-011) (CAN-2003-0719)
MSSQL (MS02-039) (CAN-2002-0649)
UPNP (MS01-059)
Dameware (CAN-2003-1030)

The worm may also spread via backdoors left open by other Trojans and worms.

The following patches for the operating system vulnerabilities exploited by W32/Rbot-ACH can be obtained from the Microsoft website:


More information can be found at the Sophos page.
