The Web    Google
6/28: Rbot-CA Allows Remote Access

6/28: Rbot-CA Allows Remote Access
June 28, 2004

W32/Rbot-CA is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorized remote access to the infected computer via IRC channels while running in the background as a service process. W32/Rbot-CA spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Rbot-CA moves itself to the Windows system folder as a randomly named read-only, hidden, system EXE file and creates entries in the registry at the following locations to run on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Microsoft Updating =
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ Microsoft Updating =
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ Microsoft Updating =

More information is atSophos page.

  • 2/3: Rbot-SQ Worm Has Backdoor Abilities
  • Wi-Fi Planet Toronto: Security Taking Hold
  • FTC: Identity Theft, Fraud on the Rise
  • It's Time to Talk Mobile Phone Security
  • 5/2: Oscarbot Virus Spreads a Hyperlink
  • New nCipher Product Targets Online Payment Card Fraud
  • Microsoft to Strike IE URL Passwords
  • 3/7: Kelvir-B an Instant Messaging Worm
  • 4/15: Sdbot-XC Worm Targets Passwords
  • 1/12: Bobax-D Worm Exploits LSASS Flaw
  • Vericept Adds Fraud, Identity Theft Protection
  • Compare Security Camera Products