32/Rbot-ZZZ is a worm with backdoor functionality for the Windows platform.
W32/Rbot-ZZZ spreads to other network computers by exploiting common buffer overflow vulnerabilities, including:
LSASS (MS04-011)
RPC-DCOM (MS04-012)
WKS (MS03-049) (CAN-2003-0812)
WebDav (MS03-007)
IIS5SSL (ms04-011) (CAN-2003-0719)
Veritas (CAN-2004-1172)
WINS (MS04-045)
PNP (MS05-039)
IMAIL Server
ASN.1 (MS04-007)
RealVNC (CVE-2006-2369)
W32/Rbot-ZZZ can be instructed to perform the following functions:
start an FTP server
start a Proxy server
start a web server
start an IRC daemon
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
steal product registration information from certain software
turn off security software such as anti-virus or firewall
The worm may also spread via networks shares protected by weak passwords.
When first run W32/Rbot-ZZZ copies itself to
\.exe and creates the following registry entries to run the worm on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows LOL Layer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows LOL Layer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows LOL Layer
W32/Rbot-ZZZ sets the following registry entries in order to secure the infected computer against further exploits:
HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous
1