Virus information: W32/Rbot-ALN
This section is for technical experts who want to know more.
W32/Rbot-ALN is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-ALN spreads:
- to other network computers infected with W32/MyDoom
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012) and WKS (MS03-049) (CAN-2003-0812)
- by copying itself to network shares protected by weak passwords
The following patches for the operating system vulnerabilities exploited by W32/Rbot-ALN can be obtained from the Microsoft website:
MS03-049
MS04-011
MS04-012
When first run W32/Rbot-ALN copies itself to <System>\Smoked.exe and creates the file <Temp>\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe.
The following registry entries are created to run Smoked.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MicroedSoft Toolbar
Smoked.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Smoked.exe
The following registry entry is set:
HKCU\Software\Microsoft\OLE
MicroedSoft Toolbar
Smoked.exe
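As an added detection example (not part of the original description), the following PowerShell script checks a host for the persistence entries and dropped files listed above. It assumes <System> is %SystemRoot%\System32 and <Temp> is the current user's %TEMP%, and, because the page does not give the value name under RunServices, it flags any value in the listed keys whose data names Smoked.exe.

```powershell
# Added example: look for the W32/Rbot-ALN artifacts named in the description.
# Run from an elevated prompt; HKCU is only checked for the user running the script.

$fileName = 'Smoked.exe'
$tempName = 'C27D8FEF-D7AE-42c0-82E6-F30598265639.exe'   # dropped file name from the page

# Registry keys listed in the description ('MicroedSoft Toolbar' is the value name it gives).
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\OLE'
)

$findings = @()

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath etc.
        $data = "$($p.Value)"
        if ($p.Name -eq 'MicroedSoft Toolbar' -or $data -match [regex]::Escape($fileName)) {
            $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\$($p.Name)"; Data = $data }
        }
    }
}

# File artifacts: <System>\Smoked.exe and the GUID-named file in <Temp> (assumed locations).
$paths = @(
    (Join-Path $env:SystemRoot "System32\$fileName"),
    (Join-Path $env:TEMP $tempName)
)
foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Data = "SHA256=$hash" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Rbot-ALN artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on a file path alone is not confirmation; submit the hashed file to your AV vendor and check the other hosts the worm's network spreading could have reached.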
W32/Rbot-ALN runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Rbot-ALN can be instructed to:
- Scan for remote computers to spread to
- Act as an HTTP or an FTP proxy server
- Log any keystrokes made on an infected computer
- Steal product keys
- Upload, download, search for, and execute files
- Participate in distributed denial-of-service (DDoS) attacks
- Create, delete, start, and stop services