This worm spreads via the Internet using MSN Messenger. It is written in Visual Basic and is approximately 160KB in size. The worm contains a backdoor program, Backdoor.Win32.Rbot.fy, which it extracts from itself and launches on the victim machine.
Installation
Once launched, the worm copies itself to the root directory (as a rule, C:\) under one of the following names:
Drunk_lol.pif
love_me.pif
naked_party.pif
sexy_bedroom.pif
Webcam_004.pif
The worm also creates a file in the Windows system directory which will have one of the names from the list below:
%System%\adaware.exe
%System%\lexplore.exe
%System%\VB6.EXE
%System%\Win32.exe
This file contains the backdoor program.
The worm then registers this file in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\Software\Microsoft\OLE]
"lexplore" = "lexplore.exe"

Propagation via MSN
When launched, the worm accesses the MSN Messenger contact list and sends itself to all contacts under one of the following names:
Drunk_lol.pif
love_me.pif
naked_party.pif
sexy_bedroom.pif
Webcam_004.pif

Payload
The worm will prevent the following files from being executed:
cmd.exe taskmgr.exe
The worm will also prevent the user from accessing context menu functions via the right mouse button.
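
A host-triage check built from the indicators listed in this description (an added example, not part of the original write-up): it scans a file listing and a set of autorun entries for the worm's file names and its registry registration. The inventory format, the function and kind names, and the sample data are constructed; matching autorun data against all four backdoor file names (the description shows only lexplore.exe) is an assumption.

```python
import ntpath

# Indicators taken from the description above (compared case-insensitively).
PIF_NAMES = {"drunk_lol.pif", "love_me.pif", "naked_party.pif",
             "sexy_bedroom.pif", "webcam_004.pif"}
BACKDOOR_NAMES = {"adaware.exe", "lexplore.exe", "vb6.exe", "win32.exe"}
AUTORUN_KEYS = {r"hklm\software\microsoft\windows\currentversion\run",
                r"hklm\software\microsoft\windows\currentversion\runservices",
                r"hkcu\software\microsoft\ole"}

def scan(files, autoruns, system_dir=r"C:\Windows\System32"):
    """files: absolute Windows paths; autoruns: (key, value_name, data) tuples.
    Returns a list of (kind, detail) findings in input order."""
    findings = []
    sysdir = ntpath.normcase(ntpath.normpath(system_dir))
    for path in files:
        folder, name = ntpath.split(ntpath.normcase(ntpath.normpath(path)))
        in_root = ntpath.splitdrive(folder)[1] == "\\"
        if name in PIF_NAMES:
            # Drive root matches the worm's own copy; the same name anywhere
            # else (for example a received transfer) is reported separately.
            findings.append(("worm_copy" if in_root else "received_pif", path))
        elif name in BACKDOOR_NAMES and folder == sysdir:
            # Only the system directory counts, so same-named files in other
            # folders are not flagged.
            findings.append(("backdoor_file", path))
    for key, value, data in autoruns:
        target = ntpath.basename(data.strip('"')).lower()
        # Assumption: the value data names whichever of the four files was dropped.
        if key.strip("[]").lower() in AUTORUN_KEYS and target in BACKDOOR_NAMES:
            findings.append(("autorun", f"{key}\\{value} = {data}"))
    return findings

# Constructed sample inventory (not real telemetry).
SAMPLE_FILES = [r"C:\naked_party.pif",
                r"C:\Users\bob\Downloads\love_me.pif",
                r"C:\Windows\System32\VB6.EXE",
                r"C:\Program Files\Lavasoft\adaware.exe",
                r"C:\Windows\System32\cmd.exe"]
SAMPLE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "lexplore", "lexplore.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\Windows\System32\ctfmon.exe"),
]

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_FILES, SAMPLE_AUTORUNS):
        print(f"{kind:14} {detail}")
```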
