
W32/Rbot-XB.....HELP!



#1 OFFENBARK

  • Members
  • 1 posts

Posted 05 June 2005 - 11:18 PM

For the past 2 months my PC has had an unwelcome/un-removable 'guest'. I've tried everything: PC repair shops, a new hard drive, Norton Internet Security, but nothing so far has totally solved the problem. I now have a new install of Windows XP SP2 with every unessential service disabled, a new IP address with a new ISP username and password, all of which is sort of keeping him out, but he is still trying to log on and change my password about 3 times a day. I have yet to install any software, and being a music buff I know that Windows doesn't come with ASIO drivers that run from startup and access the internet, so I can only assume that my 'CTHELPER.EXE' is really W32/Rbot-XB. I have all the symptoms, and it used to turn on my file sharer overnight. Long story short, the Norton site doesn't even list it, so how can I clean my system before my password is cracked? Ta....PB



#2 stidyup

  • Members
  • 641 posts
  • Gender:Male

Posted 06 June 2005 - 05:59 AM

Sophos W32/Rbot-XB

W32/Rbot-XB is a network worm with backdoor functionality for the Windows platform.

W32/Rbot-XB spreads to weakly protected network shares and to computers vulnerable to the LSASS, RPC-DCOM, and IIS5SSL exploits.

For more information about these vulnerabilities see MS04-011 (for both the LSASS and IIS5SSL exploits) and MS04-012 (for the RPC-DCOM exploit).

Once executed, W32/Rbot-XB copies itself to the Windows system folder with the filename cthelper.exe and, in order to be able to run automatically when Windows starts up, sets the registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
CTHelper
cthelper.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
CTHelper
cthelper.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
CTHelper
cthelper.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
CTHelper
cthelper.exe

W32/Rbot-XB also sets the following registry entries:

HKCU\Software\Microsoft\OLE
CTHelper
cthelper.exe

HKLM\Software\Microsoft\OLE
CTHelper
cthelper.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
CTHelper
cthelper.exe

HKCU\Software\Microsoft\OLE
CTHelper
cthelper.exe

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
CTHelper
cthelper.exe

W32/Rbot-XB may modify the setting of the following registry entry to enable or disable anonymous access to the IPC$ share:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous

The worm may also be instructed to enable or disable DCOM, by modifying the following registry entry:

HKLM\Software\Microsoft\OLE
EnableDCOM

When installed, W32/Rbot-XB connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:

Scan for remote computers to infect
Start an HTTP, an FTP, or a SOCKS4 server
Log any keystrokes made on an infected computer
Flood a remote computer using ICMP, SYN, UDP or TCP
Search for, upload, download, and execute files
Browse and attempt to modify any services installed on the computer
Participate in a distributed denial-of-service (DDoS) attack
List and terminate processes
Attempt to disable security software
Create and delete network shares


Removing worms with Sophos

If you download and run RescueME, one of the scanners you can pick is Sophos, and you won't have to bother with learning the DOS commands. I would also suggest running at least one other of the AV scanners to clean your system.
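The registry indicators quoted in the Sophos writeup above can be checked offline before any cleaner is run. The script below is an added example, not code from the thread, from Sophos or from RescueME: it parses a Windows .reg export (the format `reg export` and regedit's File > Export produce), looks for a value pointing at cthelper.exe under each key the writeup lists, and reports the two settings the writeup says the worm can toggle (Lsa\restrictanonymous and OLE\EnableDCOM). The sample export embedded in it is constructed for illustration. Note that restrictanonymous = 0 and EnableDCOM = Y are also ordinary Windows defaults, so the script reports those values for review rather than treating them as proof of infection; the cthelper.exe autostart entries are the actual signal.

```python
"""
Added example (not from the thread or from Sophos): triage a Windows .reg
export against the W32/Rbot-XB registry indicators from the Sophos writeup.
SAMPLE_EXPORT is a constructed sample; on a real machine you would feed in
the output of `reg export` or regedit's File > Export. Nothing here writes
to the registry.
"""
import re

# Hive abbreviations as used in the writeup -> names as written by regedit exports.
HIVE_ALIASES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user"}

# Keys under which the writeup says the worm stores a "CTHelper" = "cthelper.exe" value.
PERSISTENCE_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\Software\Microsoft\OLE",
    r"HKLM\Software\Microsoft\OLE",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKCU\SYSTEM\CurrentControlSet\Control\Lsa",
]


def norm_key(path):
    """Registry paths are case-insensitive; expand HKLM/HKCU so both spellings compare equal."""
    path = path.strip().strip("\\").lower()
    hive, sep, rest = path.partition("\\")
    return HIVE_ALIASES.get(hive, hive) + sep + rest


def parse_reg_export(text):
    """Parse .reg text into {normalised key: {value name (lower-cased): data}}.
    Handles REG_SZ ("...") and REG_DWORD (dword:hex); other types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = norm_key(line[1:-1])
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$', line)
        if current is None or not m:
            continue
        name = (m.group(1) if m.group(1) is not None else "@").lower()
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def triage(keys):
    """Return human-readable findings for the Rbot-XB indicators in the writeup."""
    findings = []
    for key in PERSISTENCE_KEYS:
        for name, data in keys.get(norm_key(key), {}).items():
            # Match on the executable name in the data, not only on the value name "CTHelper":
            # the writeup lists the worm's file by bare name, so any path ending in it counts.
            if isinstance(data, str) and data.lower().replace("/", "\\").rsplit("\\", 1)[-1] == "cthelper.exe":
                findings.append(f"autostart/marker: {key}\\{name} -> {data}")
    # Settings the writeup says the worm may flip. 0 and "Y" are also normal defaults,
    # so they are reported for review rather than flagged as malicious.
    lsa = keys.get(norm_key(r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"), {})
    if "restrictanonymous" in lsa:
        findings.append(f"check: Lsa\\restrictanonymous = {lsa['restrictanonymous']} (0 permits anonymous IPC$ access)")
    ole = keys.get(norm_key(r"HKLM\Software\Microsoft\OLE"), {})
    if "enabledcom" in ole:
        findings.append(f"check: OLE\\EnableDCOM = {ole['enabledcom']}")
    return findings


# Constructed sample export; "ExampleUpdater" is a made-up benign entry for contrast.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="cthelper.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"CTHelper"="cthelper.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"CTHelper"="cthelper.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE]
"EnableDCOM"="Y"
"CTHelper"="cthelper.exe"
"""

if __name__ == "__main__":
    for finding in triage(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

Run it against a real export with `python rbot_triage.py` after swapping SAMPLE_EXPORT for the file contents (or reading the file, which regedit writes as UTF-16 with a BOM, so open it with `encoding="utf-16"`). An empty findings list after cleaning, together with the absence of cthelper.exe from the Windows system folder, is the state you want before considering the machine clean; the IRC connection the writeup describes would still need a second look at outbound traffic.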



