W32/Rbot-WX

Taken from: http://www.sophos.com/virusinfo/analyses/w32rbotwx.html

Desciption:
W32/Rbot-WX is a network worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-WX spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

W32/Rbot-WX can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-WX can be instructed by a remote user to perform the following functions:


    * start an FTP server

    * start a Proxy server

    * start a web server

    * take part in distributed denial of service (DDoS) attacks

    * log keypresses

    * capture screen/webcam images

    * packet sniffing

    * port scanning

    * download/execute arbitrary files

    * start a remote shell (RLOGIN)


The worm copies itself to a file named lsassx.exe in the Windows system folder and creates the following registry entries:

HKCU\Software\Microsoft\OLE\
Windows Taskmanager=
"lsassx.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Taskmanager=
"lsassx.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Taskmanager=
"lsassx.exe"

Aliases: Backdoor.Win32.IRCBot.y

Affected operating systems: Microsoft Windows Operating Systems

Side effects::
    *  Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

To scan your computer for  W32/Rbot-WX, please check ARNIT Free Online Virus scanner at http://www.arnit.net/security/tplarnit.php?page=vscan