Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 26 Feb 2007
Damage: Low

Characteristics: W32.Rinbot!gen is a generic detection for variants of the worm family. The worm performs different actions by connecting to a configurable IRC server and joining a specific channel to listen for commands.

More details about W32.Rinbot!gen

The W32.Rinbot!gen worm is identified as a network worm. It copies itself to accessible drives on the user’s computer and also propagates through shared resources on the network. Unsecured shared folders and network shares with weak passwords are prone to infection by the W32.Rinbot!gen worm. It replaces a legitimate file stored on the computer with a copy of itself.

The W32.Rinbot!gen worm provides unauthorized access to the user’s computer through its backdoor functionality. A remote user may issue commands on the computer by using the opening created by the worm. The remote commands are sent to the computer through an Internet Relay Chat (IRC) channel. An unauthorized user may perform several remote actions through the ports opened by the program. These remote activities include managing the installation of the worm, viewing system information, transmitting the program to other IRC users and creating IRC accounts. The remote user may also disable firewalls and security programs on the computer.

Once the W32.Rinbot!gen worm is executed, its variants could connect to an IRC server, join a particular channel, and listen for commands to perform various actions. W32.Rinbot!gen can also propagate by exploiting vulnerabilities such as “Microsoft SQL Server 2000 or MSDE 2000 audit (Bugtraq ID 5980)”, “Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (Bugtraq ID 19409)”, and “Symantec Client Security and Symantec AntiVirus Elevation of Privilege (Bugtraq ID 18107)”.

The W32.Rinbot!gen worm can be removed from the PC manually. To do this, make sure that the virus definitions are updated. Run a complete system scan and delete all the files detected as W32.Rinbot!gen. Restore the original values of the system registry entries if required. Close the registry editor and reboot your PC. To verify that the threat and its variants have been completely eliminated, run a full scan using an effective anti-malware or antivirus software program.
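For defenders, the IRC behaviour described in this entry (connect to a server, join a channel, listen for commands) can be spotted in captured traffic regardless of port. The following is an added example, not part of the original write-up: the record layout, addresses, nicknames, channel name and ports are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: (client_ip, server_ip, server_port, direction, payload_line).
# Addresses are documentation ranges; nicknames, channel and ports are made up.
SAMPLE = [
    ("192.0.2.10", "198.51.100.5", 8080, "out", "NICK host-4711"),
    ("192.0.2.10", "198.51.100.5", 8080, "out", "USER host-4711 0 * :host"),
    ("192.0.2.10", "198.51.100.5", 8080, "in", ":irc.example 001 host-4711 :Welcome"),
    ("192.0.2.10", "198.51.100.5", 8080, "out", "JOIN #example"),
    ("192.0.2.10", "198.51.100.5", 8080, "in", ":op!u@h PRIVMSG #example :status"),
    ("192.0.2.10", "198.51.100.5", 8080, "in", ":op!u@h PRIVMSG #example :status"),
    ("192.0.2.22", "198.51.100.9", 80, "out", "GET /index.html HTTP/1.1"),
    ("192.0.2.22", "198.51.100.9", 80, "out", "User-Agent: example"),  # not IRC USER
    ("192.0.2.31", "198.51.100.7", 6667, "out", "NICK alice"),  # incomplete handshake
]

# Client-side IRC commands: the keyword must be followed by whitespace.
CLIENT_CMD = re.compile(r"^(NICK|USER|JOIN)\s+(\S+)", re.IGNORECASE)
# Server-relayed message addressed to a channel (name starts with # or &).
CHANNEL_MSG = re.compile(r"^:\S+\s+PRIVMSG\s+([#&]\S+)\s+:", re.IGNORECASE)

def find_irc_sessions(records):
    """Return {(client, server, port): {"channels": [...], "channel_msgs": n}}
    for flows where the client sent NICK, USER and JOIN, on any port."""
    seen = defaultdict(lambda: {"cmds": set(), "channels": [], "channel_msgs": 0})
    for client, server, port, direction, line in records:
        flow = seen[(client, server, port)]
        if direction == "out":
            m = CLIENT_CMD.match(line.strip())
            if m:
                cmd = m.group(1).upper()
                flow["cmds"].add(cmd)
                if cmd == "JOIN":
                    flow["channels"].extend(m.group(2).split(","))
        else:
            m = CHANNEL_MSG.match(line.strip())
            # Only count channel traffic for channels this client joined.
            if m and m.group(1) in flow["channels"]:
                flow["channel_msgs"] += 1
    return {
        key: {"channels": f["channels"], "channel_msgs": f["channel_msgs"]}
        for key, f in seen.items()
        if {"NICK", "USER", "JOIN"} <= f["cmds"]
    }

if __name__ == "__main__":
    for key, info in find_irc_sessions(SAMPLE).items():
        print(key, info)
```

A workstation that completes this handshake and then only receives channel messages is worth investigating; legitimate IRC clients on the network would need to be allow-listed.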