W32/Rbot-ZY is a network worm with backdoor functionality for the Windows platform.
W32/Rbot-ZY may spread to remote network shares protected by weak passwords and to computers vulnerable to common exploits. The worm also opens a backdoor, allowing unauthorised remote access to infected computers via the IRC network, while running in the background as a service process. The worm exploits vulnerabilities including RPC-DCOM (MS04-012) and LSASS (MS04-011).
W32/Rbot-ZY can receive commands from a remote intruder to delete network shares, log keypresses, participate in DDoS attacks, scan other computers for vulnerabilities, steal passwords, steal registration keys for computer games, create administrator accounts, terminate firewall and anti-virus processes, and capture video from webcams attached to the computer.
W32/Mytob-W is a mass-mailing network worm with backdoor functionality that targets users of Internet Relay Chat programs.
Emails sent by W32/Mytob-W have the following characteristics:
The subject line is one of the following:
Mail Delivery System
Mail Transaction Failed
The message text is one of the following lines:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The original message was included as an attachment.
Here are your banks documents
The worm is included as an attachment to the message, either as an executable file (with CMD, BAT, DOC, HTM, PIF, SCR, TMP, TXT, EXE or COM extension) or as a ZIP file containing the executable. The filename (excluding file extension) is chosen from the following list:
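A mail-gateway style check for the W32/Mytob-W traits described above, as an added Python example (not code from the original description). It matches the listed subjects, message lines and attachment extensions, including a listed extension inside a ZIP; attachment filenames are not checked, and `build_sample` with its addresses is constructed for testing.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators as listed in the W32/Mytob-W description (compared lower-cased).
SUBJECTS = {"mail delivery system", "mail transaction failed"}
BODY_LINES = {
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "the original message was included as an attachment.",
    "here are your banks documents",
}
EXTENSIONS = (".cmd", ".bat", ".doc", ".htm", ".pif", ".scr", ".tmp", ".txt", ".exe", ".com")

def attachment_matches(name, payload):
    """True if the name has a listed extension, or it is a ZIP holding such a file."""
    names = [name]
    if name.lower().endswith(".zip"):
        try:
            names += zipfile.ZipFile(io.BytesIO(payload)).namelist()
        except zipfile.BadZipFile:
            pass  # assumption: unreadable archives are left to other controls
    return any(n.lower().endswith(EXTENSIONS) for n in names)

def score_message(raw):
    """Return the subset of {'subject', 'text', 'attachment'} that matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    lines = body.get_content().splitlines() if body else []
    atts = ((p.get_filename() or "", p.get_payload(decode=True) or b"") for p in msg.iter_attachments())
    checks = {
        "subject": (msg["Subject"] or "").strip().lower() in SUBJECTS,
        "text": any(ln.strip().lower() in BODY_LINES for ln in lines),
        "attachment": any(attachment_matches(n, d) for n, d in atts),
    }
    return {k for k, v in checks.items() if v}

def is_suspect(raw):
    # .txt/.doc/.htm attachments are common in legitimate mail, so require all three traits.
    return score_message(raw) == {"subject", "text", "attachment"}

def build_sample(subject, text, att_name, att_bytes):
    """Constructed test message (reserved example domains), returned as raw bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.org", subject
    m.set_content(text)
    m.add_attachment(att_bytes, maintype="application", subtype="octet-stream", filename=att_name)
    return m.as_bytes()
```

`score_message` reports which traits matched so a gateway can log partial hits while quarantining only messages for which `is_suspect` is true.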