I've seen a variant of RBOT that was similar; the naming format tries to confuse you into thinking that it is part of Windows Update, which is wuauserv.exe.
There is a gray area between the antivirus scanners and the spyware scanners in picking this stuff up. You'll want to get that machine patched, the registry cleaned for the HKLM, HKDU and the HKCU for whomever was logged in when it ran. If the affected OS has one, you'll also need to empty the %windir%\prefetch folder, as some antivirus scanners won't find it because the extension is renamed (or they have a blind spot for that folder). Since this worm has a dropper and an active component, you'll need to clean out both.

If your antivirus scanner isn't picking it up, you can use:

http://housecall.trendmicro.com

which downloads an ActiveX control version of their scanner, which will do a full sweep of the local hard drive.

And yes, this TrendMicro name does have aliases. Depending on which vendor you talk to, you'll also see it as GAOBOT or SDBOT. This specific name has no alias, according to this site, which is the only one I know of that tracks the virus lingo across vendors:

http://www.virusbtn.com/resources/vgrep/index.xml

There is also this site, to which you can upload a virus to have it checked by multiple vendors' scan engines and email you a report. Some engines have been removed due to legal pressures:

http://www.virustotal.com/flash/index_en.html

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick
Sent: Tuesday, December 14, 2004 9:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] wuaurlt.exe

On 14 Dec 2004 at 12:31, Nick wrote:

> Has anyone seen or heard of a virus/worm that uses this file? It seems
> to be attacking several pc's at my day job..

As a follow up - I just found this -

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.ADG&VSect=T

Nothing on mcafee or fprot though. Is there an alias that exists?

Thanks again -

-Nick

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.
To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
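
Added example, not part of the original thread: a triage helper that flags executables whose names sit within a small edit distance of Windows Update binary names, the masquerading pattern discussed above. The baseline entry wuauclt.exe, the trusted folder, the distance threshold and every sample path are assumptions made for this example.

```python
import ntpath

# Baseline names. wuauserv.exe is the name given in the thread;
# wuauclt.exe (the Windows Update client) is an assumption added here.
LEGIT = ("wuauclt.exe", "wuauserv.exe")
# Folder where the genuine binaries are expected (assumption).
TRUSTED_DIRS = {r"c:\windows\system32"}

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def classify(path, max_distance=2):
    """Return (verdict, nearest baseline name) for one Windows path."""
    folder, name = ntpath.split(path.lower())
    nearest = min(LEGIT, key=lambda n: edit_distance(name, n))
    distance = edit_distance(name, nearest)
    if distance == 0:
        # Exact name match: only trust it in the expected folder.
        verdict = "ok" if folder in TRUSTED_DIRS else "legit-name-wrong-folder"
    elif distance <= max_distance:
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return verdict, nearest

def scan(paths):
    """Return only the entries that need a closer look."""
    results = ((p, classify(p)) for p in paths)
    return [(p, v, n) for p, (v, n) in results if v not in ("ok", "unrelated")]

# Constructed sample listing (not taken from the thread).
SAMPLE = [
    r"C:\WINDOWS\system32\wuauclt.exe",
    r"C:\WINDOWS\system32\wuaurlt.exe",
    r"C:\Documents and Settings\user\wuauserv.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    for path, verdict, nearest in scan(SAMPLE):
        print(f"{verdict:24} {path} (nearest: {nearest})")
```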
