Zone Labs Security Advisory Severity: Medium

WORM_RBOT

Overview: Zone Labs is monitoring WORM_RBOT based on a small number of infection reports. Although this worm has not reached high infection rates, it uses the name of a Zone Labs executable (vsmon.exe) to confuse the computer user.

The Zone Labs vsmon.exe process will never request network access. Any program using this name and requesting network access should be treated with caution and denied network access.

ZoneAlarm Antivirus and ZoneAlarm Internet Security Suite identify and remove this worm. Within these products, the worm is identified as Win32.Rbot.GE.

Zone Labs has released this document to provide information regarding this worm and its functions, and to help users distinguish the malicious executable from the legitimate executable.

Based on the low infection rates, WORM_RBOT has been classified "Medium Risk."

Date Published: July 28, 2004
Date Last Revised: July 28, 2004

Impact: WORM_RBOT attempts to compromise system integrity in several ways:

  • Shutting down antivirus and firewall software
  • Acting as a backdoor on an infected system
  • Spreading via network shares
  • Spreading via a buffer overflow in Microsoft RPC
  • Enabling denial of service attacks

Description: Upon execution, the worm creates a new file with the following name:

  • %windows%\system32\vsmon.exe

NOTE: The legitimate location for this executable is:

  • %windows%\system32\Zone Labs\vsmon.exe

It then creates one of the following registry keys on the infected host:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Alarm = "vsmon.exe"
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Alarm = "vsmon.exe"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Zone Alarm = "vsmon.exe"

NOTE: The legitimate key for Zone Labs products is:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

The worm also attempts to connect to an IRC server on a TCP port:

  • 6667/TCP

Zone Labs Products

ZoneAlarm® security products

Program Control will alert the computer user if malicious code attempts to access the network. The Automatic Program Configuration feature included with ZoneAlarm Pro and ZoneAlarm Internet Security Suite will automatically configure programs with the proper network permissions. Users should consider upgrading to ZoneAlarm Pro or ZoneAlarm Internet Security Suite to obtain this enhanced protection.

Computer users will receive a "New Program alert" if this virus infects their system and attempts to open a TCP port. When prompted, Zone Labs users can select "No" to deny this application Internet access.

Recommended Actions:

Zone Labs products do not require the user to allow vsmon.exe access to the Internet. Therefore, users will not see a New Program alert for the legitimate vsmon.exe process. Any Program alert for this program should be considered malicious:

  • Ensure systems are patched with Microsoft patch MS03-026: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
  • Monitor Program Control alerts for processes named: vsmon.exe
  • Do not allow any vsmon.exe process Internet access outbound on port: 6667/TCP
  • Update antivirus products to provide the most up-to-date protection
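The file, registry and network indicators listed under Description, together with the monitoring steps above, can be turned into a simple host triage check. This is an added example and not Zone Labs' own code; it runs over constructed snapshots (process image paths, exported autorun values, outbound connections) so that it works offline, and the hypothetical field layouts of those snapshots are assumptions.

```python
import ntpath

# Indicators taken from the advisory text
LEGIT_VSMON_DIR = ntpath.join("system32", "zone labs")   # ...\system32\Zone Labs\vsmon.exe is legitimate
AUTORUN_KEYS = {r"software\microsoft\windows\currentversion\run",
                r"software\microsoft\windows\currentversion\runservices"}
IRC_PORT = 6667

def check_processes(image_paths):
    """Flag vsmon.exe running from anywhere other than ...\\system32\\Zone Labs."""
    hits = []
    for path in image_paths:
        folder, name = ntpath.split(path)
        if name.lower() == "vsmon.exe" and not folder.lower().endswith(LEGIT_VSMON_DIR):
            hits.append(f"vsmon.exe outside the Zone Labs folder: {path}")
    return hits

def check_autoruns(entries):
    """Flag Run/RunServices values named 'Zone Alarm' that launch vsmon.exe.
    entries: (hive, key, value_name, data) tuples, assumed exported from the registry."""
    hits = []
    for hive, key, value_name, data in entries:
        if (key.lower() in AUTORUN_KEYS and value_name.lower() == "zone alarm"
                and ntpath.basename(data).lower() == "vsmon.exe"):
            hits.append(f"worm autorun value: {hive}\\{key}\\{value_name} = {data}")
    return hits

def check_connections(conns):
    """Flag any outbound connection by vsmon.exe; the legitimate one never uses the network.
    conns: (process_name, remote_port) tuples, assumed taken from a connection listing."""
    hits = []
    for proc, port in conns:
        if proc.lower() == "vsmon.exe":
            note = " (IRC port used by WORM_RBOT)" if port == IRC_PORT else ""
            hits.append(f"vsmon.exe network connection to port {port}{note}")
    return hits

def triage(image_paths, autoruns, conns):
    return check_processes(image_paths) + check_autoruns(autoruns) + check_connections(conns)

# Constructed sample snapshot: one clean Zone Labs install plus the worm's artifacts.
SAMPLE_PROCESSES = [r"C:\WINDOWS\system32\Zone Labs\vsmon.exe",
                    r"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe",
                    r"C:\WINDOWS\system32\vsmon.exe"]
SAMPLE_AUTORUNS = [("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                    "Zone Labs Client", r"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"),
                   ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Zone Alarm", "vsmon.exe")]
SAMPLE_CONNS = [("iexplore.exe", 80), ("vsmon.exe", 6667)]

if __name__ == "__main__":
    for hit in triage(SAMPLE_PROCESSES, SAMPLE_AUTORUNS, SAMPLE_CONNS):
        print("ALERT:", hit)
```

The legitimate install (vsmon.exe under the Zone Labs folder, the "Zone Labs Client" autorun pointing at zlclient.exe) produces no alerts; only the three worm artifacts do.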

Related Resources:

Contact: Zone Labs customers who are concerned about information contained in this advisory or have additional technical questions may reach our Technical Support team at: http://www.zonelabs.com/support/. To report security issues with Zone Labs products contact security@zonelabs.com.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Zone Labs and Zone Labs products are registered trademarks of Zone Labs Incorporated and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Copyright: ©2004 Zone Labs LLC. All rights reserved. Zone Labs, TrueVector, ZoneAlarm, and Cooperative Enforcement are registered trademarks of Zone Labs LLC. The Zone Labs logo, Check Point Integrity and IMsecure are trademarks of Zone Labs, Inc. Check Point Integrity is protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat. & TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC. All other trademarks are the property of their respective owners.

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Zone Labs. Reprinting the whole or part of this alert in any medium other than electronically requires permission from Zone Labs.
