W32/Codbot-L

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Codbot-L is a worm with backdoor functionality for the Windows platform.

W32/Codbot-L can spread to weakly protected network shares, weakly protected Microsoft SQL servers, and to computers vulnerable to the RPC-DCOM exploit.

The following patches for the operating system vulnerabilities exploited by W32/Codbot-L can be obtained from the Microsoft website:

MS04-012

W32/Codbot-L runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. The intruder can issue commands to download and run further malicious code, steal passwords and system information and sniff packets from the local network.

When first run, W32/Codbot-L copies itself to <Windows system folder>\rpcclient.exe.

W32/Codbot-L is registered as a new system driver service named "RpcClient", with a display name of "Remote Procedure Call (RPC) Client" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\RpcClient\

Registry entries are set as follows:

HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable
1

HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable
1
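
The artefacts listed above can be checked on a host with a short PowerShell function. This is an added example, not Sophos code; the function name, output property names and the extra SysWOW64 check are assumptions, and the ProxyEnable value is reported only as supporting evidence because it is a generic Internet Settings value.

```powershell
# Added example: looks for the W32/Codbot-L artefacts named on this page.
# Function name, property names and weights are hypothetical.
function Test-CodbotLIndicators {
    # Dropped copy: <Windows system folder>\rpcclient.exe. SysWOW64 is also
    # checked on the assumption that a 32-bit process on 64-bit Windows
    # is redirected there.
    $dirs = @([Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64'))
    foreach ($dir in ($dirs | Select-Object -Unique)) {
        $file = Join-Path $dir 'rpcclient.exe'
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            [pscustomobject]@{ Indicator = 'DroppedFile'; Detail = $file; Weight = 'Primary' }
        }
    }

    # Service key from the page; report what it launches and how it starts.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcClient'
    if (Test-Path -LiteralPath $svcKey) {
        $svc = Get-ItemProperty -LiteralPath $svcKey
        $auto = ($svc.Start -eq 2)   # Start = 2 means automatic startup
        $nameMatch = ($svc.DisplayName -eq 'Remote Procedure Call (RPC) Client')
        [pscustomobject]@{
            Indicator = 'ServiceKey'
            Detail    = "ImagePath=$($svc.ImagePath); AutoStart=$auto; DisplayNameMatch=$nameMatch"
            Weight    = 'Primary'
        }
    }

    # ProxyEnable = 1 under the two hardware-profile keys from the page.
    foreach ($hwProfile in '0001', 'Current') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Hardware Profiles\$hwProfile\Software\Microsoft\windows\CurrentVersion\Internet Settings"
        $val = Get-ItemProperty -LiteralPath $key -Name ProxyEnable -ErrorAction SilentlyContinue
        if ($val -and $val.ProxyEnable -eq 1) {
            [pscustomobject]@{ Indicator = 'ProxyEnable'; Detail = $key; Weight = 'Supporting' }
        }
    }
}

# Empty output means none of the listed artefacts were found.
Test-CodbotLIndicators | Format-Table -AutoSize -Wrap
```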
