W32/Dopbot-B is a worm and IRC backdoor Trojan for the Windows platform.
W32/Dopbot-B spreads to other network computers that are already infected with Troj/Optix, and to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011) and Veritas (CAN-2004-1172).
W32/Dopbot-B runs continuously in the background, providing a backdoor server that allows a remote intruder to gain access to and control of the computer via IRC channels.
W32/Dopbot-B includes functionality to access the internet and communicate with a remote server via HTTP.
When first run, W32/Dopbot-B copies itself to <Windows system folder>\msmsngr.exe and creates the file <Temp>\5540tmp.bat, which is harmless and can be safely deleted.
The following registry entries are created to run msmsngr.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
msmsngr = <Windows system folder>\msmsngr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msmsngr = <Windows system folder>\msmsngr.exe
W32/Dopbot-B also attempts to harden the computer against further attacks by downloading a patch for the LSASS exploit from the Microsoft website. Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM = N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = 2
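The following PowerShell script is an added example, not part of the original analysis or any vendor tool. It performs a read-only check of a Windows host for the indicators described above: the dropped files, the msmsngr Run entries under HKCU and HKLM, and the two hardening values the worm sets. The file path, registry locations and value names are taken from the description; the script assumes it is run from an elevated prompt and reports findings without changing anything.

```powershell
# Added example: read-only check for the W32/Dopbot-B indicators listed in the
# description above. Reports matches; does not delete or modify anything.

$findings = @()

# 1. Dropped files: <Windows system folder>\msmsngr.exe and <Temp>\5540tmp.bat
$sysDir  = [Environment]::GetFolderPath('System')
$dropped = @(
    (Join-Path $sysDir 'msmsngr.exe'),
    (Join-Path $env:TEMP '5540tmp.bat')
)
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += "File present: $path (SHA256 $hash)"
    }
}

# 2. Persistence: a Run value named 'msmsngr' under HKCU and HKLM
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($null -ne $props -and $null -ne $props.PSObject.Properties['msmsngr']) {
            $findings += "Run entry: $key\msmsngr = $($props.msmsngr)"
        }
    }
}

# 3. Hardening values the worm sets. An administrator may legitimately set
#    these, so treat them as corroborating evidence alongside 1 or 2, not proof.
$hardening = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Ole';                  Name = 'EnableDCOM';        Expect = 'N' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';    Name = 'restrictanonymous'; Expect = 2   }
)
foreach ($h in $hardening) {
    $props = Get-ItemProperty -LiteralPath $h.Key -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.PSObject.Properties[$h.Name]) {
        $value = $props.($h.Name)
        if ("$value" -eq "$($h.Expect)") {
            $findings += "Registry value: $($h.Key)\$($h.Name) = $value"
        }
    }
}

# 4. Report
if ($findings.Count -eq 0) {
    Write-Output 'No W32/Dopbot-B indicators found.'
} else {
    Write-Output 'W32/Dopbot-B indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The file hash is included in the output so that a match can be compared against the vendor's detection data; the script does not carry a hash itself because the description above does not publish one. The hardening values are reported only when they equal what the worm writes, and the comment in the script notes that they are weak evidence on their own.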
A patch for the operating system vulnerability exploited by W32/Dopbot-B can be obtained from Microsoft at:
MS04-011