W32/Doxpar-E is a network worm with password stealing capabilities for the
Windows platform.
W32/Doxpar-E spreads to other network computers by exploiting common buffer
overflow vulnerabilities, including: LSASS (MS04-011).
W32/Doxpar-E will spy on a user's internet access and attempt to steal banking
related details. The worm will attempt to terminate certain security-related
services.
When first run W32/Doxpar-E copies itself to <System>\<random filename>.exe and
creates the following files:
\boot.sys
<System>\<random>.dll
The file boot.sys is detected by Sophos's anti-virus product as Troj/Padodor-Y
and the file <random>.dll is detected by Sophos's anti-virus product as
W32/Doxpar-C.
The following registry entry is created to run code exported by the worm
library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ ShellServiceObjectDelayLoad
DBGA0EEG
(54206BCE-0715-687D-5BFC-660B572D5F06)
The file Laabph32.dll is registered as a COM object, creating registry entries
under:
HKCR\CLSID\(54206BCE-0715-687D-5BFC-660B572D5F06)