high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 23 September 2005 06:28:47 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Codbot-AA is a network worm with backdoor Trojan functionality for the Windows platform.
The backdoor component of W32/Codbot-AA connects to a predetermined IRC channel and awaits further commands from a remote user. The backdoor component can be instructed to perform various functions, including:
silently download, install and run new software
start an FTP server
send raw IRC commands
harvest system information
scan networks for vulnerabilities
W32/Codbot-AA spreads through network shares and through various operating system vulnerabilities such as the following:
LSASS (MS04-011)
RPC-DCOM (MS04-012)
IMAIL Server
ASN.1 (MS04-007)
Patches for the vulnerabilities exploited by W32/Codbot-AA can be obtained from Microsoft at:
MS04-011
MS04-012
MS04-007
W32/Codbot-AA is a network worm with backdoor Trojan functionality for the Windows platform.
When run, W32/Codbot-AA copies itself to the Windows system folder as a read-only, hidden, system file winjava.exe and registers itself as a service process with the following properties:
"Description"="Interacts Javascript with the current system."
"DisplayName"="Enables Java Support"
"ImagePath"=<System>\winjava.exe
The following registry entries are created to run winjava.exe as a service process each time the computer starts up:
HKLM\SYSTEM\CurrentControlSet\Services\Java
<several entries>
W32/Codbot-AA also sets values under the following registry entries so that winjava.exe is also run when booting in safe-mode:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Java\
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Java\
The backdoor component of W32/Codbot-AA connects to a predetermined IRC channel and awaits further commands from a remote user. The backdoor component can be instructed to perform various functions, including:
silently download, install and run new software
start an FTP server
send raw IRC commands
harvest system information
scan networks for vulnerabilities
W32/Codbot-AA spreads through network shares and through various operating system vulnerabilities such as the following:
LSASS (MS04-011)
RPC-DCOM (MS04-012)
IMAIL Server
ASN.1 (MS04-007)
Patches for the vulnerabilities exploited by W32/Codbot-AA can be obtained from Microsoft at:
|
