Sophos

W32/Codbot-AB

Aliases
  • Backdoor.Win32.SdBot.afu

Summary

W32/Codbot-AB is a network worm with backdoor Trojan functionality for the Windows platform.
How it spreads
  • Network shares
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since: 26 September 2005 01:46:08 (GMT)
Detected by: All Sophos products

More Information

W32/Codbot-AB is a network worm with backdoor Trojan functionality for the Windows platform.

W32/Codbot-AB spreads through network shares and through various operating system vulnerabilities such as the following:

LSASS (MS04-011)
RPC-DCOM (MS04-012)
PNP (MS05-039)
IMAIL Server
ASN.1 (MS04-007)

When run, W32/Codbot-AB copies itself to the Windows system folder as a read-only, hidden, system file dfrgfat32.exe and registers itself as a service process with the following properties:

"Description"="Monitoring the defragmentating process."
"DisplayName"="Defragmentation Management Handler"
"ImagePath"=<System>\dfrgfat32.exe

The following registry entries are created to run dfrgfat32.exe as a service process each time the computer starts up:

HKLM\SYSTEM\CurrentControlSet\Services\FAT Defragmentation
<several entries>

W32/Codbot-AB also sets values under the following registry entries so that dfrgfat32.exe is run when booting in safe mode:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\
Minimal\FAT Defragmentation

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\
Network\FAT Defragmentation
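The persistence artefacts above (the service key, the two SafeBoot entries and the hidden dropped file) can be checked for from a defender's side. The script below is an added example, not Sophos tooling; it assumes a Windows host and that the "Windows system folder" is %SystemRoot%\System32.

```powershell
# Added example: read-only check for the W32/Codbot-AB persistence artefacts listed above.
# Assumes a Windows host and that "Windows system folder" means %SystemRoot%\System32.
$serviceName = 'FAT Defragmentation'
$fileName    = 'dfrgfat32.exe'

# Registry locations taken from the description: the service key plus the two
# SafeBoot entries that keep the service running in Safe Mode.
$registryChecks = @(
    @{ Name = 'Service key';      Path = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName" },
    @{ Name = 'SafeBoot Minimal'; Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\$serviceName" },
    @{ Name = 'SafeBoot Network'; Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\$serviceName" }
)

$findings = @(foreach ($check in $registryChecks) {
    if (Test-Path -LiteralPath $check.Path) {
        $props = Get-ItemProperty -LiteralPath $check.Path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check  = $check.Name
            Path   = $check.Path
            Detail = "ImagePath=$($props.ImagePath); DisplayName=$($props.DisplayName)"
        }
    }
})

# The dropped copy is read-only, hidden and system, so a default directory
# listing skips it; -Force makes Get-Item return it anyway.
$filePath = Join-Path $env:SystemRoot "System32\$fileName"
$file = Get-Item -LiteralPath $filePath -Force -ErrorAction SilentlyContinue
if ($file) {
    $findings += [pscustomobject]@{
        Check  = 'Dropped file'
        Path   = $filePath
        Detail = "Attributes=$($file.Attributes); Size=$($file.Length)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Codbot-AB persistence artefacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell prompt, since the SafeBoot keys and the system folder are not readable by every account. A hit on any row is a reason to let the scanner perform cleanup rather than deleting the entries by hand.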

The backdoor component of W32/Codbot-AB connects to a predetermined IRC channel and awaits further commands from a remote user. The backdoor component can be instructed to perform various functions, including:

silently download, install and run new software
start an FTP server
send raw IRC commands
harvest system information
scan networks for vulnerabilities
log keystrokes

Patches for the vulnerabilities exploited by W32/Codbot-AB can be obtained from Microsoft at:

MS04-011
MS04-012
MS04-007
MS05-039
