Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 28 June 2005 22:33:34 (GMT) |
| Detected by | All Sophos products |

- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action

Please follow the instructions for removing worms.
Change any data that may have become compromised.
More Information
W32/Codbot-AG is a network worm with backdoor functionality for the Windows platform.
W32/Codbot-AG can spread to remote network shares protected by weak passwords and to computers vulnerable to common exploits, including the RPC-DCOM, LSASS and MSSQL vulnerabilities. The following patches for the operating system vulnerabilities exploited by W32/Codbot-AG can be obtained from the Microsoft website:
W32/Codbot-AG can be controlled by a remote attacker via the IRC network. The attacker can issue commands to download and run further malicious code, steal passwords and system information and sniff packets from the local network.
W32/Codbot-AG copies itself to the Windows system folder with the filename dhcpclient.exe.
On NT-based versions of Windows (NT, 2000, XP) the worm registers itself as a service process named Ulead Service with a display name of DHCP Client and a start type of automatic, so that the worm is run on computer login. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHCP_CLIENT
<several entries>
HKLM\SYSTEM\CurrentControlSet\Services\DHCP Client
<several entries>
W32/Codbot-AG also creates the following registry entries in order to run as a service process in safe mode:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client
(default)
Service
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DHCP Client
(default)
Service
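As an added defender's check, not part of the Sophos analysis, the following PowerShell script looks for the persistence indicators listed above: the dropped dhcpclient.exe in the system folder, the Ulead Service service or any other service borrowing the display name DHCP Client, and the registry keys named here. It assumes an elevated session on the host being examined; that the legitimate Windows DHCP Client service is named Dhcp is an assumption of this example, not something the page states.

```powershell
# Added check for the W32/Codbot-AG persistence described above (editor's example).
# Assumption: run in an elevated PowerShell session on the host being examined.
# Assumption: 'Dhcp' is the service name of the legitimate Windows DHCP Client,
# whereas the worm's service is named 'Ulead Service' with display name 'DHCP Client'.

$findings = @()
$sysDir   = [Environment]::GetFolderPath('System')   # Windows system folder
$dropPath = Join-Path $sysDir 'dhcpclient.exe'

# 1. Dropped file in the Windows system folder
if (Test-Path -LiteralPath $dropPath) {
    $findings += "File present: $dropPath"
}

# 2. Service registered under the worm's name, impersonating the DHCP Client
#    display name under a non-standard service name, or running dhcpclient.exe
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.Name -eq 'Ulead Service') {
        $findings += "Service '$($svc.Name)' present (StartMode=$($svc.StartMode), Path=$($svc.PathName))"
    }
    elseif ($svc.DisplayName -eq 'DHCP Client' -and $svc.Name -ne 'Dhcp') {
        $findings += "Service '$($svc.Name)' borrows display name 'DHCP Client' (Path=$($svc.PathName))"
    }
    if ($svc.PathName -and $svc.PathName -match '(?i)\\dhcpclient\.exe') {
        $findings += "Service '$($svc.Name)' runs dhcpclient.exe"
    }
}

# 3. Registry keys the worm creates, including the safe-mode persistence keys;
#    a key literally named 'DHCP Client' (rather than 'Dhcp') is the indicator.
$wormKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\DHCP Client',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHCP_CLIENT',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DHCP Client'
)
foreach ($key in $wormKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += "Registry key present: $key"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Codbot-AG persistence indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "INDICATOR: $_" }
}
```

Any hit should be followed by the removal instructions under Action and a password change for accounts used on the affected machine, since the worm also steals credentials.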
