Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 18 February 2005 21:09:58 (GMT) |
| Last updated | 21 February 2005 04:37:10 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Codbot-D is a network worm with backdoor functionality for the Windows platform.
W32/Codbot-D may spread to remote network shares and to computers vulnerable to common exploits, including the LSASS exploit (MS04-011) and the RPC-DCOM exploit (MS04-012).
W32/Codbot-D connects to a preconfigured IRC server when an internet connection is available and awaits instructions from a remote attacker. The worm can be commanded to sniff network traffic, download further code, send itself to random IP addresses, start an FTP server and steal passwords and system information.
W32/Codbot-D copies itself to the Windows system folder with the filename "nbthelp.exe".
On NT-based versions of Windows (XP, 2000, NT) the worm registers itself as a service process named "Netbios Helper" with a display name of " Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution." and a start-type of automatic. This creates registry entries under:
HKLM\SYSTEM\CurrentControlSet\Services\Netbios Helper\
W32/Codbot-D deletes processes and registry entries associated with previous versions of the worm, if these exist.
The worm also creates the following registry entries to ensure that the worm is run as a service process even when the computer is booted in Safe Mode:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netbios Helper\
(default)
Service
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netbios Helper\
(default)
Service
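
The service and Safe Mode registry entries listed above can be checked for in an exported registry file. The following is an added example, not Sophos code: it parses `reg export` text and reports the keys named in this description. The function names, the ControlSet001 handling and the sample export are assumptions made for illustration.

```python
import re

# Keys named in the write-up above, with HKLM spelled out as `reg export` writes it.
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbios Helper"
SAFEBOOT_KEYS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netbios Helper",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netbios Helper",
]
_VALUE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))')

def _norm(key):  # assumption: treat ControlSet001 etc. like CurrentControlSet
    return re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", key.lower())

def parse_reg(text):
    """Return {normalised key: {value name: str or int}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(_norm(line[1:-1]), {})
            continue
        m = _VALUE.fullmatch(line)
        if m and current is not None:
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1]
            # dword values become ints; string values have their .reg escapes undone
            current[name] = int(m.group(3), 16) if m.group(3) else re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def find_codbot_d(text):
    """List (kind, key, detail) for each persistence entry the write-up describes."""
    keys, hits = parse_reg(text), []
    svc = keys.get(_norm(SERVICE_KEY))
    if svc is not None:
        # Start = 2 is the Windows service start type "automatic"
        auto = "automatic start" if svc.get("Start") == 2 else "start type not automatic"
        hits.append(("service", SERVICE_KEY, auto))
    for key in SAFEBOOT_KEYS:
        if str(keys.get(_norm(key), {}).get("(default)", "")).lower() == "service":
            hits.append(("safeboot", key, "default value is Service"))
    return hits

# Constructed sample export (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netbios Helper]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Netbios Helper]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Dhcp]
@="Service"
'''
```

Files written by `reg export` are UTF-16, so read them with `encoding="utf-16"` before passing the text to `find_codbot_d`. The unrelated `SafeBoot\Network\Dhcp` entry in the sample is not reported, because only the "Netbios Helper" key names from this description are matched.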
