Sophos

W32/Codbot-K

Aliases
  • Backdoor.Win32.Codbot.z
  • W32/Gaobot.worm.gen.q
  • W32.Randex

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 13 April 2005 22:02:14 (GMT)
Last updated 13 January 2006 10:33:39 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Change any data that may have become compromised.

To re-enable DCOM you can edit the registry, but it's better to use Dcomcnfg.exe. See Microsoft article 825750 for details.

More Information

W32/Codbot-K is a network worm with backdoor functionality for the Windows platform.

The worm connects to an IRC channel and listens for backdoor commands from a remote attacker. The backdoor functionality of the worm includes the ability to sniff packets, download further malicious code and steal passwords and other system information.

When first run, W32/Codbot-K copies itself to the Windows system folder as SCardClnt.exe and installs itself as a service with these attributes:

servicename = SCardClnt
displayname = "Smart Card Client"
imagepath = <Windows system folder>\SCardClnt.exe

W32/Codbot-K may make the following change to the system registry:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
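
A host can be checked for the three indicators listed above (the service, the dropped file and the registry value) with the following PowerShell function. This is an added example, not Sophos code; the function name Test-CodbotKIndicators is hypothetical, and it assumes PowerShell 4 or later run with rights to read HKLM and the system folder.

```powershell
# Added example: triage check for the W32/Codbot-K indicators described on this page.
# Returns one object per indicator found; an empty result means none were present.
function Test-CodbotKIndicators {
    $findings = @()

    # Indicator 1: a service registered under the name SCardClnt.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SCardClnt'" `
                           -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += [pscustomobject]@{
            Indicator = 'Service'
            Detail    = "Name=$($svc.Name); DisplayName=$($svc.DisplayName); " +
                        "ImagePath=$($svc.PathName); State=$($svc.State)"
        }
    }

    # Indicator 2: SCardClnt.exe in the Windows system folder.
    # The hash is recorded so the file can be matched against a scanner verdict later.
    $exe = Join-Path ([Environment]::SystemDirectory) 'SCardClnt.exe'
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = 'File'
            Detail    = "Path=$exe; SHA256=$hash"
        }
    }

    # Indicator 3: DCOM switched off (EnableDCOM = N under HKLM\SOFTWARE\Microsoft\Ole).
    # On its own this can also be a deliberate administrator setting, so treat it
    # as supporting evidence next to indicators 1 and 2, not as proof.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name 'EnableDCOM' `
                            -ErrorAction SilentlyContinue
    if ($ole -and $ole.EnableDCOM -eq 'N') {
        $findings += [pscustomobject]@{
            Indicator = 'Registry'
            Detail    = 'HKLM\SOFTWARE\Microsoft\Ole EnableDCOM=N'
        }
    }

    return $findings
}

Test-CodbotKIndicators | Format-Table -AutoSize -Wrap
```
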

W32/Codbot-K may attempt to exploit a number of vulnerabilities, including the LSASS vulnerability (MS04-011).

Patches for the operating system vulnerability exploited by W32/Codbot-K can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
