Sophos

W32/Codbot-L

Aliases
  • Backdoor.Win32.Codbot.ae

How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 15 June 2005 21:12:09 (GMT)
Last updated 18 January 2006 13:31:23 (GMT)
Detected by All Sophos products

More Information

W32/Codbot-L is a worm with backdoor functionality for the Windows platform.

W32/Codbot-L can spread to weakly protected network shares, weakly protected Microsoft SQL servers, and to computers vulnerable to the RPC-DCOM exploit.

The following patches for the operating system vulnerabilities exploited by W32/Codbot-L can be obtained from the Microsoft website:

MS04-012

W32/Codbot-L runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. The intruder can issue commands to download and run further malicious code, steal passwords and system information and sniff packets from the local network.

When first run, W32/Codbot-L copies itself to <Windows system folder>\rpcclient.exe.

W32/Codbot-L is registered as a new system driver service named "RpcClient", with a display name of "Remote Procedure Call (RPC) Client" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\RpcClient\

Registry entries are set as follows:

HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
  ProxyEnable = 1

HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
  ProxyEnable = 1
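The persistence indicators above (dropped file, fake "RpcClient" service, ProxyEnable values), checked from the defender's side as an added example; this is not Sophos' tooling or part of the original write-up, and the function name and parameter names are this example's own.

```powershell
# Added example: read-only host check for the W32/Codbot-L indicators listed
# in the write-up. Run in an elevated PowerShell session; it reports only and
# removes nothing. Indicator values come from the advisory; the function and
# parameter names are assumptions of this example.
function Test-CodbotLIndicators {
    [CmdletBinding()]
    param(
        [string]$DroppedFile = (Join-Path $env:SystemRoot 'System32\rpcclient.exe'),
        [string]$ServiceName = 'RpcClient',
        [string]$DisplayName = 'Remote Procedure Call (RPC) Client'
    )

    $findings = @()

    # 1. Dropped binary in the Windows system folder.
    if (Test-Path -LiteralPath $DroppedFile) {
        $findings += "File present: $DroppedFile"
    }

    # 2. Service registered under HKLM\SYSTEM\CurrentControlSet\Services\RpcClient.
    #    The display name mimics the legitimate RpcSs service ("Remote Procedure
    #    Call (RPC)"); a genuine Windows install has no "RpcClient" service.
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (Test-Path -LiteralPath $svcKey) {
        $svc = Get-ItemProperty -LiteralPath $svcKey
        # Start=2 is the "automatic" startup type the advisory describes.
        $findings += "Service key present: $svcKey (ImagePath='$($svc.ImagePath)', Start=$($svc.Start))"
        if ($svc.DisplayName -eq $DisplayName) {
            $findings += "Display name matches the advisory: '$DisplayName'"
        }
    }

    # 3. ProxyEnable=1 under both hardware-profile Internet Settings keys.
    #    On its own this is weak evidence: a legitimate proxy configuration sets
    #    the same value, so treat it as corroboration for findings 1 and 2.
    foreach ($profile in '0001', 'Current') {
        $isKey = "HKLM:\SYSTEM\CurrentControlSet\Hardware Profiles\$profile\Software\Microsoft\windows\CurrentVersion\Internet Settings"
        $pe = Get-ItemProperty -LiteralPath $isKey -Name ProxyEnable -ErrorAction SilentlyContinue
        if ($pe -and $pe.ProxyEnable -eq 1) {
            $findings += "ProxyEnable=1 under $isKey"
        }
    }

    return $findings
}

$result = Test-CodbotLIndicators
if ($result.Count -eq 0) { Write-Output 'No W32/Codbot-L indicators found.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

A hit on the file or service key is the strong signal; confirm with the vendor's scanner before cleaning, since the file copy may already have been removed while the service registration remains.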
