Sophos

W32/Codbot-M

Aliases
  • W32.Toxbot
  • Backdoor.Win32.Codbot.ae
  • W32/Sdbot.worm.gen.w
  • WORM_SDBOT.BJA
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 21 June 2005 13:54:26 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

More Information

W32/Codbot-M is a worm and IRC backdoor Trojan for the Windows platform.

W32/Codbot-M runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Codbot-M can spread to remote network shares and computers vulnerable to the following exploits: LSASS (MS04-011), RPC-DCOM (MS04-012) and MSSQL (MS02-039) (CAN-2002-0649). For patches for these vulnerabilities, see:

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

When first run W32/Codbot-M copies itself to <System>\netddeclnt.exe.

W32/Codbot-M is registered as a new system driver service named "NetDDEclnt", with a display name of "Network DDE Client" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\NetDDEclnt\

W32/Codbot-M also creates the following registry entries in order to run as a service process in safe mode:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NetDDEclnt

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEclnt

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer