Sophos

W32/Codbot-N

Aliases
  • Backdoor.Win32.Codbot.ag
  • W32.Toxbot
  • WORM_SPYBOT.ABN
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 27 June 2005 12:45:42 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

Please follow the instructions for removing worms.

To renable DCOM you can edit the registry, but it's better to use Dcomcnfg.exe. See Microsoft article 825750 for details.

More Information

W32/Codbot-N is a worm and IRC backdoor Trojan for the Windows platform.

W32/Codbot-N runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. W32/Codbot-N is a worm and IRC backdoor Trojan for the Windows platform.

W32/Codbot-N runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Codbot-N copies itself to <System>\dfrgfat16.exe.

W32/Codbot-N is registered as a new system driver service named "Defragmentation Manager", with a display name of "Managing FAT and NTFS partitions" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Defragmentation Manager\

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer