Summary
| Property | Details |
|---|---|
| How it spreads | Network shares; operating system vulnerabilities |
| Affected operating systems | Windows |
| Characteristics | Network worm with backdoor Trojan functionality |
| Protection available since | 15 September 2005 06:07:29 (GMT) |
| Last updated | 31 October 2005 23:01:18 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Codbot-Y is a network worm with backdoor Trojan functionality for the Windows platform.

When run, W32/Codbot-Y copies itself to the Windows system folder as a read-only, hidden, system file netddesrv.exe and registers itself as a service process with the display name "NetDDE Server", the service name "NetDDEsrv" and the description "Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers."

The following registry entry is created to run netddesrv.exe as a service process each time the computer starts up:

HKLM\SYSTEM\CurrentControlSet\Services\NetDDEsrv

W32/Codbot-Y also sets values under the following registry entry so that netddesrv.exe is run even when the computer boots in safe mode:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEsrv

The backdoor component of W32/Codbot-Y connects to a predetermined IRC channel and awaits further commands from a remote user. The backdoor component can be instructed to perform various functions, including:

- start an FTP server
- log keypresses
- download and execute arbitrary files
- send raw IRC commands
- harvest system information
- steal passwords
- scan networks for vulnerabilities

W32/Codbot-Y spreads through network shares and through various operating system vulnerabilities, such as the following:

- LSASS (MS04-011)
- RPC-DCOM (MS04-012)
- IMAIL Server
- ASN.1 (MS04-007)

Patches for the vulnerabilities exploited by W32/Codbot-Y can be obtained from Microsoft at:

- MS04-011
- MS04-012
- MS04-007
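A read-only host check for the persistence artefacts described above (the dropped file, the NetDDEsrv service key and the SafeBoot entry), added here as an example and not part of the Sophos analysis; it assumes the "Windows system folder" is %SystemRoot%\System32 and should be run from an elevated PowerShell session.

```powershell
# Added example (not from the Sophos analysis): look for the W32/Codbot-Y
# persistence artefacts named in the write-up. Detection only; nothing is changed.
$findings = @()

# 1. Dropped file: netddesrv.exe in the system folder, expected attributes
#    ReadOnly + Hidden + System. -Force is needed to see hidden/system files.
#    Assumption: "Windows system folder" means %SystemRoot%\System32.
$path = Join-Path $env:SystemRoot 'System32\netddesrv.exe'
if (Test-Path -LiteralPath $path) {
    $attrs = (Get-Item -LiteralPath $path -Force).Attributes
    $findings += "File present: $path (attributes: $attrs)"
}

# 2. Service registration: service name NetDDEsrv, display name "NetDDE Server".
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetDDEsrv'
if (Test-Path -LiteralPath $svcKey) {
    $svc = Get-ItemProperty -LiteralPath $svcKey
    $findings += "Service key present: $svcKey (DisplayName='$($svc.DisplayName)', ImagePath='$($svc.ImagePath)')"
}
$running = Get-Service -Name 'NetDDEsrv' -ErrorAction SilentlyContinue
if ($running) {
    $findings += "Service object found: '$($running.DisplayName)' [$($running.Status)]"
}

# 3. Safe-mode persistence: a SafeBoot\Network entry named after the service,
#    which lets the service start even when the machine is booted in safe mode.
$safeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEsrv'
if (Test-Path -LiteralPath $safeBootKey) {
    $findings += "Safe-boot entry present: $safeBootKey"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Codbot-Y persistence artefacts found.'
} else {
    Write-Output 'Possible W32/Codbot-Y persistence artefacts (investigate before acting):'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A hit on the file or service name is an indicator to investigate, not proof on its own; confirm with the ImagePath and file attributes before following the removal instructions.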