Sophos

W32/Dedler-B

Aliases
  • W32/Dedler.worm.gen
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 15 November 2004 22:54:42 (GMT)
Last updated 10 December 2004 15:28:45 (GMT)
Detected by All Sophos products
Sophos beta program Sophos beta program
Register now for our latest beta tests
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

Please follow the instructions for removing worms.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
VC5MediaPlayer = "<path to worm EXE>"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WIN95DEFVIEW = "<path to worm EXE>"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WindowsInstaller = "<path to worm EXE>"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MsgApi = "<path to worm EXE>"

and delete them if they exist.

Close the registry editor.

More Information

W32/Dedler-B is a network worm with backdoor Trojan functionality.

W32/Dedler-B will connect to an ICQ chat server and await backdoor commands over the ICQ network. The worm is capable of downloading and running further executables.

W32/Dedler-B is capable of spreading to network shares protected by weak passwords.

W32/Dedler-B will attempt to disable anti-virus and security software and deny access to certain anti-virus websites.

When first run, W32/Dedler-B will copy itself to the Windows system folder as CSMRS.EXE. In order to run automatically each time a user logs on, W32/Dedler-B will set one of the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
VC5MediaPlayer = "<path to worm EXE>"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WIN95DEFVIEW = "<path to worm EXE>"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WindowsInstaller = "<path to worm EXE>"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MsgApi = "<path to worm EXE>"

W32/Dedler-B will attempt to disable and delete the following security related services:

Network Client Monitor
Network Client
kavsvc
SAVScan
Symantec Core LC
navapsvc
wuauserv

In order to deny access to certain anti-virus websites, W32/Dedler-B will overwrite the HOSTS file found in the \drivers\etc folder. The new HOSTS file will redirect network traffic intended for anti-virus websites back to the computer. For example,

127.0.0.1 www.sophos.com
127.0.0.1 sophos.com

W32/Dedler-B will then connect to login.icq.com and wait for further backdoor commands over the ICQ chat network.

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer