W32/Dedler-E

Aliases	Net-Worm.Win32.Dedler.u W32/Dedler.worm
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Network shares
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	15 December 2004 14:48:12 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

More Information

Summary
Action
More Information

W32/Dedler-E is a network worm with backdoor Trojan functionality.

W32/Dedler-E will connect to an ICQ chat server and await backdoor commands over the ICQ network. The worm is capable of downloading and running further executables.

W32/Dedler-E is capable of spreading to network shares protected by weak passwords.

W32/Dedler-E will attempt to disable anti-virus and security software and deny access to certain anti-virus websites. The worm will attempt to disable the Windows update service.

When first run, W32/Dedler-E will copy itself to the Windows system folder as CSMRS.EXE. In order to run automatically each time a user logs on, W32/Dedler-E will set one of the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MsgApi
<path to worm EXE>

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WindowsInstaller
<path to worm EXE>

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WIN95DEFVIEW
<path to worm EXE>

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
VC5MediaPlayer
<path to worm EXE>

W32/Dedler-E will attempt to disable and delete the following security related services:

Network Client Monitor
Network Client
kavsvc
SAVScan
Symantec Core LC
navapsvc
wuauserv

In order to deny access to certain anti-virus websites, W32/Dedler-E will overwrite the HOSTS file found in the <SYSTEM>\drivers\etc folder. The new HOSTS file will redirect network traffic intended for anti-virus websites back to the computer. For example,

127.0.0.1 www.sophos.com
127.0.0.1 sophos.com

W32/Dedler-E will then connect to login.icq.com and wait for further backdoor commands over the ICQ chat network.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Dedler-E

Summary

Action

More Information