high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Protection available since | 22 February 2005 20:43:42 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Change any data that may have become compromised.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows System Configuration
<Windows system folder>\SYSCFG16.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows DLL Loader
<Windows system folder>\SYSCFG16.EXE
and delete them if they exist.
Close the registry editor.
More Information
W32/Domwis-G is a network worm with backdoor functionality for the Windows platform that allows a malicious user remote access to an infected computer.
W32/Domwis-G can delete, download and execute remote files on the infected computer. The backdoor component can be used to send files to other IRC users.
The backdoor component can be used to flood other computers with internet traffic. To evade detection, the worm can spoof the IP address of the infected computer.
The backdoor component of W32/Domwis-G can steal system information, log keystrokes, create screen and webcam captures and send them to a remote user.
The backdoor component can also be used to scan other computers for open ports and for vulnerabilities in web and database servers. W32/Domwis-G is a network worm with backdoor functionality for the Windows platform that allows a malicious user remote access to an infected computer.
When first run, the worm copies itself to the Windows folder as a hidden file named SYSCFG16.EXE.
In order to run automatically each time Windows is started the worm sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows System Configuration
<Windows system folder>\SYSCFG16.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows DLL Loader
<Windows system folder>\SYSCFG16.EXE
W32/Domwis-G can delete, download and execute remote files on the infected computer. The backdoor component can be used to send files to other IRC users.
The backdoor component can be used to flood other computers with internet traffic. To evade detection, the worm can spoof the IP address of the infected computer.
The backdoor component of W32/Domwis-G can steal system information, log keystrokes, create screen and webcam captures and send them to a remote user.
The backdoor component can also be used to scan other computers for open ports and for vulnerabilities in web and database servers.
|
