Sophos

W32/Domwis-H

Aliases
  • BKDR_DOMWIS.C
  • Backdoor.Win32.Wisdoor.av
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 9 March 2005 09:12:51 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

Please follow the instructions for removing worms.

Change any data that may have become compromised.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

More Information

W32/Domwis-H is a network worm which contains IRC backdoor Trojan functionality which allows a malicious user remote access to the infected computer.

W32/Domwis-H spreads via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Domwis-H can be instructed by a remote user to perform a variety of other tasks including to steal system information and log keystrokes, to download and execute remote files, and to get information about running processes and to terminate them. W32/Domwis-H is a network worm which contains IRC backdoor Trojan functionality which allows a malicious user remote access to the infected computer.

W32/Domwis-H copies itself to the Windows folder with the filename WINFRW.EXE and creates the following entry in the registry so as to run itself on system startup, resetting this value periodically:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows System Configuration
%WINDOWS%\WINFRW.EXE

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Security Updater
%WINDOWS%\WINFRW.EXE

W32/Domwis-H spreads via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Domwis-H can be instructed by a remote user to perform a variety of other tasks including to steal system information and log keystrokes, to download and execute remote files, and to get information about running processes and to terminate them.

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer