Summary

| Field | Value |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 11 May 2005 21:36:16 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
Change any data that may have become compromised.
You should also check your Internet Explorer settings using Tools|Internet options|General for any modifications made by the worm.
You will also need to edit the following registry entry, if it is present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Doxpar-C is a network worm with password stealing capabilities.
W32/Doxpar-C will spy on a user's internet access and attempt to steal banking-related details. The worm will also attempt to terminate a number of anti-virus and security-related services.
W32/Doxpar-C will attempt to spread through the LSASS (MS04-011) vulnerability. The following patches for the operating system vulnerabilities exploited by W32/Doxpar-C can be obtained from the Microsoft website:
When first run, W32/Doxpar-C will copy itself to the Windows system folder with a random name and drop the following files:
- \BOOT.SYS - Troj/Padodor-Y
- <Windows system folder>\<Random name>.EXE - W32/Doxpar-C
- <Windows system folder>\<Random name>.DLL - W32/Doxpar-C
- <Windows system folder>\<Random name>.DLL - Troj/Padodor-Y
- <Windows system folder>\driver\NDISRD.SYS - clean network driver file
In order to run automatically each time the computer starts, W32/Doxpar-C will set the following registry entries:
- HKCR\CLSID\{Random CLSID}\InprocServer32
  (default) = <path to worm DLL>
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  <random letters> = {Random CLSID}
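The persistence mechanism above (a random-letter value under ShellServiceObjectDelayLoad pointing at a CLSID whose InprocServer32 is the worm DLL) and the clean-up step in the Action section (remove any reference to a file you deleted) can both be audited with a short script. The following PowerShell is an added example for defenders; it is not Sophos's tooling or part of this advisory. It assumes it is run in an elevated PowerShell session on the Windows host being checked, and that an administrator supplies the list of value names expected on that build of Windows (the `$knownGood` list below is a placeholder, not a vetted allowlist).

```powershell
# Added example (not from the Sophos advisory): audit ShellServiceObjectDelayLoad entries.
# Assumes an elevated PowerShell session on the host under investigation.
$ssodlPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

# Placeholder: replace with the value names present on a known-clean machine of the same build.
$knownGood = @('PostBootReminder', 'WebCheck')

function Get-SsodlEntries {
    # Enumerate every value under the key and resolve its CLSID to the DLL that would be loaded.
    $key = Get-Item -Path $ssodlPath -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $clsid   = [string]$key.GetValue($name)
        $dllPath = $null
        $exists  = $false
        $sigStatus = 'NotChecked'

        # HKCR\CLSID\{guid}\InprocServer32 (default) names the in-process server DLL.
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (Test-Path -Path $inproc) {
            $dllPath = [string](Get-Item -Path $inproc).GetValue('')
            if ($dllPath) {
                $expanded = [Environment]::ExpandEnvironmentVariables($dllPath.Trim('"'))
                $exists = Test-Path -LiteralPath $expanded
                if ($exists) {
                    # Signature status is a hint only; some legitimate system DLLs are catalog-signed.
                    $sigStatus = (Get-AuthenticodeSignature -FilePath $expanded).Status
                }
            }
        }

        [pscustomobject]@{
            ValueName      = $name
            CLSID          = $clsid
            InprocServer32 = $dllPath
            FileExists     = $exists
            Signature      = $sigStatus
        }
    }
}

function Find-SuspiciousSsodl {
    # Flag entries that match the pattern described in the advisory or that are left over
    # after a DLL has been deleted (a dangling reference is exactly what the Action step removes).
    Get-SsodlEntries | ForEach-Object {
        $reasons = @()
        if ($knownGood -notcontains $_.ValueName) { $reasons += 'value name not in allowlist' }
        if (-not $_.CLSID -or -not $_.InprocServer32) { $reasons += 'CLSID does not resolve to an InprocServer32' }
        elseif (-not $_.FileExists) { $reasons += 'referenced DLL is missing (dangling entry)' }
        elseif ($_.Signature -ne 'Valid') { $reasons += "DLL signature status: $($_.Signature)" }
        if ($reasons.Count -gt 0) {
            $_ | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

$findings = Find-SuspiciousSsodl
$findings | Format-Table ValueName, CLSID, InprocServer32, FileExists, Reasons -AutoSize

# Dry run of the removal described in the Action section; drop -WhatIf only after
# confirming the entry belongs to the worm (for example, its DLL was the file you deleted).
foreach ($f in $findings) {
    Remove-ItemProperty -Path $ssodlPath -Name $f.ValueName -WhatIf
}
```

Run it before and after cleaning: before, a live infection shows a random-letter value whose DLL exists in the system folder; after deleting the DLL, the same value shows `FileExists` false, which is the dangling reference the advisory tells you to remove by hand.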
W32/Doxpar-C will modify the security settings of Internet Explorer.
Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against the main component of W32/Doxpar-C (detected as Troj/Padodo-Gen) since version 3.87.
