Sophos

W32/Esbot-A

Aliases
  • W32.Esbot.A
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Protection available since 17 August 2005 00:35:15 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

More Information

W32/Esbot-A is a worm and IRC backdoor Trojan for the Windows platform.

W32/Esbot-A spreads to other network computers by exploiting common buffer overflow vulnerabilites, including LSASS (MS04-011) and PnP (MS05-039).

W32/Esbot-A will connect to an IRC channel and wait for instructions. The Trojan component has the ability to do the following:

Download and Execute files
Execute DDoS attacks using a variety of methods
Search for files on the infected computer

When first run W32/Esbot-A copies itself to \mousesync.exe and creates the file \Debug\dcpromo.log which is harmless and can be deleted.

The file mousesync.exe is registered as a new system driver service named "mousesync", with a display name of "Mouse Synchronization" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\mousesync\

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
n

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Patch for the operating system vulnerability exploited by W32/Esbot-A can be obtained from Microsoft at:

MS04-011
MS05-039

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer