Sophos

W32/Francette-Q

Aliases
  • Net-Worm.Win32.Francette.q
  • W32/Kvdbot.worm
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 1 March 2005 21:54:38 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

Please follow the instructions for removing worms.

Change any data that may have become compromised.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft IIS
<path to worm>

and delete it if it exists.

Close the registry editor.

More Information

W32/Francette-Q is network worm with keylogging and backdoor functionality for the Windows platform.

W32/Francette-Q attempts to log details from banking applications. W32/Francette-Q contains IRC backdoor functionality, allowing remote intruders unauthorised access to infected computers. W32/Francette-Q is network worm with keylogging and backdoor functionality for the Windows platform.

W32/Francette-Q attempts to log details from banking applications. W32/Francette-Q contains IRC backdoor functionality, allowing remote intruders unauthorised access to infected computers.

W32/Francette-Q spreads by exploiting the RPC-DCOM vulnerability,
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx

W32/Francette-Q sets the following registry entry to run itself automatically each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft IIS
<path to worm>

W32/Francette-Q also overwrites the Hosts file, directing access to the following websites to the local computer:

banesnet.banesto.es
extranet.banesto.es
ibank.barclays.co.uk
online-business.lloydstsb.co.uk
online.lloydstsb.co.uk
www.halifax-online.co.uk
www.nwolb.com
www.ukpersonal.hsbc.co.uk

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer