Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 21 March 2005 23:10:25 (GMT) |
| Last updated | 29 December 2005 23:27:19 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Hwbot-A is a network worm with IRC backdoor functionality.
W32/Hwbot-A copies itself to the Windows system folder with the filename HWCLOCK.EXE and creates a service with the following characteristics so as to run itself on system startup:
Service Name: hwclock
Display Name: Hardware Clock Driver
Service Description: Enables a computer to save and restore system time information using the hardware clock. Stopping or disabling this service will result in system instability.
W32/Hwbot-A sets the following entries in the registry:
HKLM\software\microsoft\ole
enabledcom
"n"
HKLM\system\currentcontrolset\control\lsa
restrictanonymous
"1"
W32/Hwbot-A attempts to create a read-only file called DCPROMO.LOG in the DEBUG subfolder of the Windows folder to patch against certain network vulnerabilities.
W32/Hwbot-A connects to an IRC server and waits for instructions from a remote user. Possible instructions include downloading and executing further code or spreading via network security exploits.
W32/Hwbot-A may attempt to inject code into explorer.exe in order to delete itself, and may crash the infected computer during this process.
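
A triage check for the traces listed above, added here as an example and not Sophos code: it looks for the dropped file, the hwclock service, the read-only DCPROMO.LOG and the two registry values. The function name Test-HwbotIndicators and the Strong/Weak grading are assumptions of this example; the registry values and the log file are graded weak because they can also be present on a clean, hardened host.

```powershell
# Added example (not Sophos code): read-only check for the W32/Hwbot-A traces
# named in the description above. Run from an elevated prompt on the suspect host.
function Test-HwbotIndicators {
    param(
        [string]$SystemDir  = [Environment]::SystemDirectory,
        [string]$WindowsDir = $env:windir
    )
    $found = @()

    # Dropped copy of the worm in the Windows system folder
    $exe = Join-Path $SystemDir 'HWCLOCK.EXE'
    if (Test-Path -LiteralPath $exe) {
        $found += [pscustomobject]@{ Strength = 'Strong'; Indicator = 'File'; Detail = $exe }
    }

    # Service the worm creates to run itself on startup
    $svc = Get-CimInstance Win32_Service -Filter "Name='hwclock'" -ErrorAction SilentlyContinue
    if ($svc) {
        $detail = "DisplayName='$($svc.DisplayName)' PathName='$($svc.PathName)'"
        $found += [pscustomobject]@{ Strength = 'Strong'; Indicator = 'Service hwclock'; Detail = $detail }
    }

    # DCPROMO.LOG can exist legitimately; the read-only attribute is what the description names
    $logPath = Join-Path $WindowsDir 'DEBUG\DCPROMO.LOG'
    $log = Get-Item -LiteralPath $logPath -Force -ErrorAction SilentlyContinue
    if ($log -and $log.IsReadOnly) {
        $found += [pscustomobject]@{ Strength = 'Weak'; Indicator = 'Read-only log'; Detail = $logPath }
    }

    # Registry values set by the worm; administrators also set these on purpose
    $regChecks = @(
        @{ Key = 'HKLM:\software\microsoft\ole'; Name = 'enabledcom'; Data = 'n' },
        @{ Key = 'HKLM:\system\currentcontrolset\control\lsa'; Name = 'restrictanonymous'; Data = '1' }
    )
    foreach ($c in $regChecks) {
        $props = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($props -and "$($props.($c.Name))" -eq $c.Data) {
            $detail = "$($c.Key)\$($c.Name) = $($c.Data)"
            $found += [pscustomobject]@{ Strength = 'Weak'; Indicator = 'Registry'; Detail = $detail }
        }
    }
    $found
}

Test-HwbotIndicators | Sort-Object Strength | Format-Table -AutoSize -Wrap
```

A host showing only weak rows is not evidence of infection; the file or the service is what warrants isolating the machine and following the removal instructions.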

