high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 31 October 2005 09:09:43 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Ixbot-C is a worm and IRC backdoor Trojan for the Windows platform.
W32/Ixbot-C runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Ixbot-C spreads using AOL Instant Messenger and opens a backdoor on TCP port 5190.
When first run W32/Ixbot-C copies itself to the Windows System folder as a randomly generated filename.
The following registry entry is created to run W32/Ixbot-C on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Proc992
<path to worm executable>
Registry changes may also be made under:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
W32/Ixbot-C also attempts to remove the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avg7_cc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avg7_emc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KAVPersonal50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
McAfee.InstantUpdate.Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
McAfee Guardian
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KAV50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp
|
