Sophos

W32/Nackbot-D

Aliases
  • Backdoor.Agobot.jy
  • W32.Randex.gen
Category
Type
What to do
Prevalence low high

Summary

 
Protection available since 5 April 2004 13:37:55 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

Please follow the instructions for removing worms.

Change any data that may have become compromised.

Renaming the registry editor

  • Using Windows explorer, browse to the Windows folder (usually C:\Windows or C:\Winnt) right-click Regedit.exe and make a copy of it.
  • Rename the copy of Regedit.exe to Regedit.com.
  • At the taskbar, click Start|Run. Type 'Regedit.com' and press Return. The registry editor opens.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Digital Clock = msclock.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Digital Clock = msclock.exe

and delete them if they exist.

Close the registry editor.

More Information

W32/Nackbot-D is a peer-to-peer (P2P) worm which spreads via shared folders and has IRC backdoor functionality.

When run the worm copies itself to the Windows System (or System32) folder as the file MSCLOCK.EXE. To ensure that the worm is run each time Windows is started W32/Nackbot-D creates the registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Digital Clock = msclock.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Digital Clock = msclock.exe

W32/Nackbot-D attempts to spread to randomly chosen IP addresses. The worm attempts to access the C$, D$, E$ and Admin$ shares of the target computer using a list of passwords contained within the worm. The worm then copies itself to the Windows System (or System32) folder on the target computer as MSCLOCK.EXE.

W32/Nackbot-D contains backdoor components which can be controlled by a remote attacker via IRC. The backdoor functions include the ability to launch a distributed denial-of-service attack (DDoS).

W32/Nackbot-D searches for the following virus, anti-virus and security-related processes and terminates them if they are running:
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ADVXDWIN.EXE
ALERTSVC.EXE
amon.exe
ANTI-TROJAN.EXE
ANTITROJAN.EXE
ANTS.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
bot.exe
CCAPP.EXE
CCEVTMGR.EXE
CCPXYSVC.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLEANER.EXE
CLEANER3.EXE
COMMVIEW.EXE
COMMVIEW32.EXE
CONNECTIONMONITOR.EXE
CPD.EXE
CPDCLNT.EXE
dcomx.exe
DEFWATCH.EXE
DFW.EXE
drweb.exe
Drweb32w.exe
drweb386.exe
Drwebupw.exe
Drwebwcl.exe
DUMP.EXE
DUMP1.EXE
DUMPED.EXE
DUMPED1.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
EETHERCAP.EXE
EETHERCAP32.EXE
enbiei.exe
ESAFE.EXE
ESPWATCH.EXE
ETHERCAP.EXE
ETHERCAP32.EXE
EXPLORER32.EXE
F-AGNT95.EXE
F-PROT.EXE
F-PROT95.EXE
F-STOPW.EXE
FINDVIRU.EXE
FP-WIN.EXE
FPROT.EXE
FRW.EXE
GUARDDOG.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
index.exe
IOMON98.EXE
IRIS.EXE
JEDI.EXE
KILL.EXE
KILLER.EXE
KPF4GUI.EXE
KPF4SS.EXE
LDNETMON.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
lolx.exe
LOOKOUT.EXE
LordPE.EXE
LordPE32.EXE
LUALL.EXE
MINILOG.EXE
MOOLIVE.EXE
MPFTRAY.EXE
MSBLAST.EXE
MSCONFIG.EXE
mslaugh.exe
mspatch.exe
N32SCANW.EXE
NAVAPSVC.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NDD32.EXE
NETSTAT.EXE
NETUTILS.EXE
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
nod.exe
nod32.exe
NORMIST.EXE
NPROTECT.EXE
NPSSVC.EXE
NTVDM.EXE
NUPGRADE.EXE
NVC95.EXE
NVSVC32.EXE
NWTOOL16.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
penis32.exe
PERSFW.EXE
PM.exe
POPROXY.EXE
PORTMONITOR.EXE
PRKILLER.EXE
PROCDUMP.EXE
PROCDUMP32.EXE
PS.EXE
PSKILL.EXE
PSLIST.EXE
RAV7.EXE
RAV7WIN.EXE
REGEDIT.EXE
RESCUE.EXE
root32.exe
rpc.exe
rpctest.exe
RTVSCN95.EXE
RUNDDL31.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
scvhost.exe
SERV95.EXE
SMC.EXE
SPHINX.EXE
spider.exe
Spiderml.exe
spidernt.exe
SWEEP95.EXE
SWNETSUP.EXE
SymProxySvc.exe
SYSCFG32.EXE
SYSOTRAY32.EXE
TASKKILL.EXE
TASKLIST.EXE
TASKMGR.EXE
TBSCAN.EXE
TC.EXE
TCA.EXE
TCM.EXE
TCPDUMP.EXE
TCPDUMP32.EXE
TDS2-98.EXE
TDS2-NT.EXE
teekids.exe
tftpd.exe
VET95.EXE
VETTRAY.EXE
VPC32.EXE
VPTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSMON.EXE
VSSTAT.EXE
WEBSCANX.EXE
WFINDV32.EXE
WINDRIVER.EXE
WINEXEC.EXE
WINHEX.EXE
WINSOCK2.2.EXE
worm.exe
WRADMIN.EXE
WRCTRL.EXE
ZAPRO.EXE
ZLCLIENT.EXE
zlclient.exe
ZONEALARM.EXE

W32/Nackbot-D can also be used to steal the Windows Product ID and the CD keys from several computer games including:
Half-Life
Counter-Strike
Unreal Tournament 2003
Unreal Tournament 2004
Project IGI 2
Battlefield 1942
Battlefield: Vietnam
Battlefield 1942: Road To Rome
Rainbow Six III RavenShield
Neverwinter Nights
Soldier of Fortune II - Double Helix
Need For Speed Hot Pursuit 2
FIFA 2003
Command & Conquer: Generals

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer