Sophos

W32/Poebot-T

Aliases
  • WORM_POEBOT.T
  • W32.Spybot.Worm
  • W32/Poebot.gen
  • Backdoor.Win32.PoeBot.d
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 3 December 2005 15:50:08 (GMT)
Detected by All Sophos products
Sophos beta program Sophos beta program
Register now for our latest beta tests
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

More Information

W32/Poebot-T is a worm for the Windows platform.

The worm spreads through network shares protected by weak passwords and through operating system vulnerabilities such as LSASS (MS04-011), RPC-DCOM (MS04-012), WebDav (MS03-007), Veritas (CAN-2004-1172) and Dameware (CAN-2003-1030).

The backdoor component of W32/Poebot-T connects to a predefined IRC server and awaits commands from remote attackers.

Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Poebot-T (detected as W32/Poebot-Gen) since version 3.97. W32/Poebot-T is a worm for the Windows platform.

When run, W32/Poebot-T copies itself to the Windows system folder as lssas.exe and sets the following registry entries in order to run each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Local Security Authority Servce
"<Windows system folder>\lssas.exe"

The backdoor component of W32/Poebot-T connects to a predefined IRC server and awaits commands from remote attackers. The backdoor component can then be instructed to perform various functions, such as:

- download and install files from remote sites
- open a SOCKS4 proxy server
- steal passwords from protected storage areas
- allow remote shell access
- take part in distributed denial of service (DDoS) attacks
- scan network computers for vulnerabilities
- steal registration information for certain software
- network packet sniffing

The worm spreads through network shares protected by weak passwords and through operating system vulnerabilities such as LSASS (MS04-011), RPC-DCOM (MS04-012), WebDav (MS03-007), Veritas (CAN-2004-1172) and Dameware (CAN-2003-1030).

Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Poebot-T (detected as W32/Poebot-Gen) since version 3.97.

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer