high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | October 2005 (3.98) |
| Protection available since | 7 September 2005 06:24:39 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Codbot-X is a network worm with backdoor Trojan functionality for the Windows platform.
When run, W32/Codbot-X copies itself to the Windows system folder as spooler.exe and registers itself as a service process with the display name "Print Spool Handler".
The backdoor component of W32/Codbot-X connects to a predetermined IRC channel and awaits further commands from a remote user. The backdoor component can be instructed to perform various functions, including:
start an FTP server
log keypresses
download and execute arbitrary files
harvest system information
list/start/stop processes
W32/Codbot-X spreads through network shares and through various operating system vulnerabilities such as the following:
ASN.1 (MS04-007)
IMAIL Server
LSASS (MS04-011)
PNP (MS05-039)
RPC-DCOM (MS04-012)
The following patches for the operating system vulnerabilities exploited by W32/Codbot-X can be obtained from the Microsoft website:
MS04-011
MS04-012
MS05-039
MS04-007
W32/Codbot-X is a network worm with backdoor Trojan functionality for the Windows platform.
When run, W32/Codbot-X copies itself to the Windows system folder as spooler.exe and registers itself as a service process with the display name "Print Spool Handler". The following registry entries are created to run spooler.exe as a service process each time the computer starts up:
HKLM\SYSTEM\CurrentControlSet\Services\Print Spooler
<several entries>
W32/Codbot-X also sets values under the following registry entries so that spooler.exe is also run when booting in safe-mode:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Print Spooler\
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Print Spooler\
The backdoor component of W32/Codbot-X connects to a predetermined IRC channel and awaits further commands from a remote user. The backdoor component can be instructed to perform various functions, including:
start an FTP server
log keypresses
download and execute arbitrary files
send raw IRC commands
harvest system information
steal passwords
scan networks for vulnerabilities
list/start/stop processes
W32/Codbot-X spreads through network shares and through various operating system vulnerabilities such as the following:
ASN.1 (MS04-007)
IMAIL Server
LSASS (MS04-011)
PNP (MS05-039)
RPC-DCOM (MS04-012)
The following patches for the operating system vulnerabilities exploited by W32/Codbot-X can be obtained from the Microsoft website:
|
