W32/Vanebot-M

Please follow the instructions for removing worms.

W32/Vanebot-M is a worm for the Windows platform. W32/Vanebot-M also contains IRC backdoor Trojan functionality which allows a remote intruder to gain access and control over the computer.

W32/Vanebot-M spreads:
to computers vulnerable to common exploits, including SRVSVC (MS06-040)
to MSSQL servers protected by weak passwords
to network shares
via MSN Messenger
via Yahoo Instant Messenger W32/Vanebot-M is a worm for the Windows platform. W32/Vanebot-M also contains IRC backdoor Trojan functionality which allows a remote intruder to gain access and control over the computer.

W32/Vanebot-M spreads:
to computers vulnerable to common exploits, including SRVSVC (MS06-040)
to MSSQL servers protected by weak passwords
to network shares
via MSN Messenger
via Yahoo Instant Messenger

W32/Vanebot-M may spread with the filename redworld.exe, redworld2.exe or <random numbers>_redworld2.exe.

When first run W32/Vanebot-M copies itself to <Windows system folder>\dllcache\dragonage.exe.

The file dragonage.exe is registered as a new system driver service named "Dragon Age - Bioware", with a display name of "Dragon Age - Bioware" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Dragon Age - Bioware\

W32/Vanebot-M sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

W32/Vanebot-M attempts to terminate a number of processes related to security and anti-virus applications.