Sophos

W32/Vanebot-S

Aliases
  • W32/Sdbot.worm!MS06-040
  • virus
  • Win32/IRCBot.UH
  • trojan
  • TSPY_GOLDUN.GH
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
  • Chat programs
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from November 2006 (4.11)
Protection available since 4 October 2006 22:42:32 (GMT)
Detected by All Sophos products

Action

More Information

W32/Vanebot-S is a worm for the Windows platform. W32/Vanebot-S also contains IRC backdoor Trojan functionality which allows a remote intruder to gain access and control over the computer.

W32/Vanebot-S spreads
to computers vulnerable to common exploits, including SRVSVC (MS06-040)
to MSSQL servers protected by weak passwords
to network shares
via MSN Messenger
via Yahoo Instant Messenger W32/Vanebot-S is a worm for the Windows platform. W32/Vanebot-S also contains IRC backdoor Trojan functionality which allows a remote intruder to gain access and control over the computer.

W32/Vanebot-S spreads
to computers vulnerable to common exploits, including SRVSVC (MS06-040)
to MSSQL servers protected by weak passwords
to network shares
via MSN Messenger
via Yahoo Instant Messenger

W32/Vanebot-S may spread with the filename redworld.exe, redworld2.exe or <random numbers>_redworld2.exe.

When first run W32/Vanebot-S copies itself to <Windows system folder>\dllcache\msiupdate32.exe.

The file msiupdate32.exe is registered as a new system driver service named "Microsoft update Service", with a display name of "Microsoft update Service" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft update Service\

W32/Vanebot-S sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

W32/Vanebot-S attempts to terminate a number of processes related to security
and anti-virus applications.

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer