high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Included in our products from | January 2006 (4.01) |
| Protection available since | 16 November 2005 01:42:16 (GMT) |
| Last updated | 21 November 2005 12:47:38 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Doxpar-E is a network worm with password stealing capabilities for the
Windows platform.
W32/Doxpar-E spreads to other network computers by exploiting common buffer
overflow vulnerabilities, including: LSASS (MS04-011).
W32/Doxpar-E will spy on a user's internet access and attempt to steal banking
related details. The worm will attempt to terminate certain security-related
services.
When first run W32/Doxpar-E copies itself to <System>\<random filename>.exe and
creates the following files:
\boot.sys
<System>\<random>.dll
The file boot.sys is detected by Sophos's anti-virus product as Troj/Padodor-Y
and the file <random>.dll is detected by Sophos's anti-virus product as
W32/Doxpar-C.
The following registry entry is created to run code exported by the worm
library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ ShellServiceObjectDelayLoad
DBGA0EEG
(54206BCE-0715-687D-5BFC-660B572D5F06)
The file Laabph32.dll is registered as a COM object, creating registry entries
under:
HKCR\CLSID\(54206BCE-0715-687D-5BFC-660B572D5F06)
|
