high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | October 2006 (4.10) |
| Protection available since | 20 August 2006 14:46:20 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please read the instructions for removing W32/Vanebot-A.
More Information
W32/Vanebot-A is a worm and IRC backdoor Trojan for the Windows platform.
W32/Vanebot-A spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), Psyme, PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
W32/Vanebot-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
The worm may display the following fake error message:
Can't run on Windows
To run this file you must use an Linux emulator
Error code: (-2394)
Error discription: LLIBKCUF / File has remove his self.
W32/Vanebot-A may download updates, steal information and terminate anti-virus applications. W32/Vanebot-A is a worm and IRC backdoor Trojan for the Windows platform.
W32/Vanebot-A spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), Psyme, PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
W32/Vanebot-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
The worm may display the following fake error message:
Can't run on Windows
To run this file you must use an Linux emulator
Error code: (-2394)
Error discription: LLIBKCUF / File has remove his self.
W32/Vanebot-A may download updates, steal information and terminate anti-virus applications.
When first run W32/Vanebot-A copies itself to <System>\javanet.exe.
The following registry entries are created to run javanet.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
MS Java for Windows XP & NT
javanet.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS Java for Windows XP & NT
javanet.exe
The following registry entry is changed to run javanet.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe javanet.exe
(The default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup.)
W32/Vanebot-A sets the following registry entries, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,javanet.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
HKCU\Software\Microsoft\Windows
JavaNet
rBot v2 a.k.a. the next generation (working on winXP SP2)
|
