high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | November 2006 (4.11) |
| Protection available since | 6 September 2006 08:16:19 (GMT) |
| Last updated | 3 October 2006 08:05:58 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Vanebot-J is a worm and IRC backdoor Trojan for the Windows platform.
W32/Vanebot-J spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), Psyme, PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
W32/Vanebot-J runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. W32/Vanebot-J is a worm and IRC backdoor Trojan for the Windows platform.
W32/Vanebot-J spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), Psyme, PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
W32/Vanebot-J runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run W32/Vanebot-J copies itself to <System>\glossary.exe.
The following registry entries are created to run glossary.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RBot v2 with NetAPI exploit traded with billgates I gave my mother Greetz - OG - Bluehell Irc Server
<System>\glossary.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RBot v2 with NetAPI exploit traded with billgates I gave my mother Greetz - OG - Bluehell Irc Server
<System>\glossary.exe
The following registry entries are changed to run glossary.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <System>\glossary.exe
(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\glossary.exe
(the default value for this registry entry is "<Windows>\System32\userinit.exe,").
W32/Vanebot-J sets the following registry entries, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
|
