[virusinfo] W32/Codbot-AG

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Tue, 28 Jun 2005 16:17:28 -0700

From: Sophos Alert System:

Name: W32/Codbot-AG
Aliases: WORM_SDBOT.BLH, Backdoor.Win32.Codbot.ag, W32.Toxbot
Type: Win32 worm
Date: 28 June 2005

Sophos has issued protection for W32/Codbot-AG.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about W32/Codbot-AG can be found at:
http://www.sophos.com/virusinfo/analyses/w32codbotag.html

W32/Codbot-AG is a network worm with backdoor functionality for the Windows
platform.

W32/Codbot-AG can spread to remote network shares protected by weak passwords
and to computers vulnerable to common exploits, including the RPC-DCOM, LSASS
and MSSQL vulnerabilities. The following patches for the operating system
vulnerabilities exploited by W32/Codbot-AG can be obtained from the Microsoft
website:

  • MS02-039
  • MS04-011
  • MS04-012

W32/Codbot-AG can be controlled by a remote attacker via the IRC network. The
attacker can issue commands to download and run further malicious code, steal
passwords and system information and sniff packets from the local network.

W32/Codbot-AG copies itself to the Windows system folder with the filename
dhcpclient.exe.

On NT-based versions of Windows (NT, 2000, XP) the worm registers itself as a
service process named Ulead Service with a display name of DHCP Client and a
start type of automatic so that the worm is run on computer login. Registry
entries are created under:

  HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHCP_CLIENT
    <several entries>
  HKLM\SYSTEM\CurrentControlSet\Services\DHCP Client
    <several entries>

W32/Codbot-AG also creates the following registry entries in order to run as a
service process in safe mode:

  HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client
    (default) = Service
  HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DHCP Client
    (default) = Service
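A host-side check for the persistence artefacts named in the alert above, added here as an example and not part of the Sophos alert or of this post. It assumes the names exactly as the alert gives them (dhcpclient.exe in the system folder, the "DHCP Client" Services and SafeBoot keys, the LEGACY_DHCP_CLIENT Enum key) and that the legitimate Windows DHCP Client service is registered under the key name Dhcp, so a service with that display name but a different key name is suspect.

```powershell
# Added example: look for the W32/Codbot-AG persistence artefacts listed in the alert.
# Assumption: the genuine Windows DHCP Client service has the key name "Dhcp";
# a Services key literally named "DHCP Client" is not created by Windows itself.
$findings = @()

$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\DHCP Client',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHCP_CLIENT',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DHCP Client'
)
foreach ($k in $keys) {
    # -LiteralPath so the space in "DHCP Client" is not treated as a wildcard/glob issue
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# The dropped copy named in the alert, in the Windows system folder
$exe = Join-Path $env:SystemRoot 'System32\dhcpclient.exe'
if (Test-Path -LiteralPath $exe) { $findings += "File present: $exe" }

# Services masquerading as DHCP Client: display name matches but key name is not
# the legitimate "Dhcp", the key name is "Ulead Service", or the binary is dhcpclient.exe
Get-CimInstance -ClassName Win32_Service | Where-Object {
    ($_.DisplayName -eq 'DHCP Client' -and $_.Name -ne 'Dhcp') -or
    ($_.Name -eq 'Ulead Service') -or
    ($_.PathName -match 'dhcpclient\.exe')
} | ForEach-Object {
    $findings += "Service '$($_.Name)' (display '$($_.DisplayName)', start mode $($_.StartMode)) runs: $($_.PathName)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Codbot-AG persistence artefacts found.'
} else {
    Write-Output 'Possible W32/Codbot-AG persistence artefacts:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run from an elevated PowerShell prompt so the Services and SafeBoot keys are readable; on hosts without CIM cmdlets, Get-WmiObject Win32_Service returns the same properties.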

The W32/Codbot-AG virus identity file (IDE) includes detection for:

WM97/Esele-A
http://www.sophos.com/virusinfo/analyses/wm97eselea.html
Troj/Capedown-A
http://www.sophos.com/virusinfo/analyses/trojcapedowna.html
Troj/Banito-F
http://www.sophos.com/virusinfo/analyses/trojbanitof.html
Troj/Lofler-A
http://www.sophos.com/virusinfo/analyses/trojloflera.html
Troj/Siggy-A
http://www.sophos.com/virusinfo/analyses/trojsiggya.html
Troj/BeastDo-Y
http://www.sophos.com/virusinfo/analyses/trojbeastdoy.html
Troj/Webdrop-A
http://www.sophos.com/virusinfo/analyses/trojwebdropa.html
Troj/Dumaru-H
http://www.sophos.com/virusinfo/analyses/trojdumaruh.html
Troj/Small-EM
http://www.sophos.com/virusinfo/analyses/trojsmallem.html
Troj/Divo-A
http://www.sophos.com/virusinfo/analyses/trojdivoa.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Codbot-AG from:

http://www.sophos.com/downloads/ide/codbo-ag.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
