[virusinfo] W32/Codbot-L
- From: "Mike" <mikebike@xxxxxxxxx>
- To: virusinfo@xxxxxxxxxxxxx
- Date: Wed, 15 Jun 2005 15:29:16 -0700
From; Sophos Alert System:
Name: W32/Codbot-L
Aliases: Backdoor.Win32.Codbot.ae
Type: Win32 worm
Date: 15 June 2005
Sophos has issued protection for W32/Codbot-L.
At the time of writing, Sophos has received a small number of
reports of this worm from the wild.
Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.
Information about W32/Codbot-L can be found at:
http://www.sophos.com/virusinfo/analyses/w32codbotl.html
W32/Codbot-L is a worm with backdoor functionality for the Windows platform.
W32/Codbot-L can spread to weakly protected network shares, weakly protected
Micrsoft SQL servers, and to computers vulnerable to the RPC-DCOM exploit.
The following patches for the operating system vulnerabilities exploited by
W32/Codbot-L can be obtained from the Microsoft website:
MS04-012
W32/Codbot-L runs continuously in the background, providing a backdoor server
which allows a remote intruder to gain access and control over the computer via
IRC channels. The intruder can issue commands to download and run further
malicious code, steal passwords and system information and sniff packets from
the local network.
When first run W32/Codbot-L copies itself to <Windows system
folder>\rpcclient.exe.
W32/Codbot-L is registered as a new system driver service named "RpcClient",
with a display name of "Remote Procedure Call (RPC) Client" and a startup type
of automatic, so that it is started automatically during system startup.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\RpcClient\
Registry entries are set as follows:
HKLM\SYSTEM\CurrentControlSet\Hardware
Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable
1
HKLM\SYSTEM\CurrentControlSet\Hardware
Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable
1
The W32/Codbot-L virus identity file (IDE) includes detection for:
Troj/Orse-D
http://www.sophos.com/virusinfo/analyses/trojorsed.html
Troj/LowZone-AO
http://www.sophos.com/virusinfo/analyses/trojlowzoneao.html
Troj/Bancos-CZ
http://www.sophos.com/virusinfo/analyses/trojbancoscz.html
Troj/Juntador-D
http://www.sophos.com/virusinfo/analyses/trojjuntadord.html
Troj/Juntador-E
http://www.sophos.com/virusinfo/analyses/trojjuntadore.html
W32/Rbot-AFJ
http://www.sophos.com/virusinfo/analyses/w32rbotafj.html
Dial/GBDial-B
http://www.sophos.com/virusinfo/analyses/dialgbdialb.html
W32/LameYear-A
http://www.sophos.com/virusinfo/analyses/w32lameyeara.html
W32/Rbot-AFO
http://www.sophos.com/virusinfo/analyses/w32rbotafo.html
W32/Mytob-FD
http://www.sophos.com/virusinfo/analyses/w32mytobfd.html
Customers with 3.xx or lower versions of Sophos Anti-Virus,
who are not running EM Library, can manually download the IDE
for W32/Codbot-L from:
http://www.sophos.com/downloads/ide/codbot-l.ide
Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html
*********** MIKE"S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
Other related posts:
- » [virusinfo] W32/Codbot-L
