English
Deutsch
Español
Italian
Home
Virus Info
W32/Codbot.A.1
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
W32/Codbot.A.1 - Malware
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
W32/Codbot.A.1
Date discovered:
15/02/2005
Type:
Worm
In the wild:
Yes
Reported Infections:
Low
Distribution Potential:
Medium
Damage Potential:
Medium
Static file:
Yes
File size:
50.176 Bytes
MD5 checksum:
6f6affa5a078d9c2b6a3633db7462745
VDF version:
6.29.00.125
General
Method of propagation:
• Local network
Aliases:
• Symantec: W32.Codbot.A
• Mcafee: W32/Sdbot.worm.gen
• Kaspersky: Backdoor.Win32.Codbot.ab
• TrendMicro: WORM_CODBOT.B
• Sophos: Exp/MS04011-A
• Grisoft: BackDoor.Small.7.AT
• VirusBuster: Worm.Codbot.A
• Eset: Win32/Codbot.E
• Bitdefender: Worm.Sdbot.CNY
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Registry modification
• Makes use of software vulnerability
• Third party control
Files
It copies itself to the following location:
•
%SYSDIR%
\upnp.exe
Registry
The following registry keys are added in order to load the service after reboot:
– HKLM\SYSTEM\CurrentControlSet\Services\UPnP Configuration
• "Type"=dword:00000110
• "Start"=dword:00000002
• "ErrorControl"=dword:00000000
• "ImagePath"="
%SYSDIR%
\upnp.exe"
• "DisplayName"="Universal Plug and Play Device Configuration"
• "ObjectName"="LocalSystem"
• "FailureActions"=
%hex values%
• "Description"="Handling all UPnP related system operations."
Network Infection
In order to ensure its propagation the malware attemps to connect to other machines as described below.
It drops copies of itself to the following network shares:
• C$\windows\system32
• c$\winnt\system32
• ADMIN$\system32\
• ADMIN$
• print$
It uses the following login information in order to gain access to the remote machine:
– A list of usernames and passwords:
• Rendszergazda
• Beheerder
• amministratore
• hallintovirkailijat
• Administrat
• Administrateur
• administrador
• Administrador
• administrator
• Administrator
• ADMINISTRATOR
• Password
• password
Exploit:
It makes use of the following Exploits:
–
MS01-059
(Unchecked Buffer in Universal Plug and Play)
–
MS02-061
(Elevation of Privilege in SQL Server Web)
–
MS03-007
(Unchecked Buffer in Windows Component)
–
MS03-026
(Buffer Overrun in RPC Interface)
–
MS04-007
(ASN.1 Vulnerability)
–
MS04-011
(LSASS Vulnerability)
Remote execution:
–It attempts to schedule a remote execution of the malware, on the newly infected machine. Therefore it uses the NetScheduleJobAdd function.
IRC
To deliver system information and to provide remote control it connects to the following IRC Servers:
Server: 0x41.cyber**********
Port: 6556
Channel: #0x90
Nickname:
%nine-digit random character string%
Password: 3nt3r
Server: dev.lsa**********
Port: 6556
Channel: #0x90
Nickname:
%nine-digit random character string%
Password: 3nt3r
Server: dev.lsa**********
Port: 6556
Channel: #0x90
Nickname:
%nine-digit random character string%
Password: 3nt3r
Server: dev.mem**********
Port: 6556
Channel: #0x90
Nickname:
%nine-digit random character string%
Password: 3nt3r
– This malware has the ability to collect and send information such as:
• CPU speed
• Current user
• Free disk space
• Free memory
• Malware uptime
• Information about the network
• Information about running processes
• Size of memory
• Username
• Information about the Windows operating system
– Furthermore it has the ability to perform actions such as:
• Disable network shares
• Download file
• Enable network shares
• Kill process
• Perform network scan
• Start keylog
• Start spreading routine
• Terminate malware
• Terminate process
• Updates itself
Backdoor
The following port is opened:
–
%SYSDIR%
\upnp.exe on TCP port 21 in order to provide an FTP server.
Miscellaneous
Mutex:
It creates the following Mutex:
• 0x0_UPnP_0x0
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
See a brief description
here
.
Description inserted by Irina Boldea on Tue, 16 May 2006 11:03 (GMT+1)
Description updated by Irina Boldea on Tue, 16 May 2006 11:23 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
W32/Elkern.C
TR/Crypt.CFI.Gen
Worm/KillAV.GR
Worm/Mytob.AP
Worm/Mytob.AT
TR/Crypt.PEPM.Gen
TR/Vundo.ewz.9
TR/Monderb.318720
Worm/IrcBot.39673.1
TR/PSW.Steam.DU
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info W32/Codbot.A.1
Print this page
.gif)
