Virus Information

| Profile | Prevalence: Medium |
| --- | --- |
| Name | Backdoor.Win32.IRCBot.es |
| Type | Spyware Worm |
| How it spreads | Network Shares |
| Affected operating systems | Windows |
| Aliases | W32/Sdbot-ACG, W32.Esbot.A |
| Date of surface | 16 August 2005 |
Description

This is a spyware worm for the Windows platform. It spreads to other computers on the network by exploiting common buffer overflow vulnerabilities, including PnP (MS05-039) and LSASS (MS04-011).
Backdoor.Win32.IRCBot.es runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access to and control over the computer via IRC channels.
Backdoor.Win32.IRCBot.es includes functionality to:
- steal confidential information
- carry out DDoS flooding attacks
- silently download, install and run new software
- inject itself into the Windows explorer process to hide itself
The following patches for the operating system vulnerabilities exploited by Backdoor.Win32.IRCBot.es can be obtained from the Microsoft website:
- MS05-039
- MS04-011
Recovery
You have to remove the worm. Do one of the following:
1) The latest virus vaccine update of eScan removes the worm from your system. Ensure that Internet access for your system is working. Right click on and click Download eScan update. The latest updates are downloaded, your system is scanned and the worm is removed.
OR
2) Download the free MicroWorld Anti Virus Toolkit (MWAV Tool Kit). The tool checks your machine for viruses. If any illegal dialers or sniffer tools have been installed, they are detected.
MWAV Tool Kit (download the free MicroWorld Anti Virus Toolkit, which detects viruses in the system registry and in running processes)
eScan Internet Security Suite (ISS) (download MicroWorld's eScan, which detects viruses in the system registry and in running processes and has a real-time monitor)
Advanced
When first run, W32/Sdbot-ACG copies itself to "System"\mousebm.exe and "System"\mousemm.exe.
The file mousebm.exe is registered as a new system driver service named "mousebm", with a display name of "Mouse Button Monitor" and a startup type of automatic, so that it is started during system startup. The file mousemm.exe is likewise registered as a new system driver service named "mousemm", with a display name of "Mouse Movement Monitor" and the same automatic startup type.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\mousebm\
Backdoor.Win32.IRCBot.es also creates the file \Debug\dcpromo.log, which can be deleted.
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole, EnableDCOM = n
HKLM\SYSTEM\CurrentControlSet\Control\Lsa, restrictanonymous = 1
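The persistence artifacts listed above, turned into a read-only host check, as an added example that is not part of the original advisory or of any MicroWorld tool. It assumes that "System" in the advisory means the System32 directory and that \Debug\dcpromo.log sits under %SystemRoot%; it only reports, it does not remove anything.

```powershell
# Added example: report the Backdoor.Win32.IRCBot.es artifacts named in the advisory.
# Assumptions: "System" = %SystemRoot%\System32; \Debug\dcpromo.log = %SystemRoot%\Debug\dcpromo.log.
# Run from an elevated PowerShell prompt on the host being examined.

$findings = @()

# 1. Dropped copies of the worm under the system directory
$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($name in 'mousebm.exe', 'mousemm.exe') {
    $path = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $path) { $findings += "file present: $path" }
}

# 2. Services registered with the names and display names the advisory reports
$expected = @{ mousebm = 'Mouse Button Monitor'; mousemm = 'Mouse Movement Monitor' }
foreach ($svc in $expected.Keys) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        $findings += "service present: $svc (display name '$($s.DisplayName)', advisory says '$($expected[$svc])')"
    }
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $imagePath = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
        $findings += "service key present: $key (ImagePath: $imagePath)"
    }
}

# 3. Registry values the advisory says the worm sets. Both values also have legitimate
#    administrative uses, so on their own they are corroborating evidence, not proof.
#    PowerShell string comparison is case-insensitive, so 'N' also matches the advisory's 'n'.
$ole = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
if ($ole -and $ole.EnableDCOM -eq 'N') { $findings += 'EnableDCOM is n (DCOM disabled)' }
$lsa = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.restrictanonymous -eq 1) { $findings += 'restrictanonymous is 1' }

# 4. Log file the advisory says the worm creates (also produced legitimately by dcpromo
#    on domain controllers, so check the host's role before acting on this one)
$log = Join-Path $env:SystemRoot 'Debug\dcpromo.log'
if (Test-Path -LiteralPath $log) { $findings += "file present: $log" }

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor.Win32.IRCBot.es artifacts found.'
} else {
    Write-Output 'Possible Backdoor.Win32.IRCBot.es artifacts:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```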