high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Included in our products from | December 2004 (3.88) |
| Protection available since | 16 August 2004 08:09:31 (GMT) |
| Last updated | 13 October 2004 07:25:23 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please read the instructions for removing W32/Apribot-C
More Information
W32/Apribot-C is an IRC backdoor with spreading capability.
Each time the worm is run it tries to connect to a remote IRC server and join a specific channel. The backdoor component then runs in the background as a server process, listening for commands to execute. The infected computer can be used to perform several functions: W32/Apribot-C is an IRC backdoor with spreading capability.
Each time the worm is run it tries to connect to a remote IRC server and join a specific channel. The backdoor component then runs in the background as a server process, listening for commands to execute. The infected computer can be used to perform any of the following functions:
- Proxy server (SOCKS4)
- FTP server
- SMTP server
- File system Manipulation
- Port scanner
- DDoS floods (TCP,UDP,SYN)
- Remote shell (RLOGIN)
- Key logger
When first run the worm copies itself to the Windows System folder under a randomly generated name. The copy may have some random data appended to it. In order for the copy to be run on startup, registry entries are created under random names in the following locations:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
The worm chooses from one or two of the following strings to form the filename:
SERV
DISK
STAT
LOAD
INI
SCAN
INIT
SRV
DSK
CONF
CFG
MON
DLL
VXD
CHK
REG
DRV
WIN
SYS
Stat
Load
Scan
Init
Service
Disk
Config
Monitor
Check
Reg
Drive
Win
System
The following entry is also created:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell = "Explorer.exe,[filename] -shell"
Many additional registry entries may be created, changed or deleted. In particular, many entries are created in the following registry locations:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
DisallowRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools
HKLM\SOFTWARE\Microsoft\Connect\
The following entries are set:
HKLM\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous = 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1
W32/Apribot-C may also attempt to disable debugging and firewall software.
The worm appends several lines to the HOSTS file, found in the drivers\etc subfolder of the Windows System folder. Each line consists of a randomly chosen IP address beginning with "127" and a web address. The worm appends this data in order to prevent access to a number of anti-virus and Microsoft web sites.
|
