W32.Dopbot


Aliases: Backdoor.Win32.IRCBot.q, WORM_DOPBOT.A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active and spreading
Spreading: low
Geographical info: Europe and some parts of Asia and the US
Removal: Moderate
Platform: W32
Discovered: 03 Feb 2005
Damage: Medium

Characteristics: W32/Dopbot-A is a network worm with backdoor functionality that attacks computers running Windows operating systems.

More details about W32.Dopbot

W32/Dopbot-A communicates and spreads to remote network shares and to computers infected by the Optix Trojan. This Trojan was discovered on December 11, 2001. It is a backdoor Trojan written in the Delphi language. It is made exclusively for computers susceptible to the LSASS exploit. With W32/Dopbot-A on your computer, unauthorized remote access to the infected computer via IRC channels becomes possible. Remote attackers who access your system can download and run arbitrary files, scan your computer for vulnerabilities, flood computers over the network and terminate useful processes, including your firewall and anti-virus functions. Aside from this, W32/Dopbot-A also hardens the computer system against further attacks by downloading a patch for the LSASS exploit from the Microsoft website and altering the computer's security settings. When the W32/Dopbot worm is first run, it copies itself to the Windows system folder as "rund1132.exe" and then creates registry entries so that it runs automatically when the computer starts.

Another way that W32/Dopbot hardens the computer against further attack is by downloading a patch for the LSASS exploit from the Microsoft website. After the patch has been downloaded to your system, it sets registry entries if they are not yet set. Accordingly, this program spreads denial-of-service and backdoor capabilities by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun.
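The dropped copy, "rund1132.exe", differs from the legitimate Windows binary rundll32.exe only in that the digit 1 replaces the letter l, and it sits in the system folder, so a check on the file's location alone will not flag it. The following is an added detection example, not part of the original entry: it flags autorun commands whose executable name is a look-alike of a well-known Windows binary. The registry value names, the sample entries and the short list of binaries are constructed for illustration.

```python
import ntpath
import re

# Short illustrative list of Windows binaries that malware commonly imitates.
KNOWN_SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "lsass.exe",
                         "explorer.exe", "services.exe"}

# Characters commonly swapped for look-alikes in masquerading file names.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o"})

# First executable path in an autorun command, with or without quotes.
EXE_RE = re.compile(r'"?([^"]*?\.exe)', re.IGNORECASE)


def skeleton(name):
    """Lower-case a file name and fold look-alike characters together."""
    return name.lower().translate(CONFUSABLES)


SKELETONS = {skeleton(n): n for n in KNOWN_SYSTEM_BINARIES}


def imitated_binary(path):
    """Return the system binary this file name imitates, or None."""
    name = ntpath.basename(path).lower()
    target = SKELETONS.get(skeleton(name))
    # An exact match is the genuine name; only near-misses are suspicious.
    return target if target and target != name else None


def find_masquerades(run_entries):
    """Scan {value name: command} autorun data for look-alike executables."""
    hits = []
    for value_name, command in run_entries.items():
        match = EXE_RE.search(command)
        if not match:
            continue
        exe = match.group(1)
        target = imitated_binary(exe)
        if target:
            hits.append((value_name, exe, target))
    return hits


# Constructed sample of autorun entries (value names are hypothetical).
SAMPLE_RUN_ENTRIES = {
    "CTFMON": r"C:\WINDOWS\system32\ctfmon.exe",
    "ExampleValue": r"C:\WINDOWS\system32\rund1132.exe",
    "Tray": r'"C:\Program Files\Example App\tray.exe" /min',
    "ControlPanel": r"rundll32.exe shell32.dll,Control_RunDLL",
}
```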