Aliases: BackDoor.Generic3.MCR, Backdoor.VanBot.i, Backdoor.Win32.VanBot.e, BDS/VanBot.E, Generic.Sdbot.71C86B81, W32/Sdbot-COV, W32/SdbotX.KON, W32/VanBot.A, Win32/Duiskbot.A, Win32:IRCBot-ABW
Category: Computer Worm
Status: Active & Spreading
Distribution: Asia, North and South America, and some parts of Europe and Australia
Date: 28 Aug 2006
W32.Woredbot is a network-aware worm with backdoor capabilities. It spreads by exploiting the Microsoft Windows Server Service Remote Buffer Overflow Vulnerability described in Microsoft Security Bulletin MS06-040.
W32.Woredbot Removal Tool
If you have malware on your computer, it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner offers a computer worm removal tool that automatically cleans W32.Woredbot from your computer.
More details about W32.Woredbot
The W32.Woredbot.C worm opens a backdoor that gives unauthorized access to the infected computer. It spreads using the MS Windows Server Service Remote Buffer Overflow Vulnerability. When W32.Woredbot is executed, it copies itself to "%System%\dllcache\mscom.exe" and creates a service with the following properties: Display Name "MSCom" and Image Path %System%\dllcache\mscom.exe. It adds the registry subkey that defines the service described above. W32.Woredbot.C then changes a registry value to disable shared access on Windows XP/2000, changes another registry value to prevent NULL session identification of the host, and changes a further registry value to disable DCOM. W32.Woredbot.C also attempts to terminate processes whose names contain strings such as “anti”, “viru”, “troja”, “avp”, “nav”, “rav”, “reged”, “nod32”, “spybot”, “zonea”, “vsmon”, “avg”, “blackice”, “firewall”, “lockdown”, “f-pro”, “mcafee”, “Norton”, “sniff”, “kill”, “proc”, “kav”, “hijack”, and others.
The worm can open a backdoor through an IRC server on TCP port 4915, allowing a remote attacker to execute commands on the compromised computer. The remote attacker could steal personal information entered on the system, and the worm spreads to other PCs by sending URL links through MSN, AOL Instant Messenger, Yahoo Messenger, and ICQ.
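As an added triage example (not part of the original page or of any vendor's removal tool), the following read-only PowerShell script checks a host for the indicators described above: the dropped file, the MSCom service, TCP port 4915 activity, and the current state of the hardening settings the worm changes. The page does not name the registry keys the worm edits, so the standard Windows locations for those settings are assumed, as is Windows 8/Server 2012 or later for Get-NetTCPConnection.

```powershell
# Added W32.Woredbot triage script (read-only; reports, does not remediate).
# Assumption: Windows PowerShell 5.1 on Windows 8 / Server 2012 or later.
$indicators = @()   # hits that match the worm description
$baseline   = @()   # settings to compare against the expected configuration

# 1. Dropped file: %System%\dllcache\mscom.exe
$dropPath = Join-Path $env:SystemRoot 'System32\dllcache\mscom.exe'
if (Test-Path -LiteralPath $dropPath) {
    $indicators += "File present: $dropPath"
}

# 2. Service with display name "MSCom" or an image path under dllcache\mscom.exe
Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -eq 'MSCom' -or $_.PathName -match 'dllcache\\mscom\.exe' } |
    ForEach-Object {
        $indicators += "Service '$($_.Name)' (display '$($_.DisplayName)') -> $($_.PathName), state $($_.State)"
    }

# 3. IRC backdoor on TCP 4915: an outbound connection to that port, or a local listener
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -eq 4915 -or ($_.LocalPort -eq 4915 -and $_.State -eq 'Listen') } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $indicators += "TCP 4915: $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) " +
                       "($($_.State)) owned by PID $($_.OwningProcess) $($proc.ProcessName)"
    }

# 4. Settings the worm flips (shared access, NULL sessions, DCOM). The page does not
#    name the keys; these are the standard Windows locations for those settings (assumption).
$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole';                                       Name = 'EnableDCOM';        Note = 'DCOM; worm disables' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                         Name = 'restrictanonymous'; Note = 'NULL session restriction' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';     Name = 'AutoShareWks';      Note = 'admin shares (workstation)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';     Name = 'AutoShareServer';   Note = 'admin shares (server)' }
)
foreach ($st in $settings) {
    $val = (Get-ItemProperty -Path $st.Path -Name $st.Name -ErrorAction SilentlyContinue).($st.Name)
    if ($null -eq $val) { $val = '<not set>' }
    $baseline += "$($st.Name) = $val  [$($st.Note)]"
}

Write-Output '== Indicators =='
if ($indicators) { $indicators } else { 'No W32.Woredbot indicators found.' }
Write-Output '== Hardening settings (compare with your baseline) =='
$baseline
```

Run it in an elevated session so Win32_Service path names and the LSA key are readable; a hit on the file or service is the strongest signal, while the settings list only shows whether the host currently matches the post-infection state the description gives.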