Threat behavior
Win32/Codbot copies itself to the Windows folder or Windows system folder. The worm-copy file name depends on the variant. The worm may use the file name of a legitimate program, such as regedit.exe. The worm may register itself and run as a service with a display name and description that seem legitimate, such as display name "Registry Editor" and description "Handling all user and system made register changes." Some variants modify registry entries so the worm runs automatically even when Windows starts in safe mode.
Win32/Codbot connects to a specific IRC server and channel to receive commands from attackers. This can include commands to report its status to attackers, scan for unpatched computers on the network, join and leave IRC channels, download and run files using HTTP, open a TFTP or FTP server, and retrieve system information such as IP addresses and operating system version.
The worm spreads in two ways:
- By copying itself to network shares. The worm may log on to the administrator account on a network share using weak passwords until it gains share access.
- By exploiting various Windows vulnerabilities to copy itself to other computers. The worm scans random IP addresses to find computers that have not been patched for certain Windows vulnerabilities. These include the vulnerabilities described in the following Microsoft Security Bulletins: MS02-039, MS02-061, MS03-007, MS03-026, and MS04-011. For example, after using a weak administrator password on a SQL Server 2000 host, the worm can send a packet to the SQL Server Resolution Service to exploit the MS02-039 vulnerability. This allows the worm to create a remote command shell on the SQL Server host and use the shell to copy and run the worm there.
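Both spreading methods leave a network-side trace: a port sweep across many random addresses, and a burst of failed logons to the administrator account. The Python below is an added example, not code from the Microsoft entry; the flow and logon-failure records are constructed, the record layout is my own, and the port-to-bulletin mapping (UDP 1434 for the SQL Server Resolution Service, TCP 135 for RPC, TCP 445 for SMB) is my assumption rather than something the entry states.

```python
"""Hunt for Codbot-style spreading in host telemetry.

Added example, not part of the Microsoft encyclopedia entry. The flow
records and logon-failure events are constructed sample data; the field
layout is an assumption, not the format of any particular product.
"""
from collections import defaultdict

# Ports tied to the services named in the writeup. The mapping is an
# assumption: SQL Server Resolution Service on UDP 1434, RPC endpoint
# mapper on TCP 135, SMB (share logons) on TCP 445.
SWEEP_PORTS = {("udp", 1434), ("tcp", 135), ("tcp", 445)}


def _max_in_window(events, window, count):
    """Slide a time window over sorted (ts, value) pairs; return the largest
    result of count(values in window). Used by both detectors."""
    events = sorted(events)
    best, lo = 0, 0
    for hi in range(len(events)):
        while events[hi][0] - events[lo][0] > window:
            lo += 1
        best = max(best, count(v for _, v in events[lo:hi + 1]))
    return best


def find_port_sweeps(flows, window=5.0, min_targets=8):
    """Return {(src, proto, dport): distinct_targets} for sources that reach at
    least `min_targets` distinct destination IPs on one sweep port within
    `window` seconds. flows: dicts with ts, src, dst, proto, dport."""
    by_key = defaultdict(list)
    for f in flows:
        if (f["proto"], f["dport"]) in SWEEP_PORTS:
            by_key[(f["src"], f["proto"], f["dport"])].append((f["ts"], f["dst"]))
    hits = {}
    for key, events in by_key.items():
        n = _max_in_window(events, window, lambda vals: len(set(vals)))
        if n >= min_targets:
            hits[key] = n
    return hits


def find_password_guessing(logon_failures, window=60.0, min_failures=5):
    """Return {(src, account): failures} for sources with repeated logon
    failures against one account within `window` seconds (the writeup
    describes weak-password attempts against the administrator account)."""
    by_key = defaultdict(list)
    for e in logon_failures:
        by_key[(e["src"], e["account"].lower())].append((e["ts"], e["target"]))
    hits = {}
    for key, events in by_key.items():
        n = _max_in_window(events, window, lambda vals: sum(1 for _ in vals))
        if n >= min_failures:
            hits[key] = n
    return hits


# Constructed sample telemetry: one host sweeping UDP 1434 across twelve
# addresses in about a second, one host talking SMB to a single file server,
# and a run of administrator logon failures from the sweeping host.
FLOWS = (
    [{"ts": 100.0 + 0.1 * i, "src": "10.0.0.5", "dst": f"192.0.2.{i}",
      "proto": "udp", "dport": 1434} for i in range(12)]
    + [{"ts": 100.0 + i, "src": "10.0.0.9", "dst": "10.0.0.2",
        "proto": "tcp", "dport": 445} for i in range(12)]
)
LOGON_FAILURES = (
    [{"ts": 200.0 + 0.5 * i, "src": "10.0.0.5", "account": "Administrator",
      "target": "10.0.0.7"} for i in range(7)]
    + [{"ts": 300.0, "src": "10.0.0.9", "account": "alice", "target": "10.0.0.7"}]
)

if __name__ == "__main__":
    print("port sweeps:", find_port_sweeps(FLOWS))
    print("password guessing:", find_password_guessing(LOGON_FAILURES))
```

The host that repeatedly contacts one file server on 445 is not reported, because the sweep detector counts distinct destinations rather than packets; the thresholds are starting points to tune against normal traffic on the network being watched.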
Prevention