W32.HLLW.Polybot
The W32.HLLW.Polybot worm spreads via shared folders, e.g. Kazaa's My Shared Folder, and allows an attacker to access the infected computer.

What it does:

Exploits the following Microsoft vulnerabilities:
(Please refer to the above links to download the patches for your respective Windows operating system)

Allows an attacker to access the infected computer and carry out the following activities:
- Download and execute files
- Gather email addresses
- Steal system information and CD-keys for various software

Stops various antivirus and firewall processes.

Systems Affected:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows Server 2003 and Windows XP

Symptoms:
- Suspicious traffic on port 6667 to an IRC server
- A file with either soundman.exe or confgldr.exe in its name
- A service named either Configuration Loader or SoundMan which runs on startup
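
The three symptoms above can be checked mechanically against data collected from a suspect host. The following is an added example, not part of the original advisory: the function names and all sample data are constructed, and it assumes the row layout of Windows `netstat -an` output.

```python
"""Triage a Windows host against the three Polybot symptoms listed above.

Inputs are text collected from the host: `netstat -an` lines, file names,
and service display names. All sample data below is constructed.
"""

IRC_PORT = 6667
FILE_MARKERS = ("soundman.exe", "confgldr.exe")
SERVICE_NAMES = {"configuration loader", "soundman"}


def outbound_irc(netstat_lines):
    """Return remote endpoints of TCP connections to port 6667."""
    hits = []
    for line in netstat_lines:
        fields = line.split()
        # Windows netstat row: Proto, Local Address, Foreign Address, State
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue  # skips headers and stateless UDP rows
        _, _, port = fields[2].rpartition(":")
        if port == str(IRC_PORT) and fields[3] != "LISTENING":
            hits.append(fields[2])
    return hits


def triage(netstat_lines, file_names, service_names):
    """Return a dict of symptom -> matching evidence (empty list if none)."""
    return {
        "irc_traffic": outbound_irc(netstat_lines),
        # The advisory says the marker appears *in* the name, so substring match.
        "files": [f for f in file_names
                  if any(m in f.lower() for m in FILE_MARKERS)],
        "services": [s for s in service_names
                     if s.strip().lower() in SERVICE_NAMES],
    }


# Constructed sample data (addresses are from documentation ranges).
SAMPLE_NETSTAT = [
    "  TCP    192.0.2.10:1042     203.0.113.7:6667     ESTABLISHED",
    "  TCP    192.0.2.10:1043     198.51.100.5:80      ESTABLISHED",
    "  TCP    0.0.0.0:135         0.0.0.0:0            LISTENING",
    "  UDP    0.0.0.0:445         *:*",
]
SAMPLE_FILES = ["notepad.exe", "CONFGLDR.EXE", "setup_soundman.exe.bak"]
SAMPLE_SERVICES = ["Print Spooler", "Configuration Loader"]

if __name__ == "__main__":
    result = triage(SAMPLE_NETSTAT, SAMPLE_FILES, SAMPLE_SERVICES)
    for symptom, evidence in result.items():
        print(symptom, "->", evidence or "none")
```

Realtek audio drivers also install a legitimate soundman.exe, so treat a file-name match alone as a lead and corroborate it with the service or port 6667 evidence.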

For more technical details such as registry changes, please refer to W32.HLLW.Polybot.

Removal Tools:
Please refer to the removal instructions from Symantec.