Remove W32.Codbot.AL

     


 

 

 

W32.Codbot is a worm that has been popping up throughout the net. It exploits the SQL Server, LSASS and RPC-DCOM processes.

W32.Codbot.AL masquerades as a system process, which allows it to run when the system boots up. Once running, it connects to Internet Relay Chat (IRC), where it can take commands to control your system.

 

SHOW ALL HIDDEN FILES:

Windows 95
• Open My Computer.
• Select the View menu and click Options.
• Select the View Tab.
• Select the Show all files Radio Button.
• Click OK.
Windows 98
• Open My Computer.
• Select the View menu and click Folder Options.
• Select the View Tab.
• In the Hidden files section select Show all files.
• Click OK.
Windows ME (Get rid of this horrible OS)
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.
• Click Start, Programs and Accessories and open Windows Explorer.
• Select a hard drive from the left hand side of the Windows Explorer window.
• Select View the Entire contents of this drive.
Windows 2000
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.
Windows XP
• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.

Boot into SAFE MODE

Getting into Safe Mode on Windows is easy.

Reboot your computer and hit the “F8” function key like crazy. If it doesn’t work, try again. The system should allow you to choose what mode you want to boot in. You want “Safe Mode” or “Safe Mode with Networking.”

Once you are in Safe Mode you will be able to delete W32.Codbot.

Once in Safe Mode locate wzdsvc.exe and delete it. It is located in system32 (the Windows root folder). Once a virus is in your system32 you have been "owned."

C:\WINDOWS\system32\wzdsvc.exe
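
The same step can be scripted so that the file is hashed and moved aside instead of deleted outright, which leaves a sample and a SHA-256 to check against antivirus write-ups. This is an added example, not part of the original instructions; the quarantine folder, the `.quarantined` suffix and the function names are assumptions, and only the file name and system32 path come from this page. Run it from Safe Mode as described above.

```python
import hashlib
import os
import shutil
import stat
from pathlib import Path

TARGET_NAME = "wzdsvc.exe"  # file name given on this page


def find_target(system_dir):
    """Return the path of wzdsvc.exe inside system_dir, or None if absent."""
    if not os.path.isdir(system_dir):
        return None
    # os.scandir also returns hidden and system files, so the Explorer
    # "show hidden files" setting does not matter here. Names are compared
    # case-insensitively, as Windows does.
    with os.scandir(system_dir) as entries:
        for entry in entries:
            if entry.name.lower() == TARGET_NAME and entry.is_file(follow_symlinks=False):
                return Path(entry.path)
    return None


def quarantine(system_dir, quarantine_dir):
    """Hash the file and move it out of system_dir.

    Returns (new_path, sha256_hex), or None when the file is not present.
    """
    path = find_target(system_dir)
    if path is None:
        return None
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    # Clear the read-only bit so the move does not fail on it.
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
    dest_dir = Path(quarantine_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    # The added suffix (an assumption) stops the copy from being launched by name.
    dest = dest_dir / (path.name + ".quarantined")
    shutil.move(str(path), str(dest))
    return dest, digest


if __name__ == "__main__":
    # system32 path from this page; C:\quarantine is an assumed folder name.
    result = quarantine(r"C:\WINDOWS\system32", r"C:\quarantine")
    print("wzdsvc.exe not found" if result is None else "moved to %s, sha256 %s" % result)
```
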

 


 

 

 

       

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.