Win32/Codbot

By copying itself to network shares. The worm may log on to the administrator account on a network share using weak passwords until it gains share access.

By exploiting various Windows vulnerabilities to copy itself to other computers. The worm scans random IP addresses to find computers that have not been patched for certain Windows vulnerabilities. This includes vulnerabilities described in the following Microsoft Security Bulletins MS02-039, MS02-061, MS03-007, MS03-026, MS04-011. For example, after using a weak administrator password on a SQL Server 2000 host, the worm can send a packet to the SQL Server Resolution Service to exploit the MS02-039 vulnerability. This allows the worm to create a remote command shell on the SQL Server host and use the shell to copy and run the worm there.