Description:
Trend Micro has flagged this worm as noteworthy due to its increased potential for damage, propagation, or both; specifically, its ability to propagate via the Server service vulnerability.
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
This worm may be downloaded unknowingly by a user when visiting malicious Web sites. It may also be dropped by other malware.
This worm creates registry entries, and executes only after meeting certain trigger conditions.
This worm propagates by taking advantage of a vulnerability discovered in certain Microsoft operating systems that could allow remote code execution if an affected system received a specially crafted RPC request, which also contains shellcode. More information on this vulnerability can be found in the following link:
This worm also attempts to propagate through the internet via the same vulnerability using external IP addresses.
It creates a temporary .SYS file, which Trend Micro detects as TROJ_DOWNAD.E, and installs it as a service; the driver's malicious routines are therefore also exhibited on the system. After creating the service, the temporary file is deleted.
It modifies the limit on the number of TCP half-open connection attempts. Once this is done, the driver service it created is unloaded and deleted, leaving no trace in the registry.
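As an added example (not part of the Trend Micro advisory), a Python detection heuristic for the transient driver-service behaviour described above: it flags a service install whose image is a .SYS file in a temp directory and checks whether that service was stopped shortly afterwards. The event records and the service name tmp4f2a are constructed; Event IDs 7045 (service installed) and 7036 (service state change) are real Windows System-log IDs.

```python
import re

# Constructed sample of Windows System-log records, flattened to dicts.
# These are synthetic, not telemetry from a real infection.
SAMPLE_EVENTS = [
    {"ts": 100, "EventID": 7045, "ServiceName": "Dnscache",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService",
     "ServiceType": "user mode service"},
    {"ts": 105, "EventID": 7045, "ServiceName": "tmp4f2a",  # hypothetical name
     "ImagePath": r"C:\Documents and Settings\user\Local Settings\Temp\tmp4f2a.sys",
     "ServiceType": "kernel mode driver"},
    {"ts": 107, "EventID": 7036, "ServiceName": "tmp4f2a", "State": "stopped"},
    {"ts": 200, "EventID": 7045, "ServiceName": "vmxnet",
     "ImagePath": r"system32\DRIVERS\vmxnet.sys",
     "ServiceType": "kernel mode driver"},
]

# Directories where a legitimate kernel driver has no business living.
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def is_temp_driver_install(ev):
    """True for a 7045 record that installs a kernel driver from a temp directory."""
    if ev.get("EventID") != 7045 or "kernel" not in ev.get("ServiceType", "").lower():
        return False
    path = ev.get("ImagePath", "").lower()
    return path.endswith(".sys") and TEMP_DIR.search(path) is not None


def find_transient_drivers(events, window=60):
    """Return (service_name, image_path, unloaded_within_window) for each
    suspicious driver install, correlating it with a later 'stopped' record
    (7036) for the same service name. A quick load-then-unload of a temp
    .SYS file is the pattern the advisory describes."""
    hits = []
    for ev in events:
        if not is_temp_driver_install(ev):
            continue
        unloaded = any(
            o.get("EventID") == 7036 and o.get("ServiceName") == ev["ServiceName"]
            and o.get("State") == "stopped" and ev["ts"] < o["ts"] <= ev["ts"] + window
            for o in events)
        hits.append((ev["ServiceName"], ev["ImagePath"], unloaded))
    return hits


if __name__ == "__main__":
    for name, path, unloaded in find_transient_drivers(SAMPLE_EVENTS):
        print(f"suspicious driver {name!r} from {path} (unloaded quickly: {unloaded})")
```

On a real host the same logic would run over exported System-log events rather than the embedded sample.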
It creates a thread that opens a random port to communicate with a remote computer.
Description created: Apr. 8, 2009 6:23:45 AM GMT -0800