Description:
This worm propagates by dropping copies of itself in the following network shares:
- ADMIN$\system32
- C$\Windows\system32
- C$\WINNT\system32
If these shared folders have restricted access rights, it uses a hardcoded list of user names and passwords to access them.
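The share-drop behaviour described above can be hunted for in logon and file-share audit data. The following added example (not part of the original description) flags writes into the three listed folders and notes whether a burst of failed logons from the same source came first. The record fields, threshold and window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Folders named in the description, as (share, folder) pairs in lower case.
WATCHED = {("admin$", "system32"), ("c$", "windows\\system32"), ("c$", "winnt\\system32")}
FAILED_LOGON_THRESHOLD = 3  # assumed tuning value
WINDOW_SECONDS = 300        # assumed correlation window


def is_watched_write(ev):
    """True if a share-access record writes a file directly into a watched folder."""
    if ev["type"] != "share_access" or "write" not in ev["access"]:
        return False
    share = ev["share"].rstrip("\\").split("\\")[-1].lower()
    folder = ev["path"].lower().rpartition("\\")[0]
    return (share, folder) in WATCHED


def find_suspect_sources(events):
    """Map each source that wrote into a watched folder to the files written and
    whether a burst of failed logons from that source preceded the write."""
    failures = defaultdict(list)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "logon_failure":
            failures[ev["src"]].append(ev["time"])
        elif is_watched_write(ev):
            recent = [t for t in failures[ev["src"]] if ev["time"] - t <= WINDOW_SECONDS]
            alert = alerts.setdefault(ev["src"], {"files": [], "guessing": False})
            alert["files"].append(ev["share"] + "\\" + ev["path"])
            alert["guessing"] |= len(recent) >= FAILED_LOGON_THRESHOLD
    return alerts


# Constructed sample records (not from a real incident); times are in seconds.
SAMPLE = [
    {"time": 10, "type": "logon_failure", "src": "10.0.0.5"},
    {"time": 11, "type": "logon_failure", "src": "10.0.0.5"},
    {"time": 12, "type": "logon_failure", "src": "10.0.0.5"},
    {"time": 14, "type": "share_access", "src": "10.0.0.5", "share": "\\\\*\\ADMIN$",
     "path": "system32\\sample.exe", "access": {"write"}},
    {"time": 20, "type": "share_access", "src": "10.0.0.9", "share": "\\\\*\\C$",
     "path": "Users\\Public\\notes.txt", "access": {"write"}},
    {"time": 40, "type": "share_access", "src": "10.0.0.8", "share": "\\\\*\\C$",
     "path": "Windows\\System32\\update.exe", "access": {"write"}},
]

if __name__ == "__main__":
    for src, alert in find_suspect_sources(SAMPLE).items():
        print(src, alert)
```

A write with no preceding failed logons is still reported, since the worm only falls back to its credential list when access is restricted.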
It also exploits the following vulnerabilities to propagate:
- Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
- Windows LSASS (Local Security Authority Subsystem Service) vulnerability
For detailed information about these vulnerabilities, refer to the following Microsoft pages:
This worm has a built-in Internet Relay Chat (IRC) client, which allows it to connect to an IRC channel using a random port. It then allows a malicious user to execute certain commands.
This worm steals Yahoo Messenger (YM)-related information and the Windows product ID. It also steals the CD keys of popular game applications.
It runs on Windows 95, 98, ME, NT, 2000, and XP.
For additional information about this threat, see: Solution Technical Details
Description created: Dec. 28, 2004 8:12:26 AM GMT -0800
Description updated: Dec. 28, 2004 8:49:03 AM GMT -0800