Malware type: Worm

Aliases: W32/Sdbot.worm.gen.t (McAfee), W32.Bropia.J (Symantec), Worm/Bropia.F.1 (Avira), W32/Rbot-VH (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Description: 

This memory-resident worm spreads by dropping copies of itself in several network shared folders, using cached user names and passwords to gain access. It may also use a long list of user names and passwords, apart from those it gathers.

This worm also exploits the following Windows vulnerabilities to propagate:

• SQL Server Buffer Overflow vulnerability
• IIS/WEBDAV vulnerability
• RPC/DCOM vulnerability
• LSASS vulnerability

More information about these vulnerabilities can be found on the following pages:

• Microsoft Security Bulletin MS02-061
• Microsoft Security Bulletin MS03-007
• Microsoft Security Bulletin MS03-026
• Microsoft Security Bulletin MS04-011

This worm is also able to detect systems installed with DameWare, as well as those affected by the following malware variants:

• BKDR_KUANG
• BKDR_NETDEVIL
• BKDR_OPTIX
• BKDR_SUB7
• WORM_BAGLE
• WORM_MYDOOM

It has backdoor capabilities, and may execute commands coming from a remote malicious user. It also steals the Windows Product ID, as well as the CD keys of certain applications.

For additional information about this threat, see:
Solution
Technical Details

Description created: Feb. 2, 2005 5:37:29 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.