Description:
This memory-resident worm drops a copy of itself as HE3.EXE in the Windows system folder. Once that dropped file is active, the worm terminates its original dropped file.
It propagates by dropping copies of itself into accessible network shares. It also uses a list of user names and passwords to gain access to other systems in the network.
This worm takes advantage of the following Windows vulnerabilities to propagate:
• WebDAV Buffer Overflow vulnerability
• Buffer Overrun In RPCSS Service vulnerability
• LSASS Remote Buffer Overflow vulnerability
For more information regarding these vulnerabilities, refer to the following Microsoft Web pages:
This worm also has backdoor capabilities. It comes with a built-in Internet Relay Chat (IRC) bot that allows it to connect to a specific IRC Server. It then waits for certain commands from a remote malicious user.
This worm carries out distributed denial of service (DDoS) attacks against target Web sites using several flood attacks.
It also gathers CD keys, serial numbers, and application product IDs, stealing this information from several software products installed on the system.
This worm also terminates certain processes running in the system's memory. Moreover, it modifies the HOSTS file, which contains host name to IP address mappings. It appends lines to that file to prevent the user from accessing several antivirus-related Web sites.
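A triage check for the HOSTS file tampering described above, as an added example that is not part of the original description. The watchlist domain `av-vendor.example` and the sample file content are constructed placeholders, since the description does not list the blocked sites.

```python
import ipaddress

# Assumption: placeholder domains standing in for the security-vendor sites an
# analyst wants reachable; the description above does not list the blocked sites.
WATCHLIST = ("av-vendor.example",)
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample HOSTS content (not taken from an infected machine).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.av-vendor.example      # appended line
127.0.0.1 updates.av-vendor.example download.av-vendor.example
0.0.0.0         tracker.ads.example
10.0.0.5        intranet.corp.example
192.0.2.10      AV-Vendor.example.
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, [names]) for every well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address: not a mapping
        yield line_no, ip, [n.lower().rstrip(".") for n in fields[1:]]

def suspicious_entries(text, watchlist=WATCHLIST):
    """Return (line_no, name, ip, reason) for entries that override DNS suspiciously."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name in LOCAL_NAMES:
                continue
            if any(name == d or name.endswith("." + d) for d in watchlist):
                findings.append((line_no, name, str(ip), "watchlisted domain overridden"))
            elif ip.is_loopback or ip.is_unspecified:
                findings.append((line_no, name, str(ip), "non-local name sinkholed"))
    return findings

if __name__ == "__main__":
    # On a live system, read %SystemRoot%\System32\drivers\etc\hosts instead.
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

Sinkholed names that are not on the watchlist can be legitimate (ad-blocking lists, for instance), so treat that reason as a lead to review rather than a verdict.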
Description created: Aug. 4, 2005 1:33:16 PM GMT -0800