Description:
This memory-resident worm spreads through network shares. It uses NetBEUI functions to get any available list of user names and passwords. It then searches for shared folders and drops a copy of itself using the gathered list.
It drops itself as SVCHOSTS.EXE in the Windows system folder and attempts to log on to systems using a list of user names and passwords, in addition to the network credentials it has obtained.
Like the earlier AGOBOT variants, it takes advantage of the following Windows vulnerabilities:
- Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability
- RPC Locator Vulnerability
- IIS5/WEBDAV Buffer Overflow Vulnerability
- LSASS Vulnerability
For more information about the said Windows vulnerabilities, please refer to the following Microsoft Web pages:
This worm also has backdoor capabilities. It acts as a server program controlled by an Internet Relay Chat (IRC) bot, which is capable of sending several malicious commands to be processed on a system. These commands fall into the following categories: bot, command manager, Cvar, IRC, redirect, and download commands.
It terminates antivirus-related programs and steals CD keys, serial numbers, and application product IDs of certain game applications.
It also modifies the HOSTS file to prevent an affected user from accessing several antivirus and security Web sites.
It is compressed using Morphine and runs on Windows NT, 2000, and XP.
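To check a system for the HOSTS file modification described above, the following added example (not part of the original description) parses HOSTS content and reports entries that override watched security domains, marking those pointed at a loopback or unspecified address. The watchlist domains and the sample HOSTS content are constructed placeholders, since this description does not list the blocked sites.

```python
import ipaddress

# Constructed placeholder watchlist: replace with the antivirus, security and
# update domains your environment relies on (not taken from this description).
WATCHLIST = ("av-vendor.example", "update.security-vendor.example")

def is_sinkhole(addr):
    """True if addr is loopback or unspecified (127.0.0.0/8, ::1, 0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def audit_hosts(text, watchlist=WATCHLIST):
    """Return (line_no, address, hostname, sinkholed) for each HOSTS entry
    that overrides a watched domain or one of its subdomains."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split fields
        if len(entry) < 2:
            continue                           # blank or malformed line
        addr, names = entry[0], entry[1:]      # one address, one or more names
        for host in names:
            name = host.lower().rstrip(".")
            if any(name == d or name.endswith("." + d) for d in watchlist):
                findings.append((line_no, addr, name, is_sinkhole(addr)))
    return findings

# Constructed sample HOSTS content for demonstration.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.av-vendor.example
127.0.0.1  update.security-vendor.example  AV-Vendor.example   # added
10.0.0.5        intranet.corp.example
0.0.0.0         download.av-vendor.example
192.0.2.10      av-vendor.example
"""

if __name__ == "__main__":
    for line_no, addr, name, sinkholed in audit_hosts(SAMPLE_HOSTS):
        status = "blocked (sinkhole)" if sinkholed else "overridden"
        print(f"line {line_no}: {name} -> {addr} [{status}]")
```

On an affected system, run it against the contents of the HOSTS file under the Windows system folder; any finding for a security or update domain warrants restoring the file and scanning the host.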
Description created: Jul. 3, 2004 3:44:34 AM GMT -0800