Description:
This memory-resident worm propagates via network shares and drops a copy of itself as NEROASM.EXE in the Windows system folder.
Like the earlier AGOBOT variants, it takes advantage of the following Windows vulnerabilities:
- Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability
- RPC Locator Vulnerability
- IIS5/WEBDAV Buffer Overflow Vulnerability
For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:
It also has backdoor capabilities. It opens a random port and connects to an Internet Relay Chat (IRC) server. It then joins an IRC channel, where it waits for malicious commands, which are then processed on the affected system.
It also terminates several antivirus-related processes and modifies the HOSTS file to prevent an affected user from accessing several antivirus and security Web sites.
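The HOSTS modification described above can be checked for during triage by listing every hostname that the file pins to a loopback or unspecified address. The following is an added example, not part of the original description; the function names and the hostnames in the sample are constructed placeholders, since this description does not list the blocked sites.

```python
import ipaddress

# Names that normally point at loopback in a clean HOSTS file.
BENIGN_LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def is_sinkhole(address):
    """True if the address can never reach a remote site (loopback or unspecified)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False                            # first field is not an IP address
    return ip.is_loopback or ip.is_unspecified

def audit_hosts(text):
    """Return (line_no, address, hostname) for every name pinned to a sinkhole address."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()    # drop comments, split on any whitespace
        if len(entry) < 2:
            continue                            # blank, comment-only or malformed line
        address, names = entry[0], entry[1:]
        if not is_sinkhole(address):
            continue
        for name in names:                      # one line may carry several hostnames
            name = name.lower().rstrip(".")
            if name not in BENIGN_LOCAL_NAMES:
                findings.append((line_no, address, name))
    return findings

# Constructed sample: the hostnames are placeholders, not taken from the worm.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1\twww.av-vendor.example
127.0.0.1  update.av-vendor.example  download.security-site.example  # added
0.0.0.0 scan.security-site.example
192.0.2.10      intranet.corp.example
not-an-ip       broken.example
"""

if __name__ == "__main__":
    for line_no, address, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {address}")
```

Deliberate ad-blocking HOSTS files produce the same pattern, so findings should be reviewed for antivirus and security vendor names before being treated as an indicator.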
This Exe32pack-compressed worm runs on Windows NT, 2000, and XP.
Description created: Aug. 20, 2004 11:41:37 AM GMT -0800
Description updated: Aug. 20, 2004 6:51:24 PM GMT -0800