|
Description:
This memory resident worm takes advantage of the following vulnerabilities to propagate across the network:
- WebDAV vulnerability
- Remote Procedure Call (RPC) Distributed
Component Object Model (DCOM) vulnerability
- Windows LSASS vulnerability
For more information about these Windows vulnerabilities,
please refer to the following Microsoft Web pages:
The malware drops copies of itself into network shares
by logging in using a long list of user names and passwords.
Upon receiving a connection, it opens a random port through which it sends a copy of itself.
This malware operates as an IRC bot that connects to the server BLEH.YOTTA-BYTE.NET through port 8000, where it listens for commands from a remote user. It executes the commands locally on the infected machine, providing remote users virtual control over affected systems.
It terminates certain antivirus-related processes and steals the Windows product ID and the CD keys of certain game applications.
It also disables access to certain antivirus Web sites by modifying the Windows HOSTS file.
It runs on Windows 2000, XP, and NT.
For additional information about this threat, see:
Solution
Technical Details
Description created: May. 2, 2004 7:53:01 PM GMT -0800
Description updated: May. 3, 2004 11:29:31 PM GMT -0800
Search a new malware
Tell us how we did. Take our quick survey.
|
Save & Share
