WORM_AHKER.E
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Anker.e (Kaspersky), W32/Generic.m (McAfee), W32.Ahker.E@mm (Symantec), Worm/Ahker.E.2 (Avira), W32/Ahker-E (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This memory-resident AHKER variant propagates using three techniques to rapidly spread copies of itself to target victims. One technique is propagation via email messages. It arrives on a system as an email attachment, which is downloaded from the following Web sites:

  • http://geocities.com/batr<BLOCKED>hitab/Server.zip
  • http://geocities.com/batr<BLOCKED>hitab/ahkere.zip

This worm sends copies of itself through email messages, using Simple Mail Transfer Protocol (SMTP).

This worm also propagates via peer-to-peer (P2P) file sharing networks. To do this, it drops copies of itself in a system's shared folders using interesting file names in order to entice other users to download a copy of this worm.

It uses Internet Relay Chat (IRC) for its third propagation technique. It drops a SCRIPT.INI file in the mIRC folder of the affected system, which enables this worm to send itself to all users who are in the same IRC channel as the affected user.

This worm can freeze most Windows security protection by modifying certain registry entries. It can also redirect users to the local machine whenever the affected user accesses certain security and antivirus Web sites. It can also terminate certain processes that are associated with popular malware programs and security applications.

This worm can perform the following payloads:

  • Change the affected system's computer name
  • Overwrite the Microsoft Word program
  • Launch a denial of service attack against www.windowsupdate.microsoft.com

For additional information about this threat, see:
Solution
Technical Details

Description created: Feb. 22, 2005 2:42:56 PM GMT -0800
