Description:
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
This worm propagates by dropping copies of itself into the default administrative network share IPC$. It first searches the network of an already infected machine for a host that accepts a blank password; once it finds one, it drops and executes a copy of itself on that host.
It can also use the popular chat application AOL Instant Messenger (AIM) as a second medium for spreading its copies to as many users as possible. Via AIM, this worm sends every contact in the affected user's buddy list an instant message containing a URL from which a copy of the worm can be downloaded.
It is important to note that this worm takes advantage of a known vulnerability in Windows' Server Service to do the mentioned propagation routines. More information on the said vulnerability can be found in the following Microsoft Web page:
It opens random TCP ports to establish a connection with the IRC servers bniu.househot.com:18067 and/or ypgw.wallloan.com:18067. Once connected, it acts as a backdoor that lets a remote malicious user issue commands and gain privileges on the affected machine, effectively compromising system security.
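The two network behaviors described above (blank-password logons to IPC$ and outbound IRC connections to the named servers on port 18067) are the indicators a defender would look for in connection and logon logs. The following detector is an added example written for this page, not code from the original description or from the vendor; the log line formats and the sample log contents are constructed for the example, while the IRC host names and port come from the description above.

```python
"""Scan constructed flow and logon logs for this worm's network indicators."""
import re
from collections import defaultdict

# Indicators taken from the description above.
IRC_C2_HOSTS = {"bniu.househot.com", "ypgw.wallloan.com"}
IRC_C2_PORT = 18067

# Hypothetical flow-log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[^:\s]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)
# Hypothetical share-logon audit format with key=value fields.
LOGON_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+share=(?P<share>\S+)"
    r"\s+password_len=(?P<plen>\d+)\s+result=(?P<result>\w+)\s+src=(?P<src>[\d.]+)$"
)

# Constructed sample data (not real traffic).
SAMPLE_FLOW_LOG = """\
2006-08-12T20:30:01 10.0.0.5:49152 -> bniu.househot.com:18067 TCP
2006-08-12T20:30:02 10.0.0.5:49153 -> www.example.com:80 TCP
2006-08-12T20:31:10 10.0.0.7:50001 -> ypgw.wallloan.com:18067 TCP
2006-08-12T20:31:12 10.0.0.9:50002 -> irc.example.org:6667 TCP
2006-08-12T20:31:20 10.0.0.11:50003 -> 203.0.113.9:18067 TCP
"""
SAMPLE_LOGON_LOG = """\
2006-08-12T20:29:50 host=FILESRV01 user=Administrator share=IPC$ password_len=0 result=success src=10.0.0.5
2006-08-12T20:29:51 host=FILESRV01 user=jdoe share=IPC$ password_len=12 result=success src=10.0.0.6
2006-08-12T20:29:55 host=FILESRV02 user=Administrator share=IPC$ password_len=0 result=failure src=10.0.0.5
"""


def find_c2_connections(flow_log):
    """Return (src, dst, dport, confidence) for TCP flows matching the IRC indicators.

    A destination host from the description is a high-confidence match; a
    connection to the C2 port on any other host is reported at medium confidence.
    """
    hits = []
    for line in flow_log.splitlines():
        m = FLOW_RE.match(line)
        if not m or m["proto"] != "TCP":
            continue
        dst, dport = m["dst"].lower(), int(m["dport"])
        if dst in IRC_C2_HOSTS:
            confidence = "high"
        elif dport == IRC_C2_PORT:
            confidence = "medium"
        else:
            continue
        hits.append((m["src"], dst, dport, confidence))
    return hits


def find_blank_password_ipc_logons(logon_log):
    """Return (src, host, user, result) for IPC$ logons that used an empty password.

    Failed attempts are kept as well: the worm probes before it succeeds.
    """
    hits = []
    for line in logon_log.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue
        if m["share"].upper() == "IPC$" and int(m["plen"]) == 0:
            hits.append((m["src"], m["host"], m["user"], m["result"]))
    return hits


def suspect_sources(flow_log, logon_log):
    """Map each source IP to the sorted list of indicator kinds seen for it."""
    kinds = defaultdict(set)
    for src, _, _, confidence in find_c2_connections(flow_log):
        kinds[src].add(f"irc-c2-{confidence}")
    for src, _, _, _ in find_blank_password_ipc_logons(logon_log):
        kinds[src].add("blank-password-ipc")
    return {src: sorted(k) for src, k in kinds.items()}


if __name__ == "__main__":
    for src, indicators in suspect_sources(SAMPLE_FLOW_LOG, SAMPLE_LOGON_LOG).items():
        print(f"{src}: {', '.join(indicators)}")
```

A host that shows both indicator kinds (in the sample, 10.0.0.5) is the strongest candidate for the infected machine that is scanning its neighbors; a medium-confidence port-only hit is worth a look because the worm's IRC servers may resolve to other names than the two listed here.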
This worm also either disables or restricts several system services to let its routines run without interference.
Description created: Aug. 12, 2006 8:27:50 PM GMT -0800