Malware type: Worm

Aliases: Backdoor.Win32.VBbot.cf (Kaspersky), Generic BackDoor (McAfee), W32.Kelvir (Symantec), BDS/VBbot.CF.2 (Avira), Mal/EncPk-AO (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

Malware Overview

This worm arrives on a system as a dropped file of other malware. It may also be downloaded unknowingly by a user when visiting malicious Web sites.

It drops a copy of itself and several non-malicious component files. It also modifies the affected system's registry to ensure its automatic execution at every system startup.

This worm spreads via MSN Instant Messenger. It lures users into clicking a link that points to a copy of itself.

It has backdoor capabilities. It opens a random port to allow a remote user to connect to the affected system. It then connects to an Internet Relay Chat (IRC) server to join an IRC channel. Once a successful connection is established, the remote user executes commands on the affected system. This action, in turn, compromises the affected system's security.

It modifies the affected system's Domain Name System (DNS) settings modifying a registry entry. The DNS is responsible for translating domain names into IP addresses. Modifying the DNS setttings, along with the system's Internet settings, allows the system to connect to possibly malicious Web sites.

For additional information about this threat, see:
Solution
Technical Details

Description created: Mar. 27, 2008 10:17:35 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.