TrendLabs Malware Blog
Glossary
TrendWatch
TrendLabs Twitter
WORM_MEDBOT.AI
Overview
Solution

Malware type: Worm

Aliases: Trojan.Horst(Symantec), Troj/Horst-Fam(Sophos), Trojan-Proxy.Win32.Horst.aj(Kaspersky), BDS/Agent.ix.5.B(Avira), W32/Methodbod.gen(F-Prot), BackDoor-CMQ(McAfee)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

 High

Distribution potential:

 High

Infection Channel 1 : Propagates via network shares

Description: 

NOTE: This worm is part of a complex attack initiated by the MEDBOT family. The attack employs multiple components that work together to achieve a common goal. Read a comprehensive description of the malware family here: The MEDBOT Menace.

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

WORM_MEDBOT.AI Behavior Diagram

Malware Overview

This worm spreads by dropping a copy of itself and an autorun installation file in available and unprotected network shared folders.

Using a random port, it connects to an Internet Relay Chat (IRC) server and joins a specific channel, where it listens for commands from a remote malicious user. The said commands are executed locally on affected machines. This routine compromises system security and opens the affected machine to further attacks.

It also disables certain services found running in memory.

For additional information about this threat, see:
Solution
Technical Details

Description created: Aug. 23, 2006 12:28:08 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.