Description:
This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability, RPC Locator vulnerability, and the IIS5/WEBDAV buffer overrun exploit in order to propagate via the network.
More information on these vulnerabilities is available at the following Microsoft pages:
This worm also has backdoor capabilities, which allow malicious users to compromise the target system by sending the following commands via Internet Relay Chat (IRC):
- Obtain system information, such as the following:
  - CPU speed
  - Size of memory
  - Windows platform, build version and product ID
  - Malware uptime
  - Currently logged on user
- Disable network shares
- Terminate the malware
- Resolve IP or host name by DNS
- Retrieve malware status
- Execute a .EXE file
- Open a file
- Flush DNS cache
- Disable DCOM
- Disconnect/Reconnect from IRC server
- Change IRC server
- Join/leave an IRC channel
- Send a private message through IRC
- Update the malware through HTTP or FTP
- Download and execute a file from an HTTP or FTP server
- Restart machine
- Shutdown machine
- Logoff current user
- List all running processes
- Kill a process
- Flooding Routine
This malware runs on Windows NT, 2000 and XP systems only.
Description created: Jan. 20, 2004 7:30:46 AM GMT -0800