|
Description:
This worm spreads through network shares. It uses NetBEUI functions to gather available lists of user names and passwords. It uses these user names and passwords to access available network shares and drop a copy of itself in these shares.
It drops a copy of itself in the Windows system folder using the file name WSERV32.EXE.
This worm also uses a certain list of user names and passwords aside from those that it is able to gather. It also generates random IP addresses and attempts to drop a copy of itself in default folders of target addresses.
This worm is known to exploit the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages:
It opens a varied port and connects to an Internet Relay Chat (IRC) server and joins an IRC channel to receive malicious commands. It also has the capability to automatically notify the IRC bot if any of the systems have the following Windows vulnerabilities:
- RPC/DCOM vulnerability
- RPC/Locator vulnerability
- WebDAV vulnerability
Information on these vulnerabilities are available in the following sites:
This worm arrives ASPACK2-compressed and runs on Windows 95, 98, ME, NT, 2000, and XP.
For additional information about this threat, see:
Solution
Technical Details
Description created: Jun. 9, 2004 2:43:11 AM GMT -0800
Description updated: Jun. 9, 2004 3:08:29 AM GMT -0800
Search a new malware
Tell us how we did. Take our quick survey.
|
Save & Share
