Description:
This memory-resident worm may arrive from network shares. Upon execution, it drops a copy of itself in the Windows system folder as ANTI.EXE. It creates several registry entries to ensure its automatic execution at every Windows startup.
It also drops the file MSDIRECTX.SYS in the Windows system folder. Trend Micro detects this file as TROJ_ROOTKIT.H. This rootkit component allows the worm to hide itself from Task Manager.
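A host check for the artifacts named above, as an added example that is not part of the original description: it looks on disk and in the registry, rather than in the process list, because the worm is hidden from Task Manager. The registry locations (the standard Run keys and the Services key) are assumptions, since the description does not name the entries the worm creates.

```powershell
# Added example. File names come from the description above; the registry
# locations are assumptions (standard autostart and driver/service keys),
# because the description does not name the entries the worm creates.
$DroppedNames = 'ANTI.EXE', 'MSDIRECTX.SYS'
$SystemDir    = [Environment]::SystemDirectory      # Windows system folder
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function New-Finding($Type, $Location, $Detail) {
    [pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail }
}

function Test-MatchesDroppedName([string]$Text) {
    # -like is case-insensitive, so anti.exe and ANTI.EXE both match
    foreach ($n in $DroppedNames) { if ($Text -like "*$n*") { return $true } }
    return $false
}

function Find-DroppedFile {
    foreach ($n in $DroppedNames) {
        # -Force so hidden/system attributes do not conceal the file
        $f = Get-Item -LiteralPath (Join-Path $SystemDir $n) -Force -ErrorAction SilentlyContinue
        if ($f) { New-Finding 'File' $f.FullName "$($f.Length) bytes, created $($f.CreationTimeUtc.ToString('u'))" }
    }
}

function Find-RegistryReference {
    # Autostart values whose data points at one of the dropped names
    foreach ($path in $RunKeys) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($v in $key.GetValueNames()) {
            $data = [string]$key.GetValue($v)
            if (Test-MatchesDroppedName $data) { New-Finding 'Autostart' "$path\$v" $data }
        }
    }
    # Driver/service registrations whose ImagePath points at a dropped name
    foreach ($svc in Get-ChildItem -LiteralPath $ServicesKey -ErrorAction SilentlyContinue) {
        $image = [string]$svc.GetValue('ImagePath')
        if (Test-MatchesDroppedName $image) { New-Finding 'Service' $svc.Name $image }
    }
}

$findings = @(Find-DroppedFile) + @(Find-RegistryReference)
if ($findings.Count -gt 0) { $findings | Format-List } else { 'No matching file or registry reference found.' }
```

Matches are by substring, so a finding is a lead to review rather than a confirmed infection.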
This worm propagates via network shares. It searches for certain network shares and attempts to drop copies of itself into these shares. If these shares have restricted access rights, it uses a list of strings as user names and passwords to gain access.
It also exploits the following Windows vulnerabilities to propagate across networks:
- Buffer Overflow in SQL Server 2000
- Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability
- WebDAV Vulnerability
- LSASS Vulnerability
More information on these vulnerabilities can be found on the following Web pages:
This worm has backdoor capabilities. It acts as an IRC bot that connects to a remote IRC server and joins a specific IRC channel, where it listens for commands coming from a remote malicious user to perform certain routines. It executes these routines locally on an affected system, providing the remote user virtual control over the system.
Description created: Mar. 9, 2005 6:54:44 PM GMT -0800