Description:
This worm drops a copy of itself as FILESS.EXE in the Windows system folder with its attributes set to hidden, system, and read-only. It may also drop the file SHOX.TXT, which is a log file of the worm’s keylogging routine.
It modifies the registry so that it will start automatically every time Windows starts.
It propagates through network shares. It attempts to access network shares by using a predefined list of user names and passwords.
It exploits the following Windows vulnerabilities:
- IIS/WebDAV vulnerability
- Remote Procedure Call (RPC)/Distributed Component Object Model (DCOM) vulnerability
- Windows LSASS vulnerability
This worm has backdoor capabilities. It starts an Internet Relay Chat (IRC) bot that gives a remote malicious user control over the infected machine.
It uses a network sniffer to get user names and passwords over the network. It also performs denial of service (DoS) attacks.
It also steals the Microsoft Windows product ID and CD keys of several popular games.
Description created: Mar. 27, 2005 5:51:17 PM GMT -0800