Malware type: Worm

Aliases: W32/Sdbot.worm, Win32.Rbot.CJB, Win32/RBot.85630!Worm

In the wild: No

Destructive: No

Language: English

Platform: Windows 98, NT, 2000, XP

Encrypted: No

Description: 

Upon execution, this worm drops a copy of itself as CRSSRS.EXE in the Windows system folder.

It takes advantage of the Windows vulnerabilities in the following Microsoft Web pages:

• Microsoft Security Bulletin MS03-026
• Microsoft Security Bulletin MS04-011

It generates IP addresses and spreads by attempting to drop a copy of itself in target addresses' default shares. If the said shares are password-protected, it uses gathered lists of user names and passwords as well as uses a hardcoded list of user names and passwords as its login credential to gain access.

It is an Internet Relay Chat (IRC) bot, which could execute various IRC commands.

It also accesses the following Web sites and downloads several spyware and adware applications:

• xdcc.yox{blocked}xy.com
• xdcc.mo-w{blocked}eed.com

For additional information about this threat, see:
Solution
Technical Details

Description created: Apr. 29, 2005 3:46:08 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.