|
Description:
This worm propagates via network shares. Upon execution, it drops a copy of itself in the default Windows system directory with the file name CRSVVC.EXE. It then modifies the registry to ensure its automatic execution during every system startup.
This worm uses NetBEUI functions to steal available lists of usernames and passwords. It then lists down the available network shares. It then uses the stolen usernames and passwords to drop a copy of itself into the network shares. It also generates IP addresses and attempts to drop a copy of itself to the target default shares.
This worm also takes advantage of the following vulnerabilities to propagate into accessible systems:
- The Buffer Overflow in SQL Server 2000 Vulnerability
- The RPCSS Vulnerability
- The Windows LSASS Vulnerability
For more information about the said Windows vulnerabilities, please refer to the following Microsoft Web pages:
This worm also performs a backdoor routine. It connects to a remote IRC server and joins a specific IRC channel where it receives commands coming from a remote malicious user. It is also capable of gathering CD keys, serial numbers, and even application product IDs.
Also, this worm can perform Denial of Service (DoS) attacks.
For additional information about this threat, see:
Solution
Technical Details
Description created: May. 17, 2005 6:04:38 AM GMT -0800
Search a new malware
Tell us how we did. Take our quick survey.
|
Save & Share
