Description:
Upon execution, this memory-resident worm drops a copy of itself in the Windows system folder as the file FILEN.EXE.
It spreads via network shares. It searches for and enumerates shared folders, then drops a copy of itself in each one. It also generates IP addresses.
Each successfully dropped copy of this worm is remotely executed as a service.
This worm also has backdoor capabilities. It connects to a remote IRC (Internet Relay Chat) server and joins a specific IRC channel, where it receives commands from a remote user. The remote user may then perform several malicious actions on the infected system.
This worm also takes advantage of the following Windows vulnerabilities to propagate:
- The Windows LSASS Vulnerability, which is a buffer overrun that allows remote code execution and enables a malicious user to gain full control of the affected system. More information on this vulnerability is found in Microsoft Security Bulletin MS04-011.
- The Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised. More information on this vulnerability is found in Microsoft Security Bulletin MS03-026.
Affected users, including those who have already applied the MS03-026 patch, are strongly advised to apply the new patch available from the following Microsoft page:
More information about this vulnerability is also available from the cited page.
This worm also performs a denial of service (DoS) attack by using flood methods against target IP addresses.
It also terminates certain processes that are related to antivirus applications, as well as processes assumed to be components of previously widespread malware (i.e., WORM_MSBLAST, WORM_NETSKY, WORM_BAGLE).
For additional information about this threat, see: Solution Technical Details
Description created: Jun. 30, 2005 3:59:42 PM GMT -0800