WORM_RBOT.BRW
Overview

Malware type: Worm

Aliases: Backdoor.Win32.Rbot.rp (Kaspersky), W32/Sdbot.worm.gen.l (McAfee), W32.Spybot.Worm (Symantec), Worm/Rbot.210944 (Avira), W32/Rbot-Gen (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This memory-resident worm propagates via network shares. It searches for certain shared folders, where it attempts to drop copies of itself. If those shares have restricted access rights, it tries to gain access using a hardcoded list of common user names and passwords.

It then creates registry entries to ensure its automatic execution at every Windows startup.

It also modifies a certain registry entry as part of its installation routine. It is also capable of downloading other malware, such as TROJ_LOWZONE.G.

This worm also takes advantage of the following Windows vulnerabilities to propagate:

  • RPCSS Service Vulnerability
  • Windows LSASS Vulnerability

For more information regarding these vulnerabilities, refer to the following Microsoft Web pages:

This worm also has backdoor capabilities. Using a random port, it acts as an Internet Relay Chat (IRC) bot that connects to a remote IRC server. It then joins a specific IRC channel, where it listens for certain commands coming from a remote malicious user.

It also terminates certain processes and allows remote malicious users to launch various forms of denial-of-service attacks.

It also attempts to steal CD keys of certain popular games as well as the Windows product registration key.

For additional information about this threat, see:
Solution
Technical Details

Description created: Jul. 1, 2005 10:24:12 PM GMT -0800
