Description:
This memory-resident worm propagates across networks by dropping a copy of itself into network shares. It also exploits the RPCSS Service vulnerability to propagate across networks. For more information about the said Windows vulnerability, refer to the following Microsoft Web page:
Upon execution, this worm drops a copy of itself in the Windows system folder as the file NTSYS32.EXE. It also drops its component file MSDIRECTX.SYS, which is detected by Trend Micro as TROJ_ROOTKIT.H, in the Windows system folder. This worm registers this rootkit as a service to hide its process, and thus avoid easy detection.
This worm also has backdoor capabilities. It opens a random port, allowing a remote user to access and perform malicious commands on an affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security.
It launches a denial of service (DoS) attack against target systems using certain flooding methods. This prevents users from accessing the target site due to the large amount of traffic caused by flood attacks.
Furthermore, this worm modifies the HOSTS file to prevent an affected user from accessing specific Web sites.
It also terminates certain processes, most of which are related to antivirus and firewall applications. It also uses Carnivore network sniffer to retrieve passwords and other sensitive information by checking for certain strings in the network packets.
For additional information about this threat, see:
Solution
Technical Details
Description created: Oct. 19, 2005 2:02:22 AM GMT -0800
Search a new malware
Tell us how we did. Take our quick survey.
|
Save & Share
