TrendLabs Malware Blog
Glossary
TrendWatch
TrendLabs Twitter
WORM_RBOT.CQZ
Overview
Solution

Malware type: Worm

Aliases: Backdoor.Win32.Rbot.gen (Kaspersky), W32/Sdbot.worm.gen.bg (McAfee), W32.Randex (Symantec), RKIT/Fu.2 (Avira), W32/Sdbot-Fam (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

 High

Distribution potential:

 High

Infection Channel 1 : Propagates via network shares

Infection Channel 2 : Propagates via software vulnerabilities

Description: 

This memory-resident worm propagates across networks by dropping copies of itself into network shares. It logs on to password-protected systems using a list of user names and passwords.

It also drops the Trojan file named MSDIRECTX.SYS, which Trend Micro detects as TROJ_ROOTKIT.H.

This worm is capable of the following:

  • Compromise system security by connecting to an Internet Relay Chat (IRC) server, where it listens for malicious commands from a remote user
  • Perform Distributed Denial of Service (DDos) attacks by launching various ping attacks
  • Terminate processes usually related to antivirus, security, and firewall application. It also terminates specific processes related to other malware
  • Modify HOSTS file, thus, preventing the affected system from visiting various antivirus related Web sites

Moreover, it propagates across networks by exploiting the RPCSS Buffer Overrun vulnerability. More information regarding this vulnerability is found in the following Web page:

For additional information about this threat, see:
Solution
Technical Details

Description created: Nov. 10, 2005 7:52:23 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.