Description:
This memory-resident worm propagates via network shares. It searches for several shared folders, where it attempts to drop a copy of itself. It also uses a list of user names and passwords to gain access to password-protected shares.
It also takes advantage of the following Windows vulnerabilities to propagate across networks:
- RPCSS vulnerability
- Windows LSASS vulnerability
For more information regarding the said vulnerabilities, refer to the following Microsoft Web pages:
This worm also has backdoor capabilities. Its built-in Internet Relay Chat (IRC) client connects to the IRC server irc.t3musso.net. The worm then opens a random port and waits for commands from a remote malicious user. This routine gives the remote malicious user virtual control over affected systems, compromising system security.
It is also capable of launching a denial of service (DoS) attack using certain flooding methods.
Moreover, it uses a Carnivore network sniffer to retrieve passwords and other sensitive information by checking for character strings in network packets.
In addition, this worm terminates several processes running in the system's memory. Most of these are associated with other malware (such as WORM_NETSKY, WORM_MYDOOM, and WORM_BAGLE variants), firewall applications, and antivirus software.
Description created: Dec. 2, 2005 8:15:43 AM GMT -0800