Description:
This worm spreads via network shares, and takes advantage of the Windows vulnerabilities whose descriptions are found in the following Microsoft Web pages:
It generates IP addresses and spreads by attempting to drop a copy of itself in target addresses' default shares. If the said shares are password-protected, it uses gathered lists of user names and passwords as well as a hardcoded list of user names and passwords as its login credentials to gain access.
Using random TCP and UDP ports, this worm connects to the Internet Relay Chat (IRC) server, fuck.syn-flood.us. Once a connection is established, it joins the IRC channels, #keylog and #sniff, where it listens for certain commands from a remote malicious user.
It performs denial of service (DoS) attacks against target sites using different flood methods. It also terminates certain processes found running in memory. This worm launches the Carnivore sniffer to retrieve passwords from network packets by searching for certain strings.
Moreover, on NT-based systems, it prevents user access to several antivirus and security Web sites by redirecting connection to the local machine.
For additional information about this threat, see:
Solution
Technical Details
Description created: Jan. 29, 2006 6:17:35 AM GMT -0800
Search a new malware
Tell us how we did. Take our quick survey.
|
Save & Share
