WORM_RBOT.EH
Overview

Malware type: Worm

Aliases: Backdoor.Win32.Rbot.gen (Kaspersky), W32/Sdbot.worm.gen.by (McAfee), W32.Spybot.Worm (Symantec), Worm/Rbot.210944 (Avira), Mal/IRCBot-B (Sophos), Backdoor:Win32/Rbot (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 

To propagate, this worm exploits the Windows LSASS flaw, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system.

More information on this vulnerability can be found in the following Web pages:

This worm uses NetBEUI functions to obtain lists of user names and passwords available on a system. It then enumerates the available network shares and uses the gathered user names and passwords to access these shares and drop a copy of itself in them. It also tries a separate list of user names and passwords in addition to those gathered from the system.

It also generates IP addresses and attempts to drop a copy of itself in default shares of target systems.

This worm also has backdoor capabilities. It acts as a server program controlled by an Internet Relay Chat (IRC) bot. To do this, it connects to an IRC server and then joins an IRC channel, where it waits for commands from the IRC bot.

It is also capable of automatically notifying the bot of systems that have the following Microsoft Windows vulnerabilities:

  • RPC/DCOM vulnerability
  • RPC Locator vulnerability
  • IIS/WebDAV vulnerability

More information on these vulnerabilities can be found in the following links:

This worm is also capable of launching a denial of service (DoS) attack. It is also capable of gathering CD keys, serial numbers, and even application product IDs from certain software products.

It runs on Windows NT, 2000, and XP.

For additional information about this threat, see:
Solution
Technical Details

Description created: Jul. 21, 2004 9:20:42 AM GMT -0800
