|
Description:
This memory-resident worm may arrive from network shares. To propagate, it uses NetBEUI functions to get available lists of user names and passwords from a system. then It lists down available network shares and uses the gathered user names and passwords to access these shares and drop a copy of itself.
It also uses a list of user names and passwords apart from those that were gathered from the system.
It also generates IP addresses and attempts to drop a copy of itself in default shares of target systems.
It exploits the Windows LSASS flaw, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. More information on this vulnerability can be found in the following Web pages:
This worm has backdoor capabilities. It acts as a server program controlled by an Internet Relay Chat (IRC) bot. It connects to an IRC server and then joins an IRC channel.
Once connected, this server program receives commands from the IRC bot. The bot inputs the commands in the IRC console and waits to receive information from the server. The said commands are used to control the target system and the behavior of the server program.
This worm is also capable of automatically notifying the bot of systems that have the following Microsoft Windows vulnerabilities:
-
RPC/DCOM vulnerability
-
RPC Locator vulnerability
-
IIS/WebDAV vulnerability
More information on these vulnerabilities can be found in the following Web pages:
This worm is also capable of gathering CD keys, serial numbers, and even application product IDs from certain software.
It runs on Windows 95, 98, ME, NT, 2000, and XP.
For additional information about this threat, see:
Solution
Technical Details
Description created: Sep. 11, 2004 6:33:46 PM GMT -0800
Search a new malware
Tell us how we did. Take our quick survey.
|
Save & Share
