WORM_RINBOT.E
Overview

Malware type: Worm

Aliases: Backdoor.Win32.VanBot.bh (Kaspersky), W32/Sdbot.worm.gen.ai (McAfee), W32.Rinbot.A (Symantec), BDS/VanBot.AY.11 (Avira), W32/Sdbot-DBA (Sophos), Trojan:Win32/Ircbrute (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential:

High

Distribution potential:

High

Infection Channel 1: Propagates via network shares

Infection Channel 2: Propagates via software vulnerabilities

Description:

This worm propagates via network shares. It does so by dropping a copy of itself in the IPC$ folder, which is a default share. If the share is password-protected, it uses a list of user names and passwords to gain access.

It also takes advantage of the SQL Server 7.0 Service Pack Password vulnerability to propagate across networks. For more information about this vulnerability, refer to the following Microsoft Web page:

Moreover, this worm usually arrives on a system as a file downloaded from the Internet by unsuspecting users when visiting malicious Web sites, or as a file dropped by other malware.

Upon execution, it drops a copy of itself as SYMMEC.EXE in the Windows system folder. It also drops a file named JPB.EXE, which is detected by Trend Micro as BKDR_IRCBOT.TY, in the root folder (usually C:\). It then creates a particular registry entry so that it automatically executes whenever Windows restarts.

It also has backdoor capabilities. It opens random TCP ports and waits for commands from a remote malicious user. Once a connection is established, it executes those commands locally, such as terminating processes and logging keystrokes, effectively compromising the affected system.
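The following host sweep is an added example, not part of the original Trend Micro entry: it checks for the two dropped files named above and for autostart values that reference them. The function name `Find-RinbotArtifacts` is hypothetical, and because this description does not name the registry entry the worm creates, the two `Run` keys scanned are an assumption (common autostart locations), not a documented indicator.

```powershell
function Find-RinbotArtifacts {
    param(
        [string]$SystemDir = [Environment]::SystemDirectory,  # Windows system folder
        [string]$RootDir   = "$env:SystemDrive\"              # root folder, usually C:\
    )
    $findings = @()

    # Dropped files named in the description.
    $targets = @(
        @{ Path = Join-Path $SystemDir 'SYMMEC.EXE'; Note = 'worm copy in Windows system folder' },
        @{ Path = Join-Path $RootDir   'JPB.EXE';    Note = 'dropped file detected as BKDR_IRCBOT.TY' }
    )
    foreach ($t in $targets) {
        # -Force so hidden or system attributes do not hide the file from the check.
        $file = Get-Item -LiteralPath $t.Path -Force -ErrorAction SilentlyContinue
        if ($file) {
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 `
                        -ErrorAction SilentlyContinue).Hash
            $findings += [pscustomobject]@{
                Type = 'File'; Where = $file.FullName; Detail = $t.Note; SHA256 = $hash
            }
        }
    }

    # ASSUMPTION: the page only says "a particular registry entry"; these Run keys
    # are generic autostart locations, scanned for any value naming either file.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($keyPath in $runKeys) {
        $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            # Match the file name with or without a leading path or quote.
            if ($data -match '(^|[\\"\s])(SYMMEC|JPB)\.EXE') {
                $findings += [pscustomobject]@{
                    Type = 'Autostart'; Where = "$keyPath\$name"; Detail = $data; SHA256 = $null
                }
            }
        }
    }
    return $findings
}

# Run the sweep on the local host; no output means none of the artifacts were found.
Find-RinbotArtifacts | Format-List
```

A file-name match alone is only a lead: confirm any hit with an antivirus scan before acting on it, since the names can collide with unrelated files.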


Description created: Mar. 1, 2007 2:48:20 PM GMT -0800
