Description:
This worm arrives as B.EXE in the Windows system folder. It also drops MSDIRECTX.SYS, which is detected by Trend Micro as TROJ_ROOTKIT.H, in the same folder. It uses this Trojan to hide its process in the Windows Task Manager.
It generates IP addresses and spreads by attempting to drop a copy of itself onto the IPC$ share of each target address. If that share is inaccessible, it tries to authenticate using a list of user names and passwords hardcoded in its body.
It may also propagate by taking advantage of the following Windows vulnerabilities:
- The RPC/DCOM vulnerability, which allows an attacker to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135. More information on this vulnerability is found in Microsoft Security Bulletin MS03-026.
- The Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables a malicious user to gain full control of the affected system. This vulnerability is discussed in detail in Microsoft Bulletin MS04-011.
This worm connects to an IRC server and joins a specific channel, where it listens for commands from a remote malicious user. The said commands are executed locally on affected machines. It also performs a distributed denial of service (DDoS) attack against target sites using different flood methods.
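Two host- and network-side checks a defender could run for the behaviour described above, added here as an example and not part of the Trend Micro description: a lookup for the dropped file names in the Windows system folder, and a scan of SMB audit lines for one source trying many accounts against IPC$. The log line format and the sample lines are constructed for the example.

```python
import os
import re

# File names the description says the worm drops in the Windows system folder.
DROPPED_FILES = ("b.exe", "msdirectx.sys")


def find_dropped_files(system_dir):
    """Return the names from DROPPED_FILES present in system_dir (case-insensitive)."""
    try:
        present = {name.lower() for name in os.listdir(system_dir)}
    except FileNotFoundError:
        return []
    return [name for name in DROPPED_FILES if name in present]


# Assumed audit-log shape for this example (not any real product's format):
# "<time> src=<ip> share=IPC$ user=<name> result=<FAIL|OK>"
LOG_RE = re.compile(r"src=(?P<src>\S+) share=IPC\$ user=(?P<user>\S+) result=(?P<result>\S+)")


def detect_ipc_guessing(log_lines, threshold=5):
    """Return source IPs whose IPC$ logons failed with at least `threshold` distinct user names.

    The worm tries IPC$ directly and then walks a hardcoded user/password list, so a single
    source cycling through many account names against IPC$ is the signal worth alerting on.
    """
    failed_users = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("result") != "FAIL":
            continue
        failed_users.setdefault(m.group("src"), set()).add(m.group("user"))
    return sorted(src for src, users in failed_users.items() if len(users) >= threshold)


# Constructed sample log: 10.0.0.7 cycles through five accounts, 10.0.0.9 is a user typo.
SAMPLE_LOG = [
    "10:01:02 src=10.0.0.7 share=IPC$ user=administrator result=FAIL",
    "10:01:02 src=10.0.0.7 share=IPC$ user=admin result=FAIL",
    "10:01:03 src=10.0.0.7 share=IPC$ user=guest result=FAIL",
    "10:01:03 src=10.0.0.7 share=IPC$ user=owner result=FAIL",
    "10:01:04 src=10.0.0.7 share=IPC$ user=root result=FAIL",
    "10:01:04 src=10.0.0.7 share=IPC$ user=test result=OK",
    "10:02:00 src=10.0.0.9 share=IPC$ user=alice result=FAIL",
    "10:02:30 src=10.0.0.9 share=IPC$ user=alice result=OK",
]

if __name__ == "__main__":
    print("sources guessing IPC$ credentials:", detect_ipc_guessing(SAMPLE_LOG))
    print("dropped files found:", find_dropped_files(r"C:\Windows\System32"))
```

Because the rootkit hides the worm's process from Task Manager, the file check is the more reliable host indicator; run it from a clean boot or scanner rather than trusting a process listing on the suspect host.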
Description created: Apr. 20, 2005 7:42:54 AM GMT -0800