Malware type: Worm

Aliases: Backdoor.Win32.Rbot.aeu (Kaspersky), W32/Sdbot.worm.gen.g (McAfee), W32.Spybot.Worm (Symantec), Worm/Rbot.AAH (Avira), Mal/IRCBot-B (Sophos), Backdoor:Win32/Rbot (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, 2000, NT, ME, XP

Encrypted: No

Description: 

This memory-resident worm propagates via network shares.

It uses a list of weak passwords to access shared folders and log on to the infected machine. It drops a copy of itself as the file WINGAMED.EXE in the Windows system folder.

(Note: The Windows system folder is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

This worm attempts to connect to an Internet Relay Chat (IRC) server, which allows a remote user to access and perform several malicious routines on a system. It also tries to steal CD keys of several game applications.

It can detect if certain malware are running in the system. It can also terminate certain processes.

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

For additional information about this threat, see:
Solution
Technical Details

Description created: Jul. 2, 2004 5:28:50 AM GMT -0800
Description updated: Jul. 5, 2004 8:30:50 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.