Description:
This memory-resident worm arrives on a system as a dropped file of WORM_DREFIR.F. When executed, it also drops a file Trend Micro detects as BKDR_HACDEF.BI. This worm uses the dropped backdoor's rootkit technology in order to hide its process, thus avoiding easy detection.
It spreads through the popular peer-to-peer (P2P) file-sharing application Kazaa by dropping copies of itself in the %System%\Programs folder using attractive file names. It then modifies the system registry to set the abovementioned folder into a Kazaa shared folder, thus allowing other users to download the worm copies into their systems.
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and 2003.)
It also takes advantage of the following Windows vulnerabilities to propagate across networks:
- RPC/DCOM vulnerability
- ASN.1 vulnerability
- LSASS vulnerability
For more information about these vulnerabilities, please refer to the following Microsoft pages:
This worm has backdoor capabilities, and may execute commands coming from a remote malicious user. The said routine provides the remote user virtual control over the affected machine, thus compromising system security.
Moreover, this worm terminates several processes, and prevents affected users from accessing antivirus Web sites by adding entries in the system's HOSTS file.
For additional information about this threat, see:
Solution
Technical Details
Description created: Oct. 18, 2005 11:10:48 PM GMT -0800
Search a new malware
Tell us how we did. Take our quick survey.
|
Save & Share
