Description:
This worm propagates via networks by dropping copies of itself into default shares. It also takes advantage of the Windows Plug and Play vulnerability to propagate across networks. The said vulnerability is discussed in detail on the following Microsoft Web page:
Its propagation techniques ensure its distribution to a lot of vulnerable systems.
Note that the propagation routine via the said vulnerability runs on a system through port 445. The said routine works only on Windows 2000 because the Microsoft Windows Plug and Play vulnerability has inherent characteristics that prevent this worm from exploiting the vulnerability on Windows XP and Server 2003.
Upon execution, this worm drops a copy of itself as MOBSYNC.EXE in the Windows folder. It also drops a .SYS file detected by Trend Micro as TROJ_ROOTKIT.N, which is designed to hide this worm, in the Windows system folder.
This worm is capable of disabling automatic Windows update, various security center functions, and Firewall by modifying the registry.
Using random ports, it connects to a particular Internet Relay Chat (IRC) server and joins a specific channel, where it listens for commands from a remote malicious user. It executes the said commands locally on an affected system, thus compromising system security.
For additional information about this threat, see:
Solution
Technical Details
Description created: Nov. 7, 2005 2:06:08 AM GMT -0800
Search a new malware
Tell us how we did. Take our quick survey.
|
Save & Share
