Description:
This particular WORM_SDBOT variant is Trend Micro's detection for the "Santa worm" malware that is currently spreading in the wild.
It takes advantage of the following Windows vulnerabilities to propagate across networks:
- ASN.1 vulnerability
- Windows Plug and Play vulnerability
The said vulnerabilities are discussed in detail on the following Web pages:
The propagation via the Microsoft Windows Plug and Play vulnerability, however, works only on Windows NT and 2000 because the said vulnerability has inherent characteristics that prevent this worm from exploiting the vulnerability on Windows XP and Server 2003.
Upon execution, it drops a copy of itself as WINRPC.EXE in the Windows folder.
It disables automatic Windows update, various Security Center functions, and firewall settings by modifying the several registry entries.
This worm also has backdoor capabilities. It opens random ports and connects to an IRC server. It then joins an IRC channel, where it receives malicious commands from a remote user. It executes the said commands locally on an affected system, thus compromising system security.
Part of this worm's backdoor capabilities is waiting for a specific command from a remote user for it to be able to propagate via the AOL Instant Messenger (AIM) application. It sends an instant message to contacts found in the affected user's chat application. The said instant message contains a link that when clicked downloads a copy of this worm on the target system.
For additional information about this threat, see:
Solution
Technical Details
Description created: Dec. 21, 2005 2:23:28 PM GMT -0800
Search a new malware
Tell us how we did. Take our quick survey.
|
Save & Share
