Description:
This memory-resident worm spreads via network shares. It attempts to get into systems by using a list of hardcoded user names and passwords.
Once logged on, it drops copies of itself in the following paths:
- ADMIN$\system32\winupdate.exe
- C$\Documents and Settings\All Users\Documents\winupdate.exe
- C$\shared\winupdate.exe
- C$\windows\system32\winupdate.exe
- C$\winnt\system32\winupdate.exe
- C$\winupdate.exe
- IPC$\winupdate.exe
- PRINT$\winupdate.exe
It has backdoor capabilities. It connects to an Internet Relay Chat (IRC) server, mrlsd.redirectme.net, and joins the channel #jtencule. It then waits for commands from a remote malicious user. It also steals CD keys of popular game applications.
It runs on Windows NT, 2000, and XP.
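The drop paths and IRC host listed above can be matched against share-write and DNS records. The following is an added example, not part of the original description or any vendor tool; the event record layout, field names, addresses and host names are assumptions constructed for illustration.

```python
import ntpath

# Indicators taken from the description above, lower-cased for comparison.
DROP_PATHS = {
    r"admin$\system32\winupdate.exe",
    r"c$\documents and settings\all users\documents\winupdate.exe",
    r"c$\shared\winupdate.exe",
    r"c$\windows\system32\winupdate.exe",
    r"c$\winnt\system32\winupdate.exe",
    r"c$\winupdate.exe",
    r"ipc$\winupdate.exe",
    r"print$\winupdate.exe",
}
C2_HOST = "mrlsd.redirectme.net"

def normalize_share_path(share, relative):
    """Return 'share\\relative' lower-cased, with dot segments resolved."""
    share = share.strip("\\/").split("\\")[-1]  # accepts C$, \\host\C$, \\*\C$
    rel = ntpath.normpath(relative.replace("/", "\\")).lstrip("\\")
    return f"{share}\\{rel}".lower()

def scan(events):
    """Return (kind, source, detail) findings for share-write and DNS events."""
    findings = []
    for ev in events:
        if ev["type"] == "share_write":
            path = normalize_share_path(ev["share"], ev["target"])
            if path in DROP_PATHS:
                findings.append(("drop_path", ev["src"], f'{ev["host"]}:{path}'))
        elif ev["type"] == "dns_query":
            name = ev["name"].rstrip(".").lower()
            if name == C2_HOST:
                findings.append(("irc_c2_lookup", ev["src"], name))
    return findings

def spreading_sources(findings, min_hosts=2):
    """Sources that wrote a listed drop path on at least min_hosts hosts."""
    hosts = {}
    for kind, src, detail in findings:
        if kind == "drop_path":
            hosts.setdefault(src, set()).add(detail.split(":", 1)[0])
    return sorted(s for s, h in hosts.items() if len(h) >= min_hosts)

SAMPLE_EVENTS = [  # constructed records, not captured logs
    {"type": "share_write", "src": "10.0.0.5", "host": "FS01", "share": r"\\*\C$", "target": r"WINNT\System32\WinUpdate.exe"},
    {"type": "share_write", "src": "10.0.0.5", "host": "WS17", "share": "ADMIN$", "target": r"system32\.\winupdate.exe"},
    {"type": "share_write", "src": "10.0.0.9", "host": "FS01", "share": "C$", "target": r"temp\report.doc"},
    {"type": "dns_query", "src": "10.0.0.5", "name": "MRLSD.redirectme.net."},
]
```

Calling `scan(SAMPLE_EVENTS)` and passing the result to `spreading_sources` flags the one source that wrote the file to two hosts and also looked up the IRC server.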
Description created: Jul. 14, 2004 11:43:20 AM GMT -0800
Description updated: Jul. 14, 2004 12:43:57 PM GMT -0800