WORM_SDBOT.JB
Overview

Malware type: Worm

Aliases: Backdoor.Win32.Rbot.gen (Kaspersky), W32/Sdbot.worm.gen.q (McAfee), W32.Spybot.Worm (Symantec), TR/Crypt.XPACK.Gen (Avira), Mal/EncPk-U (Sophos), Trojan:Win32/Ircbrute (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, and XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This memory-resident worm propagates via network shares.

Similar to earlier SDBOT variants, it takes advantage of the following Windows vulnerabilities:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability
  • RPC Locator Vulnerability
  • IIS5/WEBDAV Buffer Overflow Vulnerability

For more information about the said Windows vulnerabilities, please refer to the following Microsoft Web pages:

It drops itself as SVXHOST.EXE in the Windows system folder and attempts to log on to systems using a list of user names and passwords.

This worm also has backdoor capabilities. It opens a variable port and connects to a particular Internet Relay Chat (IRC) server. It then joins an IRC channel to receive malicious commands, which it processes on the affected system. It also steals the CD keys of certain game applications.

It runs on Windows 95, 98, ME, NT, 2000, and XP.


Description created: Jul. 3, 2004 12:34:51 AM GMT -0800
Description updated: Jul. 6, 2004 10:07:44 PM GMT -0800
