Description:
This worm propagates via network shares. It tries to force its way into a system by logging on using a list of user names and passwords. It drops a copy of itself as MSGFIX.EXE on successfully accessed shares.
It also has backdoor capabilities. It connects to port 6667 (a normal mIRC port) and joins a specific channel, where it listens for commands from a remote user. It executes the commands locally on the infected machine, providing remote users virtual control over affected systems.
It enables the malicious user to do any or all of the following:
- Download and execute files
- Get CD keys
- Get network information
- Get system information (CPU, RAM, Operating System, etc.)
- List and terminate threads
- Remove the backdoor
- Launch SYN flood
- Scan for NT shares
- Secure the system from common means of infection by:
  - Deleting network shares (C$, D$, IPC$, ADMIN$)
  - Disabling DCOM
- Send UDP or ICMP (ping) packets
- Send email messages
- Start SOCKS4 server
- Start TCP redirect on a port
- Update malware
It attempts to steal the CD keys of certain game applications.
This worm runs on Windows NT, 2000, and XP.
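The sequence described above (logon guessing against a share, a file named MSGFIX.EXE written to it, then a connection from that host to port 6667) can be correlated in log data. The following triage script is an added example, not part of the original description; the event schema, field names, threshold, share path and sample events are constructed assumptions.

```python
from collections import defaultdict

DROP_NAME = "msgfix.exe"   # file name given in the description
IRC_PORT = 6667            # port given in the description
FAIL_THRESHOLD = 3         # assumed cut-off for "logon guessing"

# Constructed sample events in an assumed normalised schema (not real telemetry).
EVENTS = [
    {"t": 1, "type": "logon_fail", "src": "10.0.0.5", "dst": "10.0.0.9"},
    {"t": 2, "type": "logon_fail", "src": "10.0.0.5", "dst": "10.0.0.9"},
    {"t": 3, "type": "logon_fail", "src": "10.0.0.5", "dst": "10.0.0.9"},
    {"t": 4, "type": "share_write", "src": "10.0.0.5", "dst": "10.0.0.9",
     "path": r"\\10.0.0.9\ADMIN$\MSGFIX.EXE"},
    {"t": 5, "type": "conn_out", "src": "10.0.0.9", "dst": "192.0.2.10", "dport": 6667},
    {"t": 6, "type": "conn_out", "src": "10.0.0.7", "dst": "192.0.2.10", "dport": 6667},
    {"t": 7, "type": "share_write", "src": "10.0.0.8", "dst": "10.0.0.7",
     "path": r"\\10.0.0.7\docs\report.doc"},
]

def triage(events, fail_threshold=FAIL_THRESHOLD):
    """Return (host, finding, peer) tuples in time order."""
    fails = defaultdict(int)   # (src, dst) -> failed logons seen so far
    dropped = set()            # hosts that received the dropped file
    findings = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        if e["type"] == "logon_fail":
            fails[(e["src"], e["dst"])] += 1
        elif e["type"] == "share_write":
            name = e["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name == DROP_NAME:
                guessed = fails[(e["src"], e["dst"])] >= fail_threshold
                dropped.add(e["dst"])
                findings.append(
                    (e["dst"], "drop_after_guessing" if guessed else "drop", e["src"]))
        elif e["type"] == "conn_out" and e["dport"] == IRC_PORT:
            # IRC alone is weak evidence; report it only for hosts with the drop.
            if e["src"] in dropped:
                findings.append((e["src"], "irc_after_drop", e["dst"]))
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The host at 10.0.0.7 in the sample data also connects to port 6667 but is not reported, because no MSGFIX.EXE write preceded it.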
Description created: Aug. 12, 2004 8:46:01 AM GMT -0800