Malware type: Worm

Aliases: Backdoor.Win32.DsBot.bu (Kaspersky), W32/Sdbot.worm.gen.h (McAfee), W32.Spybot.Worm (Symantec), Worm/SdBot.121344.14 (Avira), Mal/Packer (Sophos), Backdoor:Win32/Rbot (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 2000, XP

Encrypted: No

Description: 

This worm uses NetBEUI functions to get available lists of user names and passwords, which it uses to access a target system and drop a copy of itself in network shares.

It also generates IP addresses and attempts to drop a copy of itself in the following target address's default shares:

• ADMIN$\System32
• C$\Windows\System32
• C$\WINNT\System32
• IPC$

It takes advantage of the following Windows vulnerabilities:

• IIS5/WEBDAV Buffer Overflow vulnerability
• Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
• Windows LSASS Vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

• Microsoft Security Bulletin MS03-007
• Microsoft Security Bulletin MS03-026
• Microsoft Security Bulletin MS04-011

This worm also has backdoor capabilities. It connects to a remote IRC (Internet Relay Chat) server and joins a specific IRC channel, where it receives commands coming from a malicious user.

It performs the following distributed denial of service (DDoS) attacks:

• HTTP flood
• Ping flood
• SYN flood
• UPD flood

It is also capable of gathering CD keys, serial numbers, and even application product IDs of certain game applications.

It runs on Windows XP and 2000.

For additional information about this threat, see:
Solution
Technical Details

Description created: Sep. 15, 2004 6:13:02 AM GMT -0800
Description updated: Sep. 15, 2004 6:37:22 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.