Malware type: Worm

Aliases: Backdoor.Win32.Wootbot.gen (Kaspersky), W32/Sdbot.worm.gen (McAfee), W32.Spybot.Worm (Symantec), Worm/WootBot.126976 (Avira), W32/Forbot-AC (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 2000, XP

Encrypted: No

Description: 

This memory-resident worm has both worm and backdoor capabilities.

It propagates by dropping a copy of itself into accessible network shares. It logs on to other machines using the current user’s account. On execution, it drops a copy of itself as SETVER32.EXE in the Windows system folder.

It also takes advantage of the following Windows vulnerabilities:

• RPC/DCOM Buffer Overflow vulnerability
• IIS5/WEBDAV vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

• Microsoft Security Bulletin MS03-026
• Microsoft Security Bulletin MS03-007

It also acts as an IRC (Internet Relay Chat) bot that connects to a specific server. Once connected, it listens for commands coming from a remote user giving the user virtual control over the affected machine. It also steals the Windows product ID and the CD keys of certain game applications.

It runs on Windows 2000 and XP.

For additional information about this threat, see:
Solution
Technical Details

Description created: Sep. 14, 2004 9:07:34 PM GMT -0800
Description updated: Oct. 7, 2004 2:39:11 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.