Malware type: Worm

Aliases: Backdoor.Win32.Rbot.gen (Kaspersky), W32/Sdbot.worm.gen.as (McAfee), W32.Spybot.Worm (Symantec), TR/Crypt.XPACK.Gen (Avira), W32/Rbot-Gen (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Description: 

This memory-resident worm propagates across networks by exploiting the following vulnerabilities:

• Buffer Overflow in SQL Server 2000 vulnerability
• LSASS vulnerability

For more information about the said Windows vulnerabilities, please refer to the following Microsoft Web pages:

• Microsoft Security Bulletin MS02-061
• Microsoft Security Bulletin MS04-011

It also propagates via network shares by dropping a copy of itself into several shared folders. It uses a list of user names and passwords to access affected machines.

This worm operates as an Internet Relay Chat (IRC) bot that connects to an IRC server. It then joins an IRC channel, where it waits for several commands from a malicious user.

For additional information about this threat, see:
Solution
Technical Details

Description created: Feb. 21, 2005 8:20:46 PM GMT -0800
Description updated: Feb. 21, 2005 8:20:49 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.