WORM_WOOTBOT.GEN
Overview

Malware type: Worm

Aliases: W32.Spybot.Worm(Symantec), W32/Forbot-FU(Sophos), PAK:UPack(Kaspersky), Worm/Gaobot.119296.1(Avira), W32/Sdbot.worm.gen.bg(McAfee)

In the wild: No

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This is Trend Micro's generic detection for unknown forms of the WOOTBOT worms.

To propagate, WOOTBOT worms are known to exploit the LSASS vulnerability, a buffer overrun vulnerability on Windows systems that allows remote code execution. Once this vulnerability is successfully exploited, a malicious user is able to gain full control over the target system.

Detailed information about this vulnerability is available from the following Microsoft page:

WOOTBOT variants are also known to propagate via network shares by using a list of user names and passwords. Moreover, they exhibit backdoor capabilities and therefore compromise the security of affected machines.

WOOTBOT worms, like other bot worms, usually operate as IRC bots. They come with built-in Internet Relay Chat (IRC) client engines, enabling them to connect to an IRC channel and wait for commands from a malicious user. They process the commands on the local machine, giving remote users virtual control over the infected system.

For additional information about this threat, see:
Solution
Technical Details

Description created: Sep. 22, 2004 2:51:19 AM GMT -0800
