Worm/RB.101376.14.B - Worm
Virus: Worm/RB.101376.14.B
Date discovered: 15/08/2005
Type: Worm
In the wild: No
Reported infections: Low
Distribution potential: Medium
Damage potential: Medium
Static file: Yes
File size: 101.376 Bytes
MD5 checksum: ff9b652337043bb7e46f94e50284204f
VDF version: 6.31.1.110
General
Method of propagation:
• Local network
Aliases:
• Symantec: W32.Spybot.Worm
• McAfee: W32/Sdbot.worm.gen.h
• Kaspersky: Backdoor.Win32.Rbot.gen
• TrendMicro: WORM_RBOT.CDS
• F-Secure: W32/Backdoor.EXW
• VirusBuster: Worm.RBot.CEK
• Bitdefender: Backdoor.SDBot.054EA1A5
Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
Side effects:
• Downloads malicious files
• Registry modification
• Steals information
• Third party control
Files
It copies itself to the following location:
• %SYSDIR%\MSLSA32.exe
It then deletes the initially executed copy of itself.
Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.
Exploit:
It makes use of the following exploit:
– MS04-011 (LSASS Vulnerability)
IP address generation:
It creates random IP addresses and tries to establish a connection with them.
Infection process:
On the newly compromised machine it creates an FTP script that downloads the malware from the infecting host onto that machine.
IRC
To deliver system information and to provide remote control it connects to the following IRC servers:

Server: ns1.gol**********.com.ar
Port: 65053
Server password: PASS
Channel: #g-scan#
Nickname: [0]USA|%two-digit random character string%
Password: argrulex

Server: ns1.gol**********.com.ar
Port: 65053
Server password: PASS
Channel: #g-down1#
Nickname: [0]USA|%two-digit random character string%
Password: argrulex

Server: ns1.gol**********.com.ar
Port: 65080
Server password: PASS
Channel: #g-down2#
Nickname: [0]USA|%two-digit random character string%
Password: argrulex
– This malware has the ability to collect and send information such as:
• CPU speed
• Current user
• Free disk space
• Free memory
• Malware uptime
• Information about the network
• Size of memory
• System directory
– Furthermore it has the ability to perform actions such as:
• Download file
• Join IRC channel
• Kill process
• Leave IRC channel
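The indicators in this description (dropped file name, MD5 checksum, IRC ports, channel names and the nickname pattern) can be turned into simple host and network checks. The following script is an added example written for this page, not Avira's own code: it matches those indicators against a constructed IRC client session, constructed firewall log lines and a constructed process list. The log formats are assumptions, and the assumption that the two random nickname characters are alphanumeric is marked in the code.

```python
"""Defensive IoC matching for Worm/RB.101376.14.B (added example).

Indicators come from the description above. The IRC session, firewall
log lines and process list below are constructed for this example; the
log line format is an assumption, not a real product's format.
"""
import hashlib
import re

KNOWN_MD5 = "ff9b652337043bb7e46f94e50284204f"   # static file checksum from the description
DROPPED_FILE = "mslsa32.exe"                      # dropped as %SYSDIR%\MSLSA32.exe
C2_PORTS = {65053, 65080}                         # IRC server ports from the description
C2_CHANNELS = {"#g-scan#", "#g-down1#", "#g-down2#"}
# Nickname is "[0]USA|" followed by a two-character random string.
# Assumption: the two random characters are alphanumeric.
NICK_RE = re.compile(r"^\[0\]USA\|[A-Za-z0-9]{2}$")
# Assumed firewall log format: "... src=<ip> dst=<ip> dport=<port>"
FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def file_hash_matches(data: bytes) -> bool:
    """True when the MD5 of the given bytes equals the known sample hash."""
    return hashlib.md5(data).hexdigest() == KNOWN_MD5


def is_bot_nick(nick: str) -> bool:
    """True when an IRC nickname follows the [0]USA|xx pattern."""
    return NICK_RE.match(nick) is not None


def scan_irc_session(lines):
    """Flag NICK and JOIN commands that match the bot's IRC behaviour."""
    findings = []
    for line in lines:
        parts = line.strip().split(maxsplit=1)
        if len(parts) != 2:
            continue
        cmd, arg = parts[0].upper(), parts[1]
        if cmd == "NICK" and is_bot_nick(arg):
            findings.append(f"bot-style nickname {arg}")
        elif cmd == "JOIN" and arg.split()[0] in C2_CHANNELS:
            findings.append(f"join to known C2 channel {arg.split()[0]}")
    return findings


def scan_firewall_log(lines):
    """Return (src, dst, dport) for connections to the description's IRC ports."""
    hits = []
    for line in lines:
        m = FW_RE.search(line)
        if m and int(m.group("dport")) in C2_PORTS:
            hits.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return hits


def scan_process_list(image_paths):
    """Return process image paths whose file name is the dropped file."""
    return [p for p in image_paths if p.rsplit("\\", 1)[-1].lower() == DROPPED_FILE]


# Constructed sample data (not captured from a real infection).
SAMPLE_IRC = [
    "PASS PASS",
    "NICK [0]USA|kq",
    "USER kq 0 0 :kq",
    "JOIN #g-down1# argrulex",
    "JOIN #linux",
]
SAMPLE_FW = [
    "2005-08-25T10:01:02 allow proto=tcp src=10.0.0.5 dst=203.0.113.7 dport=65053",
    "2005-08-25T10:01:03 allow proto=tcp src=10.0.0.5 dst=203.0.113.9 dport=443",
    "2005-08-25T10:01:04 allow proto=tcp src=10.0.0.8 dst=203.0.113.7 dport=65080",
]
SAMPLE_PROCS = [
    "C:\\WINDOWS\\system32\\MSLSA32.exe",
    "C:\\WINDOWS\\explorer.exe",
]

if __name__ == "__main__":
    for f in scan_irc_session(SAMPLE_IRC):
        print("IRC:", f)
    for src, dst, port in scan_firewall_log(SAMPLE_FW):
        print(f"FW: {src} -> {dst}:{port}")
    for p in scan_process_list(SAMPLE_PROCS):
        print("PROC:", p)
```

The port and channel checks are the weakest indicators (high ports can be legitimate, and channel names are trivially changed by a new variant), so treat them as pivots for investigation; the file hash and the dropped file name in the system directory are the stronger confirmations.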
Miscellaneous
Mutex:
It creates the following Mutex:
• st@ch3ndr4th-l4st-v3r
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
In order to hinder detection and reduce the size of the file it is packed with the following runtime packer:
• ASPack 2.12
Description inserted by Victor Tone on Thu, 25 Aug 2005 09:28 (GMT+1)
Description updated by Victor Tone on Mon, 29 Aug 2005 08:24 (GMT+1)
© 2008 Avira GmbH