Exploits the Windows LSASS security hole.
It starts an FTP server on TCP port 5554, which it uses to spread to other systems.
It collects IP addresses from the infected system and generates new ones similar to those collected.
Through TCP port 445, the worm contacts other systems on which the LSASS security hole has not been patched. If the connection succeeds, shellcode is sent to the target system to open TCP port 9996. The shellcode then reaches back to the infected computer on TCP port 5554, and the other, still 'clean' system receives a copy of the worm. This copy is named with 4 or 5 digits followed by _up.exe, for example 74354_up.exe.
A mutex (Jobaka3l) ensures that no other instance of the worm is already running on the system.
The worm copies itself as %WinDIR%\avserve.exe and creates the following autostart registry entry:
It uses the AbortSystemShutdown API to cancel a computer shutdown or restart.
The Lsass.exe process terminates after the worm has exploited the Windows LSASS security hole. Windows then displays a message and shuts the system down within a minute.
The worm creates the file C:\win.log, which contains the IP addresses of the computers it has tried to infect and the number of infected systems.
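The indicators listed above (the Jobaka3l mutex, the avserve.exe copy, listeners on TCP 5554 and 9996, C:\win.log and the <digits>_up.exe copies) can be checked on a host from a defender's side. The following Python is an added example, not code from the original description or from any antivirus vendor; the HostSnapshot structure and the sample host data are constructed for illustration and are not a real API.

```python
import re
from dataclasses import dataclass, field

# Host-based indicators taken from the description above.
WORM_MUTEX = "Jobaka3l"
WORM_BINARY = "avserve.exe"  # dropped as %WinDIR%\avserve.exe
WORM_LOG = r"c:\win.log"     # compared case-insensitively
WORM_PORTS = {
    5554: "FTP server that serves worm copies",
    9996: "port opened by the shellcode on a freshly hit host",
}
# Copies delivered to a new victim are named with 4 or 5 digits followed by _up.exe
COPY_NAME = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)


@dataclass
class HostSnapshot:
    """Constructed view of one host; the field names are assumptions for this example."""
    processes: list = field(default_factory=list)      # image paths of running processes
    listening_tcp: list = field(default_factory=list)  # TCP ports in LISTEN state
    mutexes: list = field(default_factory=list)        # named mutexes present
    files: list = field(default_factory=list)          # file paths found on disk


def find_indicators(snap):
    """Return a list of human-readable matches against the indicators above."""
    hits = []
    if WORM_MUTEX in snap.mutexes:
        hits.append(f"mutex {WORM_MUTEX} present")
    for path in snap.processes:
        if path.lower().endswith("\\" + WORM_BINARY):
            hits.append(f"process {path}")
    # A listener on 9996 or 5554 alone is weak evidence; report it and let the
    # caller weigh it together with the other indicators.
    for port in sorted(set(snap.listening_tcp) & set(WORM_PORTS)):
        hits.append(f"tcp/{port} listening ({WORM_PORTS[port]})")
    for path in snap.files:
        name = path.rsplit("\\", 1)[-1]
        if path.lower() == WORM_LOG:
            hits.append(f"file {path}")
        elif COPY_NAME.match(name):
            hits.append(f"file {path} matches <digits>_up.exe")
    return hits


# Constructed sample hosts: one clean, one showing every indicator at once.
CLEAN_HOST = HostSnapshot(
    processes=[r"C:\WINDOWS\system32\lsass.exe", r"C:\WINDOWS\explorer.exe"],
    listening_tcp=[135, 139, 445],
    mutexes=[r"Global\SomeOtherMutex"],
    files=[r"C:\WINDOWS\win.ini", r"C:\setup_up.exe"],
)
INFECTED_HOST = HostSnapshot(
    processes=[r"C:\WINDOWS\system32\lsass.exe", r"C:\WINDOWS\avserve.exe"],
    listening_tcp=[135, 445, 5554, 9996],
    mutexes=["Jobaka3l"],
    files=[r"C:\win.log", r"C:\WINDOWS\system32\74354_up.exe"],
)

if __name__ == "__main__":
    for label, host in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(label, find_indicators(host))
```

The regex for the dropped copy deliberately requires four or five digits, so a file such as setup_up.exe is not reported; the port check only reports listeners, since a single open port is not conclusive on its own and is meant to be read together with the mutex and file evidence.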
Description written by Crony Walker, opened Tuesday, June 15, 2004