W32.Dizan


Aliases: W32.Dizan.F, Worm.Win32.Hipak.a, W32/Hipack.worm, PE_HIPAK.A, W32/Dzan-E, Virus:Win32/Hipak.A, W32.Dzan, Win32/Hipak.worm.65536
Variants: W32.Dizan.F

Classification: Malware
Category: Computer Virus

Status: Inactive
Spreading: Slow
Geographical info: Asia, North and South America, Europe and Australia
Removal: Easy
Platform: W32
Discovered: 13 Dec 2006
Damage: Medium

Characteristics: W32.Dizan is a virus with backdoor capabilities that propagates by infecting executable files. Its length varies but can be as long as 65,000 bytes. It modifies files by infecting and overwriting them.

More details about W32.Dizan

W32.Dizan spreads via network shares. To spread, it searches for and lists accessible network shares, onto which it attempts to drop a copy of itself. It connects to a specific server and operates as an IRC (Internet Relay Chat) bot. Once connected, it executes specific commands locally on affected machines, leaving these machines' security compromised. W32.Dizan connects to a range of IRC servers and then joins a channel that is hard-coded into its body. It is then ready to accept remote commands, such as downloading and executing remote files, acting as an IRC proxy server, sending messages via IRC, joining IRC channels, and sending UDP and ICMP packets to remote computers.

This virus produces outbound traffic, creates a startup registry entry and contains an identified security risk that can damage the computer system. Some files are modified, since it is a PE-file infector. Upon execution, W32.Dizan creates the file %System%\mmc.exe, where %System% is by default C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000) or C:\Windows\System32 (Windows XP). It then creates a service and two registry keys, and adds a value to a registry subkey. These files and values allow the worm to spread and infect executable files on all drives. Its backdoor opens port 3000.