Aliases: W95.Troc, W95.Bistro.dr
Variants: PE_TROC

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 24 Oct 2000
Damage: Low

Characteristics: The W95.Bistro program is a memory resident virus that infects Win 32 executable files in the Windows directory and its subdirectories. Files are often corrupted once it has been infected by the W95.Bistro virus.

More details about W95.Bistro

The W95.Bistro program opens a backdoor via a TCP port. It then connects to its IRC server. It then joins a specific channel and waits to receive commands from its author. The RAT application can instruct the system to participate in a Denial of Service (DoS) attack. It can also scan the system, download files, upload information or steal confidential data. Some variants of this family may also be commanded to record log-in keystrokes typed in online forms fields for bank websites. Other members of the worm software family may also start FTP servers or disable system services. The infected system may be configured to act as a proxy server for an SMTP, HTTP or SOCKS4 protocol.

Variants of the W95.Bistro program reportedly attempt to connect to MS SQL servers using passwords from a list. These attempts may lead to network hacking. or user accounts being locked out. The worm applications are also able to download updates of its program. Some variants scan the system for running processes related to anti-virus software and terminate them. A rootkit file is also dropped and registered as a service.