Aliases: W32/Banwor.worm.dll, W32/Banwor.worm, Worm.Banwor
Variants: Worm.Win32.Banwor.b

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 18 Dec 2004
Damage: Low

Characteristics: W32.Banwor is a backdoor worm capable of sending authentication information to a remote master and opening a backdoor on the compromised machine. It attempts to propagate by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability.

More details about W32.Banwor

Once executed on the infected system, W32.Banwor creates the files hwin16.dll, hwin32.dll, hwinsys32.dll, scan.exe, and syshost.exe in the C:\Windows folder. It then adds values to a registry subkey so that the threat executes when the system boots. The worm sends the gathered authentication details, such as usernames and passwords, IP addresses, clipboard contents, and Outlook's mail address and mail server settings, to the address mr_dj@scynix.com. It then opens an FTP server on TCP port 21 and attempts to propagate by taking advantage of the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. This vulnerability is in a component of Remote Procedure Call (RPC) that deals with message exchange across TCP/IP.

The error occurs because malformed messages are handled incorrectly. This specific vulnerability affects a DCOM interface with RPC that listens on the designated RPC ports. This DCOM interface handles activation requests for DCOM objects sent by client systems to the server. An attacker who successfully exploits the vulnerability can run code with Local System privileges on the compromised machine. According to some research, the attacker (the author or creator) will also be able to install programs; view, delete, or change data; and create new accounts with full privileges.
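A triage check for the two host indicators described above (the five dropped file names in the Windows folder and a listener on TCP port 21), written as an added example that is not part of the original entry. The function names are hypothetical, and the folder argument may point at a live `C:\Windows` or at the Windows folder of a mounted disk image.

```python
import os
import socket
import sys

# File names the entry says the worm creates in the Windows folder.
BANWOR_FILES = frozenset(
    {"hwin16.dll", "hwin32.dll", "hwinsys32.dll", "scan.exe", "syshost.exe"}
)


def find_dropped_files(windows_dir):
    """Return sorted paths of top-level files whose names match the list."""
    # Windows file names are case-insensitive, so compare in lower case.
    # Only the top level is scanned: the entry names no subfolder.
    return sorted(
        e.path
        for e in os.scandir(windows_dir)
        if e.is_file(follow_symlinks=False) and e.name.lower() in BANWOR_FILES
    )


def ftp_listener_present(host="127.0.0.1", port=21, timeout=1.0):
    """Return True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(windows_dir, check_port=True):
    """Combine both indicators; check_port=False suits offline disk images."""
    files = find_dropped_files(windows_dir)
    names = {os.path.basename(p).lower() for p in files}
    # A port-21 listener alone is weak evidence (a legitimate FTP service
    # matches too); weigh it together with the file hits.
    return {
        "files": files,
        "all_files_present": names == BANWOR_FILES,
        "ftp_listener": ftp_listener_present() if check_port else None,
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SystemRoot", r"C:\Windows")
    print(triage(target) if os.path.isdir(target) else f"not a directory: {target}")
```

File names are easy for a variant to change, so a clean result from this check does not rule out infection.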