Aliases: Net-Worm.Win32.SdBoter.d, W32/Sluter.worm.e, W32.Basbot, Worm/SdBoter.D, W32/Sdbot-Fam
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 06 Oct 2003
Damage: Low

Characteristics: The W32.Basbot malware is a network-aware worm that tries to connect to a predefined IRC server to accept instructions from a remote hacker.

More details about W32.Basbot

The main function of this network-aware worm is to connect to a predetermined IRC server in order to receive instructions from its author. Once W32.Basbot is run on the compromised computer system, it automatically copies itself as the files C:\You.exe and C:\Windows\System\Cftmon_.exe. The worm then calculates and tries to connect to IP addresses randomly generated by the worm’s author. Next, the worm copies itself to the location \\ IPC$\ Cftmon_.exe on systems that use weak usernames and passwords. It then remotely schedules a job to execute the W32.Basbot program on the newly compromised machine. The worm also modifies certain registry keys by adding a certain value. The altered registry keys permit the malware to run every time the system starts.

This worm also drops the script C:\Windows\System\Config.vbs and then runs it to create the file C:\Windows\System\Config.exe. It then executes Config.exe and alters the Script.ini file in the folders C:\Mirc, C:\Progra~1\Mirc, C:\Mirc32, and C:\Progra~1\Mirc32 to allow the malware to propagate as You.exe via mIRC. Lastly, it connects to a particular IRC channel on a predefined IRC server to receive remote instructions from its author. Immediate removal is recommended.
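The file artifacts listed above can be checked on a live C: drive or a mounted disk image with a short triage script. This is an added example, not part of the original write-up; the function names, the "Program Files" spelling of Progra~1 and the test for Script.ini tampering (a mention of You.exe) are assumptions, and the sample tree is constructed.

```python
import tempfile
from pathlib import Path

# File names and folders taken from the description above, relative to the C: volume.
DROPPED = ["You.exe", "Windows/System/Cftmon_.exe",
           "Windows/System/Config.vbs", "Windows/System/Config.exe"]
# Assumption: "Progra~1" is the 8.3 short name of "Program Files", so check both spellings.
MIRC_DIRS = ["Mirc", "Mirc32", "Progra~1/Mirc", "Progra~1/Mirc32",
             "Program Files/Mirc", "Program Files/Mirc32"]

def find_ci(root, rel):
    """Resolve rel under root ignoring case, as NTFS would, on any host OS."""
    cur = Path(root)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur

def triage(root):
    """Return sorted (kind, relative path) findings for a volume mounted at root."""
    findings = set()
    for rel in DROPPED:
        hit = find_ci(root, rel)
        if hit and hit.is_file():
            findings.add(("dropped_file", hit.relative_to(root).as_posix()))
    for d in MIRC_DIRS:
        ini = find_ci(root, d + "/Script.ini")
        # Assumption: a tampered Script.ini mentions You.exe, the name the worm spreads under.
        if ini and ini.is_file() and b"you.exe" in ini.read_bytes().lower():
            findings.add(("mirc_script_mentions_you_exe", ini.relative_to(root).as_posix()))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: one dropped copy, one clean and one tampered Script.ini."""
    files = {"WINDOWS/system/CFTMON_.EXE": b"MZ (constructed placeholder)",
             "mirc/script.ini": b"[script]\nn0=on 1:TEXT:hi:#:msg $chan hello\n",
             "Program Files/mIRC32/script.ini": b"[script]\nn0=; constructed line naming C:\\You.exe\n"}
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(build_sample(tmp)))
```

A clean result does not rule out infection, because the registry change and the scheduled job mentioned in the description are not covered by a file check.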