W32.Blatic.A


Aliases: P2P-Worm.Win32.SpyBot.fa, W32/Spybot.worm.gen.a, W32/WarPigs-C, Worm/Spybot.27.AC, Worm/Mumu.B.4
Variants: Trojan-Spy.Win32.SpyBoter.dt, Win32.IRC.Bot.based, Worm:Win32/SpyBot, Possible_Virus, Backdoor.SDBot.B8A7CFB6

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 21 Jan 2005
Damage: Medium

Characteristics: W32.Blatic.A is a network-aware worm that, like most malware in its category, spreads through weakly protected network shares. It also opens a backdoor that gives its author remote control of the infected machine.

More details about W32.Blatic.A

W32.Blatic.A ensures that only one copy of itself runs at a time: it uses a named mutex to detect whether the system is already infected. When executed, it drops a copy of itself as iexplore.exe in the System folder under the Windows directory (the genuine iexplore.exe does not reside there, so a copy in that location is itself an indicator). After the mutex check it downloads and executes a predetermined set of files over HTTP; this is most likely how the Worm updates its own code when a newer version is available. It also modifies the Windows Registry so that it is launched whenever Internet Explorer or Windows Explorer is opened by the user.

The Windows Registry is also used to load the Worm automatically with the operating system, and the [boot] section of system.ini is modified to the same end, so that the Worm survives the removal of any single persistence point. To spread, it looks for the ADMIN$ administrative share on other hosts and tries passwords from a predefined list; once a password succeeds it copies itself to the target through that share. The Worm has been observed connecting to the OlaGh IRC channel over TCP port 6667, a telltale sign on a network that does not otherwise use IRC.
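The following triage script is an added example and is not code from the original page or from any vendor's removal tool. It checks, offline, for the three host-side traces described in the two paragraphs above: a tampered [boot] section in system.ini, a Run-key value pointing at a system32\iexplore.exe drop, and an established connection to TCP port 6667. The artifacts it parses (a system.ini fragment, a .reg export of the Run key, and netstat -ano output) are constructed samples, and the assumption that the worm edits the shell= entry of [boot] is the author's, not the page's.

```python
import re
from typing import Dict, List

# Constructed sample artifacts for demonstration; these are not captures
# from a real W32.Blatic.A infection.
SYSTEM_INI = r"""[386Enh]
woafont=dosapp.fon
[boot]
shell=Explorer.exe C:\WINDOWS\system32\iexplore.exe
[drivers]
wave=mmdrv.dll
"""

RUN_KEY_EXPORT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Explorer"="C:\\WINDOWS\\system32\\iexplore.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"""

NETSTAT_ANO = """  TCP    192.168.1.20:1043      203.0.113.7:6667       ESTABLISHED     1528
  TCP    192.168.1.20:1044      192.168.1.1:445        ESTABLISHED     4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
"""

# The worm drops its copy as iexplore.exe inside the Windows System folder.
# The genuine iexplore.exe lives under Program Files\Internet Explorer, so a
# copy under system32 is itself an indicator.
DROPPED_NAME_RE = re.compile(r"\\system32\\iexplore\.exe$", re.IGNORECASE)
IRC_PORT = 6667  # port the worm uses to reach its IRC channel


def check_system_ini(text: str) -> List[str]:
    """Flag a [boot] shell= line that loads anything besides Explorer.exe."""
    findings = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "boot" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key.lower() == "shell" and value.lower() != "explorer.exe":
            findings.append(f"system.ini [boot] shell= tampered: {value}")
    return findings


def check_run_keys(export: str) -> List[str]:
    """Flag Run-key values whose target is the dropped system32\\iexplore.exe."""
    findings = []
    for name, path in re.findall(r'^"([^"]+)"="([^"]+)"$', export, re.MULTILINE):
        path = path.replace("\\\\", "\\")  # .reg exports double every backslash
        if DROPPED_NAME_RE.search(path):
            findings.append(f"Run value '{name}' starts {path}")
    return findings


def check_netstat(text: str) -> List[str]:
    """Flag established TCP sessions whose remote port is the worm's IRC port."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP" or parts[3] != "ESTABLISHED":
            continue
        remote, pid = parts[2], parts[4]
        if remote.rsplit(":", 1)[1] == str(IRC_PORT):
            findings.append(f"PID {pid} connected to {remote} (IRC)")
    return findings


def triage(system_ini: str, run_export: str, netstat: str) -> Dict[str, List[str]]:
    """Run every check and return only the artifacts that produced findings."""
    results = {
        "system.ini": check_system_ini(system_ini),
        "registry": check_run_keys(run_export),
        "network": check_netstat(netstat),
    }
    return {k: v for k, v in results.items() if v}


if __name__ == "__main__":
    for artifact, hits in triage(SYSTEM_INI, RUN_KEY_EXPORT, NETSTAT_ANO).items():
        for hit in hits:
            print(f"[{artifact}] {hit}")
```

On a live host the same three checks map to reading %WINDIR%\system.ini, exporting HKLM\...\CurrentVersion\Run with reg export, and capturing netstat -ano; the script is written against text so that the files can be pulled from a suspect machine and examined elsewhere. A PID reported by the network check should be cross-checked against the process list, since the worm's copy is named to blend in with the real browser.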