W32.Esbot.A


Aliases: CME-354, Win32.Esbot.{A, B}, Backdoor.Win32.IRCBot.es, W32/IRCbot.gen, W32/Sdbot-ACG
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 15 Aug 2005
Damage: Medium

Characteristics: W32.Esbot.A is a worm that spreads by exploiting the Microsoft Windows Plug and Play buffer overflow vulnerability (Microsoft Security Bulletin MS05-039). Only Windows 2000 is affected, so both infection and distribution are limited. On startup the worm creates three mutexes, named mousebm, mousemm, and mousesync. The mutexes are not files; they are the standard single-instance guard, and they ensure that only one copy of the worm runs on the compromised computer (a second instance that finds the mutex already present does not run). The worm then copies itself into the Windows system folder, reusing the mutex names as its filenames.

More details about W32.Esbot.A

The copies carry the mutex names with a .exe extension: mousebm.exe, mousemm.exe, and mousesync.exe in the Windows system folder. Each copy is registered as a Windows service so that it starts automatically, under the names Mouse Button Monitor, Mouse Movement Monitor, and Mouse Synchronization. The service description the worm writes claims that the service "enables a computer to maintain synchronization with a PS/2 pointing device" and that "stopping or disabling this service will result in system instability"; this is a decoy meant to discourage administrators from stopping it, and it can be ignored during removal. The worm also creates a text log file, dcpromo.log, in the Windows directory. Once the worm connects to its remote controller (the IRCBot aliases listed above reflect the IRC-based command channel), the attacker can download and execute files and list, stop, and start processes and threads on the infected machine.
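The indicators named in this entry (the three mutex names, the matching .exe files in the system folder, the three service names, and dcpromo.log in the Windows directory) can be checked in a single pass. The PowerShell script below is an added example written for this page, not the vendor's own removal tool: the indicator names come from the text above, while the function name Invoke-EsbotSweep, the -Remove switch, and the output format are assumptions.

```powershell
# Added example for this page: an indicator sweep for the W32.Esbot.A artifacts
# named in the write-up above. This is not the original vendor's removal tool.
# Indicator names (mutexes, service names, file names, dcpromo.log) are from the
# text; the function name, parameter and output format are assumptions.
# Run from an elevated PowerShell prompt on the host being checked.

function Invoke-EsbotSweep {
    [CmdletBinding()]
    param(
        # Report only by default; -Remove also stops the services, kills the
        # processes and deletes the dropped files.
        [switch]$Remove
    )

    $mutexNames   = 'mousebm', 'mousemm', 'mousesync'
    $serviceNames = 'Mouse Button Monitor', 'Mouse Movement Monitor', 'Mouse Synchronization'
    $systemDir    = [Environment]::GetFolderPath('System')   # e.g. C:\WINNT\system32
    $windowsDir   = $env:windir
    $exeFiles     = foreach ($n in $mutexNames) { Join-Path $systemDir "$n.exe" }
    # The worm's log sits directly under %windir%. A legitimate dcpromo.log from
    # an Active Directory promotion lives under %windir%\debug instead, so only
    # the top-level path is treated as an indicator.
    $logFile      = Join-Path $windowsDir 'dcpromo.log'

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Mutexes. A live worm instance holds them, so OpenExisting succeeds only
    #    while the worm is running; on a clean host it throws and that is ignored.
    foreach ($name in $mutexNames) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Dispose()
            $findings.Add("mutex present: $name (a worm instance is running)")
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # not present: expected on a clean host
        } catch [System.UnauthorizedAccessException] {
            $findings.Add("mutex present but not openable: $name")
        }
    }

    # 2. Services registered under the decoy 'Mouse ...' names. Match on either
    #    the service name or the display name, since the entry does not say which.
    $services = Get-Service | Where-Object {
        ($serviceNames -contains $_.Name) -or ($serviceNames -contains $_.DisplayName)
    }
    foreach ($svc in $services) {
        $findings.Add("service present: '$($svc.DisplayName)' [$($svc.Name)], status $($svc.Status)")
        if ($Remove) {
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            # sc.exe delete works on every Windows version; Remove-Service does not.
            & sc.exe delete $svc.Name | Out-Null
        }
    }

    # 3. Running processes named after the dropped executables.
    $procs = Get-Process -Name $mutexNames -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        $findings.Add("process running: $($p.ProcessName) (PID $($p.Id))")
        if ($Remove) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
    }

    # 4. Dropped files and the log. Services and processes are handled first so
    #    the executables are no longer in use when deletion is attempted.
    foreach ($path in ($exeFiles + $logFile)) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path
            $findings.Add("file present: $path ($($item.Length) bytes, modified $($item.LastWriteTime))")
            if ($Remove) { Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output 'No W32.Esbot.A indicators found.'
    } else {
        $findings | ForEach-Object { Write-Output $_ }
    }
}

# Usage: Invoke-EsbotSweep            # report only
#        Invoke-EsbotSweep -Remove    # report, then stop services and delete files
```

Two caveats. Windows 2000, the only platform the entry says is affected, does not run PowerShell, so on an original-era host the same checks translate to sc query, tasklist, and dir from cmd.exe; the script is most useful when a suspect disk or a later system is being examined. And cleaning the files and services does not close the hole: a host that was reachable on the Plug and Play service will be reinfected by the next scan unless the MS05-039 patch is applied or the port is filtered.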

Security vendors note that W32.Esbot.A can open a backdoor on a port of the infected system. The port carries both inbound and outbound traffic, and remote users can use it to take control of the host: to launch Denial of Service (DoS) attacks, or to turn the infected system against other machines, either on the Internet or on the local area network (LAN).