Aliases: Worm.Win32.Francette.a, W32/Tumbi.worm
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 17 Nov 2003
Damage: Low

Characteristics: On November 17, 2003, a worm that exploited the DCOM RPC vulnerability and Microsoft IIS Web Server Folder Traversal vulnerability was discovered. This worm is W32.Francette.Worm which was written in Borland Delphi and packed with ASPack. The systems affected by this worm are Windows 2000, NT and XP.

More details about W32.Francette.Worm

W32.Francette.Worm mainly exploits two specific vulnerabilities: the DCOM RPC vulnerability and the Microsoft IIS Web Server Folder Traversal vulnerability. Syshost.exe is the file used by this worm. If it is executed, the worm adds a value to the system registry key. Afterwards, the worm creates a random IP address and attempts to connect to any generated IP addresses. After identifying that the computer is actively in use, the worm uses TCP port 135 to exploit the DCOMM RPC vulnerability. On the vulnerable host, the worm produces a remote shell and commands the compromised computer to use FTP. FTP is connected to an ftp server. Then, the worm downloads a version of itself as syshost.exe to be able to execute in the compromised computer. The worm does not stop exploiting there. It also exploits unpatched servers that run IIS with the use of the Microsoft IIS Web Server Folder Traversal vulnerability. Afterwards, nt_ddr.exe and syshost.exe files are downloaded to the C:\Winnt\System32 folder. After the execution of these two files, the worm connects to a certain IRC channel on TCP port 6669 or 6667 to be able to receive commands. The commands that will be given are the following: Perform Denial of Service (Does) Attacks, Execute commands, Download files, Scan for open ports on remote machines and Flood IRC channels.

The W32.Francette.Worm application installs its core components on the Windows system folder. The rootkit function of the program renames the installed files as critical Windows processes. This allows the application to avoid manual detection and removal by the user. The rootkit feature allows the program to function stealthily on the computer. It may terminate security tools installed on the computer such as personal firewalls and anti-malware tools. The W32.Francette.Worm program functions on Windows operating systems such as Windows 9x, Windows 2000 and Windows XP.