W32.Loxbot.A


Aliases: Worm/IRCBot.HZ, W32/Oscarbot.DH.wor, Backdoor.Ircbot.HZ
Variants: Backdoor.Win32.IRCBot.hz, W32/Sdbot.worm.gen.h, BackDoor.Oscar

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Moderate
Geographical info: Asia, Australia, North America
Removal: Hard
Platform: W32
Discovered: 17 Oct 2005
Damage: Medium

Characteristics: One of the most compromising functionalities of W32.Loxbot.A is its ability to open an unprotected backdoor on a compromised machine, allowing a remote attacker to hijack it. This worm uses rootkit techniques to conceal its background processes from system monitoring tools. The threat can also spread to other computer systems through instant messaging clients.

More details about W32.Loxbot.A

When W32.Loxbot.A is executed on a vulnerable computer system it first creates a copy of its executable in the operating system directory. It then adds a new registry value for that executable so that it loads automatically every time the compromised machine restarts or boots. W32.Loxbot.A also uses the Windows Registry to discreetly terminate the operating system's running firewall service, leaving the computer more exposed to external threats. It targets the Internet Connection Sharing, Shared Access, and Security Center services of the operating system, and it installs a driver to activate its rootkit feature.

W32.Loxbot.A creates two separate services for the SYS files it uses as its driver files, and in the same manner generates a new registry value for each newly created service. Its backdoor function lets W32.Loxbot.A contact Internet Relay Chat servers on TCP port 9515, which gives the malicious author the capability to attack the Internet Relay Chat server. W32.Loxbot.A can use this communication port to download and execute arbitrary, potentially dangerous code, allowing the malware to upgrade its features with new command sets.
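The following triage check is an added example, not part of this entry or of any vendor tool: it takes a constructed host snapshot and flags the three behaviours described above (protection services stopped, .sys driver services loading from outside the drivers folder, and an outbound TCP session on port 9515). The Windows service names SharedAccess (Windows Firewall / ICS) and wscsvc (Security Center) are assumed to be the services the entry refers to, and all snapshot values are constructed sample data.

```python
from dataclasses import dataclass

# Values taken from the entry above: the backdoor's IRC port and the
# protection services it stops. Service names are assumed Windows names.
IRC_PORT = 9515
PROTECTION_SERVICES = {
    "SharedAccess": "Windows Firewall / Internet Connection Sharing",
    "wscsvc": "Security Center",
}

@dataclass
class Snapshot:
    services: dict     # service name -> state ("running", "stopped", ...)
    drivers: dict      # kernel-driver service name -> image path
    connections: list  # (proto, remote_ip, remote_port) of established sessions

def assess_host(snap: Snapshot) -> list:
    """Return findings matching the behaviour the entry describes (empty if none)."""
    findings = []
    # 1. Firewall / Security Center services terminated via the registry
    for name, label in PROTECTION_SERVICES.items():
        state = snap.services.get(name, "absent").lower()
        if state != "running":
            findings.append(f"protection service {name} ({label}) is {state}")
    # 2. Rootkit driver: a .sys service whose image lives outside the drivers folder
    for name, path in snap.drivers.items():
        p = path.lower().replace("/", "\\")
        if p.endswith(".sys") and "\\drivers\\" not in p:
            findings.append(f"driver service {name} loads {path} outside the drivers folder")
    # 3. Backdoor channel on the IRC port named in the entry
    for proto, ip, port in snap.connections:
        if proto.upper() == "TCP" and port == IRC_PORT:
            findings.append(f"outbound TCP session to {ip}:{port}")
    return findings

# Constructed sample snapshots (not real telemetry; driver names are placeholders)
CLEAN = Snapshot(
    services={"SharedAccess": "running", "wscsvc": "running"},
    drivers={"disk": r"C:\Windows\System32\drivers\disk.sys"},
    connections=[("TCP", "192.0.2.10", 443)],
)
SUSPECT = Snapshot(
    services={"SharedAccess": "stopped", "wscsvc": "disabled"},
    drivers={"disk": r"C:\Windows\System32\drivers\disk.sys",
             "svcA": r"C:\Windows\System32\svcA.sys",
             "svcB": r"C:\Windows\System32\svcB.sys"},
    connections=[("TCP", "198.51.100.7", 9515)],
)

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, assess_host(snap))
```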