W32.Maniccum


Aliases: W32/Ixbot-G, W32/IRCbot.gen.b, Win32/Ixbot.H, Win32/Maniccum.A!Worm, W32/Maniccum.worm
Variants: W32/Ircbot.CV, Win32.Ixbot.H, WORM_MANICCUM.A, Backdoor.Win32.Agent.vt

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, Australia, North America
Removal: Easy
Platform: W32
Discovered: 07 Mar 2006
Damage: Medium

Characteristics: This computer threat belongs to a classification of malware that is known as Internet Relay Chat controlled backdoor or more commonly referred to as Bots. In this context the W32.Maniccum can be used to gain unauthorized and unobstructed access to the information and resources of the compromised machine. This malware can also display some functions that allows it to use Instant Messaging services as transport mechanisms for the spreading of its codes.

More details about W32.Maniccum

When executed this malware will generate a randomly named executable file into the directory folder of the operating system. This file is a copy of the W32.Maniccum codes which serves as its main trigger file. A corresponding entry in the Windows Registry will be created by the threat to make sure that it is executed in the infected computer system every time the operating system is loaded. To complicate its detection and removal from the infected computer system the W32.Maniccum will use the Windows Registry to terminate all processes that are associated to security services and protocols. During the next boot up operation of the compromised machine all security applications and firewall services may fail to execute. The W32.Maniccum will continue to lower security settings.

The malicious author hard coded specific text strings into the body of the W32.Maniccum which are used as reference for processes that need to be terminated. When established in the compromised system, services and processes that contain the text string will be terminated immediately after the operating system is loaded. The W32.Maniccum may not give an indication of the termination which leads to a false sense of security. The W32.Maniccum will attempt to connect to an Internet Relay Chat server using the TCP port 5190. This communication port will be used to wait for additional instructions from the remote attacker.