W32.Moubot


Aliases: BKDR_MOUBOT.A 
Variants: Backdoor.Win32.SdBot.ak, Backdoor.SdBot.ak, W32/Sdbot.worm.gen, Win32.IRC.Bot.based, W32/Sdbot-Fam 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 19 Jul 2003
Damage: Medium

Characteristics: The W32.Moubot malware is a network aware worm that is compressed using UPX. This security risk also has a backdoor component that permits its remote author access to the infected machine via IRC or Internet Relay Chat. This worm targets machines that have poorly configured security settings. It also looks for program or operating system exploits to penetrate a target machine.

More details about W32.Moubot

Once launched in the compromised computer system. The W32.Moubot worm will copy itself as a file with the .exe file extension. It will also add a value to a particular registry key so that the malware will run when Windows is started. This backdoor worm will then generate arbitrary IP addresses for systems to infect. The worm then tries to authenticate itself to the generated IP addresses by trying several predefined passwords which includes a combination of numbers 1 to 9 and Admin, Pass, Password, Passwd, Root, Home or Database. Afterwards, this security threat will copy its code as an exe file to systems that have weak admin passwords and then schedule a Network task to execute its code. This malware will likewise try connecting to a predetermined IRC or Internet Relay Chat server so that it can receive commands from its remote author.

The commands that will be carried out by the worm include performing a syn flood attack and delivering computer system details to the author. Other commands also include controlling the IRC client installed in the affected system and thoroughly scanning for systems with poor admin passwords and then copying the worm’s code onto them. The W32.Moubot application can open, download and launch files in the system. The user can also be logged in or out of the user profile. The worm software can scan the system for the registry keys of retail games. The computer resources can also be used to participate in attacks against other computers. The application can run on the operating systems Windows XP, Windows NT, Windows ME, Windows 2000 and Windows 98. It commonly enters the system via network shares. It checks for resources that are weakly protected.