W32.Multex.B


Aliases: W32.Sykel, Worm.P2P.Multex.b, Win32/HLLW.Secef.A
Variants: BackDoor.Surila.K, Backdoor.Mydoom.W, Trojan.Surila.J, W32/Fome.A.worm, Win32/Surila.J

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 10 Sep 2004
Damage: Low

Characteristics: This malware is a peer-to-peer (P2P) worm that can spread by using the KaZaa file sharing network. It also attempts to exploit the LSASS Buffer Overrun Vulnerability of Microsoft Windows, a buffer overrun in the Local Security Authority Subsystem Service (LSASS). When this vulnerability is successfully exploited, remote users are able to execute code on the affected machine and take full control of the system.

More details about W32.Multex.B

Once run, this security risk copies an executable file, believed to be a copy of itself, into the system. It also adds a value to a certain registry key so that it runs with Windows during startup. W32.Multex.B likewise creates copies of its code with the file extensions .pif, .scr and .exe and places them in the KaZaa shared folders. The worm then starts an FTP (file transfer protocol) server on a randomly chosen port. It proceeds to generate random IP addresses and attempts to connect to each of them on TCP port 445. If a connection is successfully made, the malware sends shellcode to the remote machine that allows the worm to launch a remote shell on a randomly chosen TCP port.

W32.Multex.B then uses that shell to connect back to the FTP server it started and retrieves a copy of itself. This security threat also sends predefined messages to all contacts in the ICQ contact list. The sent messages contain links that retrieve copies of other malware, such as Backdoor.Nemog.C and W32.Mydoom.V@mm. The W32.Multex.B program creates copies of itself across the computer network and spreads from machine to machine. The computer worm collects e-mail addresses stored on the user's computer and sends itself to those addresses. It may also create copies of itself in the computer's shared folders, and it may spread via removable media.
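As an added example (not code from the original page), the following Python checks connection logs for the spreading pattern described above: one host reaching many distinct addresses on TCP port 445 within a short window, which is what random-address scanning by this worm looks like from the network side. The log format, the sample lines and the window/threshold values are assumptions.

```python
from collections import defaultdict

# Constructed sample log lines (not real traffic), assumed format:
# "<epoch> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
1094745600 10.0.0.5 10.0.0.9 445 allow
1094745601 10.0.0.5 198.51.100.17 445 deny
1094745601 10.0.0.5 203.0.113.44 445 deny
1094745602 10.0.0.5 192.0.2.88 445 deny
1094745602 10.0.0.5 198.51.100.203 445 deny
1094745603 10.0.0.5 203.0.113.7 445 deny
1094745603 10.0.0.5 192.0.2.150 445 deny
1094745604 10.0.0.7 10.0.0.9 445 allow
1094745605 10.0.0.7 10.0.0.2 80 allow
1094745900 10.0.0.5 192.0.2.3 445 deny
"""


def parse_line(line):
    """Split one assumed-format log line into typed fields."""
    ts, src, dst, dport, action = line.split()
    return int(ts), src, dst, int(dport), action


def find_445_scanners(log_text, window=60, threshold=5):
    """Return {src: max_distinct_dsts} for every source that connects to
    at least `threshold` distinct destinations on TCP 445 within any
    sliding window of `window` seconds. Normal hosts talk to a handful of
    file servers; a worm generating random addresses fans out quickly."""
    events = defaultdict(list)          # src -> [(ts, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if dport == 445:
            events[src].append((ts, dst))

    hits = {}
    for src, evs in events.items():
        evs.sort()                      # order by timestamp
        for i, (t0, _) in enumerate(evs):
            # Distinct destinations reached in [t0, t0 + window]
            seen = {dst for ts, dst in evs[i:] if ts - t0 <= window}
            if len(seen) >= threshold:
                hits[src] = max(hits.get(src, 0), len(seen))
    return hits


if __name__ == "__main__":
    print(find_445_scanners(SAMPLE_LOG))   # {'10.0.0.5': 7}
```

The single 445 connection from 10.0.0.7 and the late, isolated one from 10.0.0.5 at 1094745900 fall below the threshold, so only the burst of seven destinations is reported.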