W32.Reidana.A


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 24 Mar 2005
Damage: Low

Characteristics: W32.Reidana.A is a worm. It infects all Windows systems. It spreads by using the Microsoft Windows DCOM RPC vulnerability. The worm also attempts to download and execute a remote file. This worm is a slow infector. It causes low damage to an infected computer. It is also easy to remove.

More details about W32.Reidana.A

The worm W32.Reidana.A infects Windows systems. To propagate itself, it exploits a vulnerability and attempts to download and execute a remote file. When the worm is executed, it accesses the IP address 195.82.18.1. It also attempts to connect to randomly generated IP addresses using the Microsoft Windows DCOM RPC vulnerability on TCP port 139. This vulnerability is described in Microsoft Security Bulletin MS03-026. If the worm is successful, the worm sends shell code to the infected computer that opens TCP port 4444. It then attempts to download and executes a file named syzhost.exe. This file is downloaded from an FTP server on the nukestyles.com domain. The worm is classified under low risk. It does not do much damage on an infected computer. It can be easily removed from an infected system.

The W32.Reidana.A program can manipulate the files in the system. This includes both data and system files. They can be edited, moved, or deleted. Installed programs can be launched or closed without the user’s consent. The CD drives may open and close unexpectedly. Other malware applications can be added to the system. This includes adware, spyware, and Trojan software. Pop-up advertisements can be displayed in the infected system whenever it is connected to the Internet. A keylogger function may be used to capture the data as it is being typed. The browsing habits may also be recorded and sent to a remote server as market research.