W32.Scane


Aliases: Exploit-MS04-011.gen, W32/Wort-D, BKDR_WORTBOT.A, TR/Expl.DcomRpc
Variants: Exploit.MS04-011, Win32.Wort.D, Bck/WortBot.E, Win32/Wortbot.C

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 26 Aug 2004
Damage: Low

Characteristics: The W32.Scane program is a worm that tries to propagate by exploiting the MS Windows LSASS Buffer Overrun Vulnerability.

More details about W32.Scane

When the W32.Scane worm opens, it may duplicate itself as “%System%\servicec.exe”. Take note that %System% is a variable that submits to the folder of your system. By default, it is “C:\Windows\System32 (Windows XP)” or “C:\Winnt\System32 (Windows NT/2000)”. Then, the worm adds some values to the registry key, so that the worm opens whenever you launch windows. The W32.Scane makes a lot of threads that try to link to a block of Internet Protocol addresses by using the MS Windows Buffer Overrun Vulnerability on the TCP port 445. When finished, the remote system tries to get a duplicate of the W32.Scane from the host.

Reports claim that the W32.Scane program enables a hacker to influence a computer from a remote location and perform various actions on the said computer. With the program, the hacker can change the system registry, modify files, log keystrokes, download and execute codes and perform Denial of Service (DoS) attacks. Just like any other malware application, the W32.Scane is installed by taking advantage of gaps in the security settings of the computer. It is typically installed without user interaction and consent. It is usually contracted by the computer as an email attachment especially when it came from unknown senders.