W32.Solame.A


Aliases: Backdoor.Agent.n, Exploit-Mydoom, BackDoor.IRC.Sdbot.248, Backdoor:Win32/Agent.N, TROJ_AGENT.N
Variants: Win32:Trojan-gen., Backdoor Program, Win32/Agent.N

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 05 Apr 2004
Damage: Low

Characteristics: The W32.Solame.A program is a worm that propagates by using the backdoor that variants of W32.Mydoom@mm create.

More details about W32.Solame.A

The W32.Solame.A program is a worm that propagates by using the backdoor that the W32.Mydoom@mm variants create. When the worm is run, it moves itself to “%System%Msdspr.exe”. W32.Solame.A adds the value "Windows Automation"="msdspr.exe" to the registry key, so that the W32.Solame program runs when Windows starts. The worm also adds the value "Windows Automation"="msdspr.exe" to the registry key, so that the worm runs when Windows 95, 98, and Me start. The W32.Solame program connects to an IRC server and sends out abusive messages to users.

W32.Solame generates a random Internet Protocol (IP) address and performs a DNS lookup on this address. The worm then tries to connect to that IP address on port 3127/tcp, which is associated with the W32.Mydoom@mm variants. If the connection succeeds, the worm uses a malware command to spread and execute the worm. This activity can cause a noticeable slowdown on an infected system. An infected system may also make a large number of DNS queries every second for IP addresses.
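The connection pattern described above (one host trying port 3127/tcp on many random addresses in a short time) can be spotted in connection logs. The following is an added detection example, not part of the original write-up; the log format, the 60-second window, the threshold of 4 destinations and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BACKDOOR_PORT = 3127            # Mydoom backdoor port named on this page
WINDOW = timedelta(seconds=60)  # assumed detection window
MIN_DESTS = 4                   # assumed threshold of distinct destinations

# Constructed sample connection log: "time src dst dport proto"
SAMPLE_LOG = """\
2004-04-05T10:00:01 10.0.0.12 198.51.100.7 3127 tcp
2004-04-05T10:00:03 10.0.0.12 203.0.113.40 3127 tcp
2004-04-05T10:00:04 10.0.0.12 192.0.2.91 3127 tcp
2004-04-05T10:00:09 10.0.0.12 198.51.100.200 3127 tcp
2004-04-05T10:00:10 10.0.0.12 192.0.2.15 3127 tcp
2004-04-05T10:00:02 10.0.0.20 192.0.2.10 3127 tcp
2004-04-05T10:20:02 10.0.0.20 192.0.2.11 3127 tcp
2004-04-05T10:40:02 10.0.0.20 192.0.2.12 3127 tcp
2004-04-05T11:00:02 10.0.0.20 192.0.2.13 3127 tcp
2004-04-05T10:00:05 10.0.0.30 192.0.2.80 80 tcp
not a log record
"""

def scanning_hosts(log_text, port=BACKDOOR_PORT, window=WINDOW, min_dests=MIN_DESTS):
    """Return {src: most distinct destinations on `port` within one window}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ts, src, dst, dport, proto = line.split()
            record = (datetime.fromisoformat(ts), dst)
            on_port = int(dport) == port and proto.lower() == "tcp"
        except ValueError:
            continue  # skip blank or malformed lines
        if on_port:
            events[src].append(record)
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = best = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:  # slide window start forward
                start += 1
            best = max(best, len({dst for _, dst in evs[start:end + 1]}))
        if best >= min_dests:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(scanning_hosts(SAMPLE_LOG))
```

Only 10.0.0.12 is reported: 10.0.0.20 contacts the same port but too slowly to fit the window, and 10.0.0.30 uses a different port.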