W32.Toxbot


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 10 Mar 2005
Damage: Low

Characteristics: W32.Toxbot is a worm that opens an IRC-controlled back door on the compromised computer and propagates by exploiting vulnerabilities.

More details about W32.Toxbot

The back door allows a remote attacker to download remote files, log keystrokes, steal system information, end processes, and steal cached passwords. The worm also propagates by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun, the Microsoft SQL Server Web Task Stored Procedure Privilege Escalation, and the Microsoft Windows ntdll.dll Buffer Overflow vulnerabilities. It tries to propagate to computers running MS SQL Server with weak passwords by connecting with the default "sa" account name and passwords such as admin, root, or sa. It also checks for VMware virtual infrastructure software by looking for a registry subkey, and W32.Toxbot will not run on computers where that software is present.

Once executed, W32.Toxbot creates a copy of itself as %System%\[RANDOM FILE NAME].exe. Generally, [RANDOM FILE NAME] is 8 characters long; observed examples include dhcpclient.exe, ciclient.exe, dxdllsvc.exe and TrkWksrv.exe. The worm may create a service with the Service Name ‘DHCP Client’ and the Display Name ‘Handling the DHCP requests’. Creating this service adds several registry entries. W32.Toxbot also adds "[DEFAULT]" = "Service" to the registry subkeys so that the worm runs each time Windows starts. The worm then contacts an IRC server on one of the following domains: DEADBEEF.my-secure.name, 99DEADBEEF.martiansong.com, 5555.devtech.us, 99DEADBEEF.my1x1.com, 99DEADBEEF.goingformars.com, or 5555.memzero.info.
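As an added defender-side example that is not part of this advisory, the Python below sweeps a service inventory record and DNS log lines for the indicators listed above (the worm's service name and display name, its example dropped-file names, and the IRC domains). The service record fields and the "timestamp client-ip qtype qname" log format are assumptions; the sample data is constructed.

```python
import re
from typing import Iterable

# Indicators quoted from the advisory text; the log format below is constructed.
IRC_C2_DOMAINS = {
    "deadbeef.my-secure.name", "99deadbeef.martiansong.com", "5555.devtech.us",
    "99deadbeef.my1x1.com", "99deadbeef.goingformars.com", "5555.memzero.info",
}
DROP_NAMES = {"dhcpclient.exe", "ciclient.exe", "dxdllsvc.exe", "trkwksrv.exe"}
WORM_SERVICE = ("dhcp client", "handling the dhcp requests")  # (name, display name)


def check_service(name: str, display_name: str, image_path: str) -> list[str]:
    """Reasons a service inventory record matches the Toxbot service described above."""
    reasons = []
    if (name.strip().lower(), display_name.strip().lower()) == WORM_SERVICE:
        reasons.append("service name and display name match the advisory")
    # Compare only the executable name; the advisory says it lives under %System%.
    exe = image_path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in DROP_NAMES:
        reasons.append(f"image {exe} is a dropped-file name from the advisory")
    return reasons


# Assumed DNS log format: "<timestamp> <client-ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def find_c2_lookups(dns_lines: Iterable[str]) -> list[tuple[str, str]]:
    """(client-ip, domain) pairs whose queried name is one of the advisory's IRC domains."""
    hits = []
    for line in dns_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole sweep
        client, qname = m.group(2), m.group(4).rstrip(".").lower()
        if qname in IRC_C2_DOMAINS:
            hits.append((client, qname))
    return hits


# Constructed sample data so the script runs stand-alone.
SAMPLE_DNS = [
    "2005-03-10T12:00:01 10.0.0.5 A www.example.com",
    "2005-03-10T12:00:02 10.0.0.5 A 99DEADBEEF.martiansong.com.",
    "garbage line",
    "2005-03-10T12:00:03 10.0.0.9 A 5555.memzero.info",
]

if __name__ == "__main__":
    print(check_service("DHCP Client", "Handling the DHCP requests",
                        r"C:\WINDOWS\system32\dxdllsvc.exe"))
    print(find_c2_lookups(SAMPLE_DNS))
```

A hit on the domain list alone is a strong signal; the service check is meant to be run against a full service export, since random 8-character file names cannot be matched by name alone.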