W32.Woredbot


Aliases: BackDoor.Generic3.MCR, Backdoor.VanBot.i, Backdoor.Win32.VanBot.e, BDS/VanBot.E, Generic.Sdbot.71C86B81
Variants: W32/Sdbot-COV, W32/SdbotX.KON, W32/VanBot.A, Win32/Duiskbot.A, Win32:IRCBot-ABW

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 28 Aug 2006
Damage: Low

Characteristics: W32.Woredbot is a network-aware worm with backdoor capabilities. It spreads by exploiting the Microsoft Windows Server Service Remote Buffer Overflow Vulnerability described in Microsoft Security Bulletin MS06-040.

More details about W32.Woredbot

The W32.Woredbot.C worm opens a backdoor that gives unauthorized access to the infected computer, and it uses the Microsoft Windows Server Service Remote Buffer Overflow Vulnerability to spread. When executed, W32.Woredbot copies itself to “%System%\dllcache\mscom.exe”. It then creates a service with the following properties: Display Name: "MSCom" and Image Path: %System%\dllcache\mscom.exe. It creates a registry subkey to register that service. W32.Woredbot.C also changes a registry value to disable shared access on Windows XP/2000, changes a registry value to prevent NULL session identification of the host, and changes a further registry value to disable DCOM. W32.Woredbot.C then attempts to terminate processes whose names contain strings such as “anti”, “viru”, “troja”, “avp”, “nav”, “rav”, “reged”, “nod32”, “spybot”, “zonea”, “vsmon”, “avg”, “blackice”, “firewall”, “lockdown”, “f-pro”, “mcafee”, “Norton”, “sniff”, “kill”, “proc”, “kav”, “hijack” and others.

The worm can open a backdoor through an IRC server on TCP port 4915, allowing a remote attacker to execute commands on the compromised computer. The remote attacker could steal personal information entered on the system, and the worm can spread to other PCs by sending URL links through MSN, AOL Instant Messenger, Yahoo Messenger, and ICQ.
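The indicators above (the dropped file %System%\dllcache\mscom.exe, the service "MSCom", the list of process-name substrings the worm terminates, and the IRC backdoor on TCP port 4915) are enough for a first-pass triage check. The following Python script is an added example written for this page, not code from the original write-up or from any vendor tool; the function names, the record layouts it reads, and the sample service, netstat and process data are assumptions constructed for the example, and a hit on port 4915 alone should be treated as a lead to confirm against the file and service indicators rather than as proof of infection.

```python
import re

# Indicators taken from the description of W32.Woredbot above.
DROPPED_FILE_SUFFIX = r"\dllcache\mscom.exe"   # path below %System%
SERVICE_DISPLAY_NAME = "MSCom"
BACKDOOR_PORT = 4915

# Substrings the worm matches when choosing security-related processes to
# terminate (from the description). A responder can use the list to see
# which tools on a host would have been affected.
KILL_SUBSTRINGS = ["anti", "viru", "troja", "avp", "nav", "rav", "reged",
                   "nod32", "spybot", "zonea", "vsmon", "avg", "blackice",
                   "firewall", "lockdown", "f-pro", "mcafee", "norton",
                   "sniff", "kill", "proc", "kav", "hijack"]


def check_services(services):
    """services: list of (display_name, image_path) tuples, assumed to be
    collected from the Service Control Manager. Returns the entries that
    match the worm's service by display name or by image path."""
    hits = []
    for display_name, image_path in services:
        by_name = display_name.strip().lower() == SERVICE_DISPLAY_NAME.lower()
        # Strip surrounding quotes and compare only the tail of the path so
        # the check works whether or not %System% has been expanded.
        path = image_path.strip().strip('"').lower()
        by_path = path.endswith(DROPPED_FILE_SUFFIX.lower())
        if by_name or by_path:
            hits.append((display_name, image_path))
    return hits


# Assumed 'netstat -an'-style layout: proto, local addr:port, remote addr:port, state.
_NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+):(?P<lport>\d+)\s+"
    r"(?P<remote>\S+):(?P<rport>\d+)\s+(?P<state>\S+)")


def check_connections(netstat_lines):
    """Returns (remote_address, state) for TCP connections whose remote port
    is the backdoor IRC port named in the description."""
    hits = []
    for line in netstat_lines:
        m = _NETSTAT_LINE.match(line)
        if m and int(m.group("rport")) == BACKDOOR_PORT:
            hits.append((m.group("remote"), m.group("state")))
    return hits


def targeted_processes(process_names):
    """Returns the process names the worm's substring list would match, so a
    responder knows which security tools to expect missing on an infected
    host. Matching is case-insensitive because the description mixes case
    ('Norton' beside lowercase entries)."""
    return [p for p in process_names
            if any(s in p.lower() for s in KILL_SUBSTRINGS)]


if __name__ == "__main__":
    # Constructed sample data for demonstration only.
    sample_services = [
        ("Windows Update", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
        ("MSCom", r"C:\WINDOWS\system32\dllcache\mscom.exe"),
    ]
    sample_netstat = [
        "  TCP    192.168.1.10:1045     203.0.113.7:4915     ESTABLISHED",
        "  TCP    192.168.1.10:1046     198.51.100.2:80      ESTABLISHED",
    ]
    sample_processes = ["explorer.exe", "navapsvc.exe",
                        "zonealarm.exe", "notepad.exe"]
    print("service hits:   ", check_services(sample_services))
    print("connection hits:", check_connections(sample_netstat))
    print("would be killed:", targeted_processes(sample_processes))
```

Because the worm registers itself as a service and disables shared access, NULL sessions and DCOM, a host where the "MSCom" service exists alongside unexplained changes to those settings is a much stronger match than any single indicator; the script reports each indicator separately so the responder can weigh them together.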