W32.Beavuh


Aliases: DoS.GhostDog(AVP), W32/Beavuh.worm
Variants: IIS.Beavuh-Exploit, Exploit.IIS.PrinterOverflow.i, Exploit-IIS.Print, W32.IIS.PrinterOverflow.G 

Classification: Malware
Category: Trojan Horse

Status: Inactive
Spreading: Moderate
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 13 Sep 2001
Damage: Medium

Characteristics: The Trojan horse W32.Beavuh is used by remote attackers to gain control of unpatched IIS servers. It exploits the Internet Printing Protocol (IPP) vulnerability, also known as the Beavuh Exploit, which lets an attacker take control of the server.

More details about W32.Beavuh

The W32.Beavuh program is used by remote attackers as a backdoor utility for entering target computer systems. Before it can attack, the Trojan needs some information: the IP address and port number of the destination server, and the port number on which the exploit code will connect back to provide a command shell. Once W32.Beavuh has this information, it uses the IIS.Beavuh Exploit code to attack the target host. If the target host is vulnerable, the remote attacker gains access to the server and can run arbitrary code on it. The IPP (Internet Printing Protocol) functionality exploited by W32.Beavuh is implemented in IIS (Internet Information Server) as an ISAPI extension.

According to some research, there is an authenticated, remote vulnerability in Microsoft's implementation of IPP on Windows operating systems running IIS. An integer overflow in the IPP implementation can permit an authenticated remote attacker to execute arbitrary code on affected IIS servers. Consequently, a remote attacker who successfully exploits the IPP vulnerability using the W32.Beavuh Trojan can take full control of the compromised machine, install additional malware, set up new accounts, and view, alter or delete important data.
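The attack flow described in the two paragraphs above (an inbound request to the IPP ISAPI extension, then the exploited server connecting back to the attacker's chosen port for a command shell) is something a defender can look for in logs. The following is an added detection example written for this entry; it is not code from the entry, from the malware, or from Microsoft. It assumes that IIS 5.0 reaches the IPP ISAPI extension through URLs ending in `.printer`, that the callback goes to the same IP the exploit request came from, that a 1024-byte request-size threshold separates print jobs from exploit attempts, and it uses constructed IIS W3C-style and host-firewall log lines in a simplified format.

```python
"""Added detection example, not code from the original entry or from the malware.

It correlates an inbound request to the IIS Internet Printing Protocol (IPP) ISAPI
extension with a subsequent outbound TCP connection from the web server back to the
requesting host: the "connect back to a command shell" pattern the entry describes.
All log lines are constructed for this example."""
from datetime import datetime, timedelta

# Constructed IIS W3C-style lines: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
2001-09-13 10:01:02 192.0.2.10 GET /default.htm 200 310
2001-09-13 10:01:09 192.0.2.77 GET /printers/hp.printer 500 2480
2001-09-13 10:01:40 192.0.2.10 GET /printers/hp.printer 200 410
2001-09-13 10:02:30 192.0.2.10 GET /index.htm 200 295
"""

# Constructed host-firewall lines: date time direction proto src dst action
FW_LOG = """\
2001-09-13 10:01:10 OUT TCP 10.0.0.5:1041 192.0.2.77:4444 ALLOW
2001-09-13 10:03:00 OUT TCP 10.0.0.5:1042 10.0.0.2:53 ALLOW
"""

# Assumption: IIS 5.0 routes URLs ending in .printer to the IPP ISAPI extension.
IPP_SUFFIX = ".printer"
# Assumption: a legitimate IPP request is far smaller than this; tune to your baseline.
MAX_EXPECTED_REQUEST_BYTES = 1024
CALLBACK_WINDOW = timedelta(seconds=60)


def _ts(date, time):
    return datetime.fromisoformat(f"{date} {time}")


def parse_iis_log(text):
    """Parse W3C-style IIS lines; '#' directive lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, cip, method, stem, status, cbytes = line.split()
        events.append({"ts": _ts(date, time), "client": cip, "method": method,
                       "stem": stem, "status": int(status), "bytes": int(cbytes)})
    return events


def parse_fw_log(text):
    """Parse the constructed firewall lines into connection records."""
    events = []
    for line in text.splitlines():
        if not line:
            continue
        date, time, direction, proto, src, dst, action = line.split()
        dhost, dport = dst.rsplit(":", 1)
        events.append({"ts": _ts(date, time), "dir": direction, "proto": proto,
                       "dst": dhost, "dport": int(dport), "action": action})
    return events


def oversized_ipp_requests(iis_events):
    """Requests to the IPP extension far larger than a normal print-job submission."""
    return [e for e in iis_events
            if e["stem"].lower().endswith(IPP_SUFFIX)
            and e["bytes"] > MAX_EXPECTED_REQUEST_BYTES]


def correlate_callbacks(iis_events, fw_events, window=CALLBACK_WINDOW):
    """Pair each oversized IPP request with an outbound connection from the server back
    to the requesting client inside the window.  A web server has no reason to open
    TCP sessions to its own clients, so a match is a strong reverse-shell indicator."""
    alerts = []
    for req in oversized_ipp_requests(iis_events):
        for conn in fw_events:
            if conn["dir"] != "OUT" or conn["dst"] != req["client"]:
                continue
            if req["ts"] <= conn["ts"] <= req["ts"] + window:
                alerts.append({"client": req["client"], "stem": req["stem"],
                               "request_bytes": req["bytes"],
                               "callback_port": conn["dport"],
                               "delay_s": int((conn["ts"] - req["ts"]).total_seconds())})
    return alerts


if __name__ == "__main__":
    for a in correlate_callbacks(parse_iis_log(IIS_LOG), parse_fw_log(FW_LOG)):
        print("ALERT: oversized IPP request from %(client)s to %(stem)s "
              "(%(request_bytes)d bytes) followed %(delay_s)ds later by an outbound "
              "connection to port %(callback_port)d" % a)
```

On the constructed data only the 2480-byte request from 192.0.2.77 is flagged, because it is both oversized and followed one second later by the server opening a connection back to that client; the normal-sized request to the same `.printer` URL from 192.0.2.10 is ignored. The size threshold and the requirement that the callback target equal the requesting IP both reduce noise, but an attacker can direct the shell to a different host, so a broader rule would also alert on any outbound connection the IIS host initiates to an address outside its known dependencies. Applying the vendor patch and removing the IPP ISAPI mapping where printing over HTTP is not needed remain the actual fix.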