W32.HLLW.Acebo


Aliases: Backdoor.IRC.Acebo, BKDR_NEWBIERO.A, Win32.Acebot, Worm.Newbiero, Trojan.Acebot-1
Variants: Worm.Win32.Newbiero.01, W32/AceBot.worm, BackDoor.Acebot.10, Troj/Bdoor-ABN, Worm/Newbiero

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: Moderate
Geographical info: North America, Europe, Australia, Asia
Removal: Easy
Platform: W32
Discovered: 24 Apr 2002
Damage: Low

Characteristics: This malware exhibits the general characteristics of a Trojan horse, using deceptive techniques to deliver its payload. W32.HLLW.Acebo opens an unsecured backdoor on the infected computer system, giving a remote attacker total access to the machine and its resources. It can also penetrate network environments by exploiting weaknesses in shared drives.

More details about W32.HLLW.Acebo

This malware belongs to a class of Trojan horses with multiple variants. When executed on the infected computer system, W32.HLLW.Acebo drops an executable file into the operating system directory. The filename is randomly generated by the malware, and a matching key value entry is written to the Windows Registry. Once the new executable has been installed, W32.HLLW.Acebo deletes the original file from the system. Upon execution it attempts to connect to an Internet Relay Chat (IRC) server, where it waits for additional instructions from the attacker. The malicious author can use W32.HLLW.Acebo to hijack the infected computer system and generate ICMP/IGMP attacks. This malware gives the attacker complete control over the machine.

W32.HLLW.Acebo terminates specific firewall applications that may be present on the infected computer system. With the firewall protection turned off, the remote attacker has less obstructed control over the features of the compromised machine. W32.HLLW.Acebo also allows the computer system to be logged off or shut down from a remote location. W32.HLLW.Acebo may copy an instance of itself to the startup programs of network clients, using shared drives as the transport mechanism. The attacker can terminate the malware's process remotely to prevent detection.
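The two artifacts described above, an autorun registry value pointing at a randomly named executable in the OS directory and an outbound IRC connection, are what a defender would look for first. The following triage helper is an added example and not code from the original entry or from any vendor; the Run-key entries and connection list are constructed sample data, the system-binary allow-list is a placeholder, and port 6667/TCP is assumed as the default IRC port since the entry names none.

```python
import ntpath

# Constructed sample data (not from the original entry): autorun values as
# (value_name, command) pairs, and outbound TCP connections as (remote_ip, port).
RUN_ENTRIES = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("SynTPEnh", r'"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"'),
    ("xqzvkpl", r"C:\WINDOWS\system32\xqzvkpl.exe"),  # randomly named dropped copy
]
CONNECTIONS = [
    ("192.0.2.10", 443),
    ("198.51.100.7", 6667),  # outbound IRC, where the bot would wait for commands
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\winnt\system32", r"c:\windows")
# Placeholder allow-list of binaries legitimately started from the system directory;
# in real use, build it from a known-good baseline image of the same Windows build.
KNOWN_SYSTEM_BINARIES = {"ctfmon.exe", "rundll32.exe", "userinit.exe"}
IRC_PORTS = {6667}  # assumption: the default IRC port; the entry names no port


def target_path(command):
    """Extract the executable path from an autorun command line (quoted or bare)."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]


def looks_random(stem):
    """Crude heuristic: a filename stem with no vowels at all reads as generated."""
    return not any(c in "aeiouy" for c in stem.lower())


def suspicious_run_entries(entries):
    """Autorun values whose target lives in the OS directory but is not a known binary.
    Returns (value_name, exe_path, random_looking_name) for each hit."""
    hits = []
    for value_name, command in entries:
        exe = target_path(command)
        directory = ntpath.dirname(exe).lower()
        filename = ntpath.basename(exe).lower()
        if directory in SYSTEM_DIRS and filename not in KNOWN_SYSTEM_BINARIES:
            stem, _ = ntpath.splitext(filename)
            hits.append((value_name, exe, looks_random(stem)))
    return hits


def irc_connections(conns):
    """Outbound connections to IRC ports; in real triage, map each back to its owning process."""
    return [(ip, port) for ip, port in conns if port in IRC_PORTS]


if __name__ == "__main__":
    for value_name, exe, random_name in suspicious_run_entries(RUN_ENTRIES):
        print(f"autorun {value_name!r} -> {exe} (random-looking name: {random_name})")
    for ip, port in irc_connections(CONNECTIONS):
        print(f"IRC connection to {ip}:{port}")
```

A hit on both checks for the same process is a strong lead; either one alone only narrows the list of files and sockets to inspect.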