Aliases: Net-Worm.Win32.AllocUp.a, W32/Allocu-A, BKDR_ROBOBOT.AD, Flooder.Boxed, Worm/Robobot
Variants: DDoS-Boxed, Net-Worm.Win32.AllocUp.c, Win32.Worm.Dedler.AM, W32/Dedler.AM.worm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America
Removal: Hard
Platform: W32
Discovered: 04 Apr 2005
Damage: Medium

Characteristics: Considered as a type of network aware malware, the W32.AllocUp.A is capable of opening an unsecured backdoor using random TCP ports of the compromised computer system. It also exploits certain vulnerabilities of the Local Security Authority Service of the operating system causing buffer overflow.

More details about W32.AllocUp.A

The W32.AllocUp.A program allegedly exploits certain vulnerabilities of the Local Security Authority Service of the Operating System causing buffer overflow. The file msveup.exe is extracted into the System folder of the Windows directory. This file serves as the main executable file of the W32.AllocUp.A malware. A corresponding Windows Registry key is created for this executable file. This allows the malware to load automatically on system startup. The W32.AllocUp.A program also disables various services and processes that are associated to security programs and protocols. This allows the malware to illegally terminate protection mechanisms without the user's knowledge creating a false sense of security. When the backdoor is opened by the W32.AllocUp.A program, it automatically sends out a notification to the attacker. This alert is a signal to the malicious author that the compromised computer system is now ready to receive remote commands.

Once the alert has been received, the Web browser is automatically launched to connect to the doalloc.com, rpcset.com, upalloc.com, and nevertest.com domains where multiple copies of the readme001.txt are downloaded into the machine. The text file actually contains a listing of more websites where the W32.AllocUp.A malware can download and execute additional dangerous codes. In this context, the infected machine becomes storage of more malicious and dangerous routines. Once the downloading routine is initiated by the W32.AllocUp.A malware, it simultaneously scans for available unprotected network shares by exploiting the LSAS service of the Operating System.