Aliases: W32/Celebit.worm [McAfee], I-Worm.Celebit [KAV], W32/Celebit-A [Sophos]

Classification: Malware
Category: Computer Worm

Status: active & spreading
Spreading: slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: easy
Platform: W32
Discovered: 03 Jun 2003
Damage: Low

Characteristics: This threat is classified as a Worm - Mass Mailer. A mass mailing e-mail worm is self-contained malicious code that propagates by sending itself via e-mail.

More details about W32.Celebite.Worm

The program is identified as a network worm. The W32.Celebite.Worm application propagates itself through Internet Relay Chat (IRC) channels. The program exploits vulnerabilities in the Windows operating system; these security gaps allow the application to execute on connected computers with administrator privileges. The program uses network shares protected with weak passwords, as well as unsecured folders, to distribute threats to computers within the network. The application is encrypted with a predefined list of user names and passwords to be used on secured network shares.

The W32.Celebite.Worm program has backdoor functions. The application opens a Transmission Control Protocol (TCP) port to establish a connection with an IRC server.

A remote user may send commands to the computer over IRC by joining an IRC channel. These remote instructions may include terminating running processes, modifying the system configuration and downloading additional files from the Internet.

The W32.Celebite.Worm application uses rootkit functions to hide its operation on the computer. The program uses a rootkit tool to rename its core components so that they appear as legitimate Windows processes. The rootkit technology used by the application disables security utilities on the computer such as personal firewalls and anti-virus programs. The application may terminate processes related to the W32.Celebite.Worm program.