[email protected]

Aliases: W32/Fanbot-H, WORM_FANBOT.A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 17 Oct 2005
Damage: Medium

Characteristics: This is another mass mailing worm that is packed with NsPack and affects all Windows Operating Systems platforms. It installs itself as a service. It also decreases security settings on the compromised computer. It also propagates by exploiting the Microsoft Windows Plug and Play Buffer Overflow vulnerability and through peer-to-peer networks. It has backdoor capabilities of copying itself into P2P folders and spread itself without executing. Tell-tale signs that this virus is present are the following, there is an increase on hard disk activity and there will be tons of unrecoverable loss of data.

More details about [email protected]

This virus also displays a fake error message in a blue screen window box, having in the title, “Error.” While on the body, “The file could not be opened!” This file commands a service every time Windows starts. It also commands in connecting TCP port 5262 and or IRC servers, namely, jojogirl.3322.org domain and SmallPhantom.meibu.com domain. Once it’s connected, it will execute files, download files, retrieve system information, remove or update the worm, start or stop the mass-mailing routine. list threads, send a log file of the worm, restart or shut down the computer, replace Default.htm file in the document root folder of Microsoft IIS, clear the event log, end threads, read files, access URLs, open and close the CD-ROM tray, create a remote shell to allow the attacker to execute any command, perform DNS attacks, upload files by ftp.exe and redirect UDP packets.

Security experts allege that this worm is malware because of the malicious payload it carries with it. It has been responsible for several unwanted changes in the user’s system such changes in the Internet and browser configurations. It also generates more than normal amount of popups even when the user is offline. Reports claim that this worm makes the transmission of personally identifiable information (PII) to undisclosed parties without the user even knowing or authorizing such transmission possible. A marked slowing down in computer is likewise observed since this worm diverts the computer’s resources in favor of the worm to allow the execution of its actions.