Aliases: W32/Fanbot-H, WORM_FANBOT.A
Variants: N/A
Classification: Malware
Category: Computer Worm
Status: Dormant
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 17 Oct 2005
Damage: Medium
Characteristics: This is another mass-mailing worm. It is packed with NsPack and affects all Windows operating system platforms. It installs itself as a service and lowers security settings on the compromised computer. It also propagates by exploiting the Microsoft Windows Plug and Play buffer overflow vulnerability and through peer-to-peer networks: it has the backdoor capability of copying itself into P2P shared folders, from which it can spread without being executed by the worm itself. Tell-tale signs that this worm is present are an increase in hard disk activity and large amounts of unrecoverable data loss.
This worm also displays a fake error message in a blue screen window box with the title “Error” and the body text “The file could not be opened!” It registers a service that runs every time Windows starts. It also connects on TCP port 5262 to IRC servers, namely the domains jojogirl.3322.org and SmallPhantom.meibu.com. Once connected, it can execute files, download files, retrieve system information, remove or update the worm, start or stop the mass-mailing routine, list threads, send a log file of the worm, restart or shut down the computer, replace the Default.htm file in the document root folder of Microsoft IIS, clear the event log, end threads, read files, access URLs, open and close the CD-ROM tray, create a remote shell that allows the attacker to execute any command, perform DNS attacks, upload files via ftp.exe, and redirect UDP packets.
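A defender-side check for the command-and-control behaviour described above, written as an added example (not code from the original page): it scans constructed DNS and firewall log lines for the IRC domains and the TCP port named here. The log line formats are assumed for this example and do not correspond to any particular product.

```python
"""Flag log events matching the Fanbot IRC C2 indicators given above.
The log lines below are constructed for this example; only the port and
domain values come from the worm description."""
import re
from dataclasses import dataclass

# Indicators taken from the description: IRC C2 port and domains.
C2_PORT = 5262
C2_DOMAINS = {"jojogirl.3322.org", "smallphantom.meibu.com"}

# Assumed log shapes (constructed): a DNS line carrying "query=<name>" and
# a firewall line carrying "proto=<proto> dst=<ip>:<port>".
DNS_RE = re.compile(r"query=(?P<name>[\w.-]+)")
CONN_RE = re.compile(r"proto=(?P<proto>\w+)\s+dst=(?P<ip>[\d.]+):(?P<port>\d+)")


@dataclass
class Hit:
    line_no: int   # 1-based index of the matching log line
    reason: str    # which indicator matched


def scan(lines):
    """Return a Hit for every line that matches a Fanbot C2 indicator."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = DNS_RE.search(line)
        # Normalise case and a trailing dot so "SmallPhantom.meibu.com." matches.
        if m and m.group("name").lower().rstrip(".") in C2_DOMAINS:
            hits.append(Hit(no, f"DNS lookup of C2 domain {m.group('name')}"))
            continue
        m = CONN_RE.search(line)
        # The description names TCP 5262; UDP to the same port is not flagged.
        if m and m.group("proto").lower() == "tcp" and int(m.group("port")) == C2_PORT:
            hits.append(Hit(no, f"outbound TCP to port {C2_PORT} ({m.group('ip')})"))
    return hits


# Constructed sample log lines; addresses are documentation ranges.
SAMPLE_LOGS = [
    "2005-10-17T10:01:02 host=ws12 query=www.example.com type=A",
    "2005-10-17T10:01:05 host=ws12 query=jojogirl.3322.org type=A",
    "2005-10-17T10:01:06 host=ws12 proto=tcp dst=203.0.113.7:5262 action=allow",
    "2005-10-17T10:02:00 host=ws13 proto=udp dst=203.0.113.7:5262 action=allow",
    "2005-10-17T10:02:10 host=ws13 query=SmallPhantom.meibu.com. type=A",
    "2005-10-17T10:03:00 host=ws14 proto=tcp dst=198.51.100.9:443 action=allow",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.reason}")
```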
Security experts classify this worm as malware because of the malicious payload it carries. It has been responsible for several unwanted changes to the user’s system, such as changes to Internet and browser configuration. It also generates a larger than normal number of pop-ups, even when the user is offline. Reports claim that this worm makes it possible for personally identifiable information (PII) to be transmitted to undisclosed parties without the user knowing about or authorizing the transmission. A marked slowdown of the computer is likewise observed, since the worm diverts the computer’s resources to the execution of its own actions.