Aliases: WORM_ZOTOB.O, W32/Hiberium.gen, Worm/Hiberium.B, W32/Hiberi-B, Worm:Win32/Hiberium.A
Variants: Net-Worm.Win32.Hiberium.b, Win32.Worm.Hiberium.B, Suspect File, Win32/Hiberium.B

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, South America, Europe
Removal: Easy
Platform: W32
Discovered: 16 Sep 2005
Damage: Low

Characteristics: The Plug and Play functionality of the operating system is one of the useful tools for a computer user. This feature allows the attachment of a device without requiring the installation of its associated driver. This functionality however is the same one exploited by the W32.Iberio malware which creates a buffer overflow in the compromised computer system. This Worm is capable of creating an unsecured backdoor on the machine.

More details about W32.Iberio

Execution of this Worm into a vulnerable computer system will initially create a mutex to mark the infected machine. This routine is normally done by the W32.Iberio to make sure that only one instance of its code is active during runtime. It will proceed to modify the Windows Registry with the creation of a new key value that will include it in the startup items of the host machine. Once the W32.Iberio has completed its installation it will resume to download a number of RAR and EXE format files from predetermined websites that are possibly under the control of its malicious author. The RAR files contains the unpacked version of the W32.Iberio malware's code and executable.

The executable file downloaded by the W32.Iberio will be launched in the host computer system. This routine will initiate a keystroke logger application in the compromised machine. The Plug and Play vulnerability of the operating system will be exploited by this Worm in order to initiate its propagation routine. The W32.Iberio will begin to target remote computer systems through randomly generated Internet Protocol addresses. It however ignores Internet Protocol addresses which have been hard coded by the malicious author. The W32.Iberio will connect to a predetermined domain to take control of remote machines via the CMD process.