Aliases: Hacktool.DCOMScan, Win32.Berkor.A, Net-Worm.Win32.Padobot.z, Exploit-DcomRpc.gen, W32/Doxpar-C
Variants: WORM_KORGO.AG, Net-Worm.Win32.Padobot.z, Win32/Padodor.NAU, W32/Korgo.gen.worm, Win32.Worm.Padobot.Z

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 10 May 2005
Damage: Medium

Characteristics: One of the most common properties identified by most computer experts with an infection of this malware is the illegal termination of security services and processes on the compromised computer system. The W32.Ifbo.A has also been observed to take advantage of the remote buffer overflow vulnerability that is found in the unpatched version of the Local Security Authority Service of the operating system.

More details about W32.Ifbo.A

When first executed in an infected computer system, the W32.Ifbo.A will create a new key value in the Windows Registry service of the operating system in order to serve as a marker for an infected machine. The malware will proceed to scan the compromised computer system for the presence of security applications and services. The W32.Ifbo.A will disable and eventually completely remove all security processes and monitoring tools from the infected machine. This routine is an attempt to complicate its detection and removal from the machine. The running services of the files to be deleted will initially be stopped by the W32.Ifbo.A without the user's knowledge giving a false sense of security because no indication will be made of their termination.

Once the W32.Ifbo.A has successfully lowered the security settings of the infected computer system it will proceed by creating an HTTP server in the machine. This server will normally make use of the TCP port 80 which is also the same communication port associated with accessing the Internet. When the strings xxx and GET are contained in server requests, the W32.Ifbo.A will respond by sending a copy of itself to the requesting party. The remote buffer overflow vulnerability of the Local Security Authority Service will be exploited by the W32.Ifbo.A using the TCP port 445 of the infected computer system.