Aliases: WORM_KERBOT.A, Win32/Kerbot.A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 03 Nov 2008
Damage: Medium

Characteristics: The worm W32.Kernelbot.A spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874) and through file-sharing or peer-to-peer networks. It may also download files onto the target computer. The worm infects all Windows versions and does moderate damage to the computer.

More details about W32.Kernelbot.A

The worm W32.Kernelbot.A propagates by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), which was described in IntelliShield Alert 16941, and other vulnerabilities. It also propagates through P2P file-sharing networks. When it arrives by exploiting a network vulnerability, the worm is dropped as the file “6767.exe” or “kernekdbg.exe”. When it arrives through P2P file-sharing networks, it uses filenames such as [Asian Characters].exe, keygens.exe, iedvv.exe, or MOV_[HEXADECIMAL STRING]_[WEB SITE]_[ASIAN CHARACTERS].exe. The worm may attempt to disable 360Safe security software by modifying registry keys associated with that program. It creates registry keys that may terminate security-related processes such as 360tray.exe and rstray.exe. It may also attempt to remove security-related registry keys so that the system can no longer start in Safe Mode, and it blocks access to antivirus and other security-related websites.
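As an added defender-side triage example (not part of the original entry and not a vendor tool), the following Python script checks an exported registry fragment, a hosts file and a directory listing for the indicators this entry names. It assumes the process-terminating keys are Image File Execution Options “Debugger” entries, that Safe Mode is disabled by removing the SafeBoot\Minimal branch, and that website blocking is done through the hosts file; those mechanisms, the registry paths, the vendor-domain list and all sample inputs are assumptions or constructed data, not facts stated on this page.

```python
# Indicators taken from the entry above: dropped filenames and targeted security processes.
DROPPED_FILES = {"6767.exe", "kernekdbg.exe", "keygens.exe", "iedvv.exe"}
TARGET_PROCESSES = {"360tray.exe", "rstray.exe"}
# Constructed sample of security-vendor domains to watch for in the hosts file.
SECURITY_DOMAINS = ("360safe.com", "symantec.com", "kaspersky.com")
# Assumed mechanisms (not stated on the page): IFEO "Debugger" hijack, SafeBoot key removal.
IFEO = r"hklm\software\microsoft\windows nt\currentversion\image file execution options"
SAFEBOOT = r"hklm\system\currentcontrolset\control\safeboot\minimal"

def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data}} with lower-cased names."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower().replace("hkey_local_machine", "hklm")
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"').lower()] = data.strip().strip('"')
    return keys

def triage(reg_text, hosts_text, file_listing):
    """Return the list of matched indicators; empty means nothing from this entry matched."""
    findings, reg = [], parse_reg_export(reg_text)
    for key, values in reg.items():
        if key.startswith(IFEO + "\\"):
            target = key.rsplit("\\", 1)[1]
            if target in TARGET_PROCESSES and "debugger" in values:
                findings.append(f"IFEO hijack: {target} -> {values['debugger']}")
    # The export is assumed to cover the SafeBoot branch, so its absence is suspicious.
    if not any(k.startswith(SAFEBOOT) for k in reg):
        findings.append("SafeBoot\\Minimal missing: Safe Mode likely disabled")
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[1].lower().endswith(SECURITY_DOMAINS):
            findings.append(f"hosts redirect: {parts[1]} -> {parts[0]}")
    findings += [f"dropped file: {n}" for n in file_listing if n.lower() in DROPPED_FILES]
    return findings
# Constructed sample inputs mimicking an infected host (not real captures).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\WINDOWS\\kernekdbg.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="ntsd -d"
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 www.360safe.com  # added by the worm\n"
SAMPLE_FILES = ["report.doc", "6767.exe", "Kernekdbg.exe"]
FINDINGS = triage(SAMPLE_REG, SAMPLE_HOSTS, SAMPLE_FILES)
```

The notepad.exe entry in the sample is a decoy to show that only Debugger entries for the processes named in this entry are flagged.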

The W32.Kernelbot.A application has backdoor functionality that may allow access to remote users. A remote user may add or remove files on the computer through the connection opened by the backdoor, and may also collect information stored on the computer. The application may have several modes of installation. It usually spreads through Internet Relay Chat (IRC) channels and peer-to-peer (P2P) file-sharing networks. The W32.Kernelbot.A program encrypts itself into the files found in the P2P folder and usually renames its copy so as not to arouse suspicion among P2P users. The computer worm may also spread via network shares and spam e-mails.