Aliases: Worm.Win32.Kibuv.b, W32/Stdbot.worm.b, Win32.HLLW.LoveSan.based, W32/StdBot-B
Variants: W32.Kibuv.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 14 May 2004
Damage: Low

Characteristics: The memory-resident worm W32.Kibuv.B spreads through the Internet. It starts at an FTP server on port 7955 then downloads itself using different file names. It takes advantage of certain vulnerabilities in Windows.

More details about W32.Kibuv.B

The worm W32.Kibuv.B spreads using the Internet and exploits a vulnerability in Windows. These vulnerabilities include: Buffer Overrun in Messenger Service Vulnerability, IIS 5.0 WebDAV3 Vulnerability, the UPnP NOTIFY Buffer Overflow Vulnerability, Buffer Overrun In RPC Interface Vulnerability, and LSASS Vulnerability. This memory-resident worm starts an FTP server on port 7955. It downloads a copy of itself using several filenames. It also uses FTP and IRC channels to propagate. The worm is a Windows PE EXE file with a size of approximately 28Kb, packed using UPX. The worm is based on the source code of Backdoor.SdBot. To spread, the worm scans networks and chooses IP addresses randomly. It checks these addresses for LSASS, RPC, and IIS 5.0 vulnerabilities. It also checks port 5554 for FTP components of Worm.Win32.Sasser. It also checks for backdoor components left by I-Worm.Bagle.

When the system is infected, it launches an FTP server on port 7955 and installs a backdoor on port 420 ready to receive remote commands. The worm enters the IRC server and waits for a command to attack. The W32.Kibuv.B application is a computer worm that creates copies itself in the user’s computer. It may also spread to other computers in the network without the influence of the author or remote user. It can replace the entire files in the computer. The computer worm is also a memory resident Trojan program that propagates through network shares. This application functions primarily as a backdoor Trojan program. The W32.Kibuv.B program opens a random port that allows access to a remote user. It allows access to the computer through Internet Relay Chat (IRC). It will then join an IRC channel where it will listen for command from the remote user.