Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 02 Jun 2004
Damage: Medium

Characteristics: W32.Kobot.A is a worm that spreads through open network shares, telnet, dameware, realserv, VNC, and niprint. This particular worm uses three remotely exploitable Windows vulnerabilities to spread itself. The worm can also function as an email relay. It can also serve as a proxy for HTTP and SOCKS.

More details about W32.Kobot.A

The worm W32.Kobot.A uses the following vulnerabilities to propagate: The Microsoft Windows LSASS Buffer Overrun Vulnerability, The DCOM RPC vulnerability, and The Microsoft SQL Server Web Task Stored Procedure Privilege Escalation Vulnerability. When the worm is executed, it attempts to create a mutex called MSalltheway. It exits if it fails. It does this to make sure that only one instance of the worm runs on a computer at any time. It also attempts to connect to IRC servers using TCP port 4467. It waits for a command from the author through the IRC channel. The worm downloads and executes the patch for the Microsoft Windows LSASS Buffer Overrun vulnerability. The worm can also function as an email relay. It can also serve as a proxy for HTTP and SOCKS.

The W32.Kobot.A software is said to be bundled with other files. Users are often not aware that there are installers hidden in the free applications they download. The End User License Agreement (EULA) may inform the user that they will receive advertisements in exchange for using a free program. This may not inform them that advertising components will be installed in the system. This program can infect the Windows XP, Windows NT, Windows ME, Windows Server 2003, Windows 2000, Windows 95 and Windows 98.