Aliases: W32/rbit.worm, backdoor.tankedoor.02, W32.kwbot.b.worm, W32/etern.worm
Variants: W32.Kwbot.Worm, W32.Kwbot.C.Worm, W32.Kwbot.Y.Worm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32 (32-bit Windows)
Discovered: 02 Jan 2003
Damage: Medium

Characteristics: W32.Kwbot.B.Worm propagates over the Kazaa file-sharing network and also acts as a backdoor Trojan: it lets a remote attacker take control of the infected computer and steal sensitive information. The worm is written in Microsoft Visual C++ and packed with UPX.

More details about W32.Kwbot.B.Worm

W32.Kwbot.B.Worm spreads over the Kazaa file-sharing network. When executed, it copies itself to disk as MSIstall61.exe and adds registry values so that the copy runs each time Windows starts. It then opens a randomly chosen TCP/UDP port for the attacker's connection. To reach other computers, the worm places copies of itself in the default Kazaa shared folder under enticing filenames drawn from a built-in list, for example HortGirls.exe and Pamela_anderson.scr, so that other Kazaa users download and run them. The worm contains its own IRC client and takes commands from the attacker over an IRC channel. These commands let the attacker manage the backdoor installation, control the IRC client on the infected machine, update the installed Trojan, and send it to other IRC channels to spread further. Because the listening port is chosen at random, a fixed port-based firewall rule is not a reliable indicator; the dropped file, the startup registry entries, and unexpected outbound IRC traffic are the more useful signs of infection.
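The file-system side of that description can be turned into a simple scan of a shared folder. The script below is an added example written for this page, not code from the original entry or from any antivirus vendor: it walks a directory, flags the dropped filename (MSIstall61.exe) and the two lure names the page quotes (the worm's real lure list is longer), and parses each PE header to see whether the file is UPX-packed, which is recognisable from UPX's default section names (UPX0/UPX1/UPX2) and the "UPX!" marker it leaves near the header. The sample "shared folder" it scans is constructed inline from hand-built minimal PE headers, so it runs offline; the registry values the page mentions are not named, so they are not checked here.

```python
import os
import struct
import tempfile

# Indicators taken from the description above. Only the two lure filenames the
# page quotes are listed; the worm carries a longer list (assumption: names are
# compared case-insensitively, as Windows filenames are).
DROPPED_NAME = "msistall61.exe"
LURE_NAMES = {"hortgirls.exe", "pamela_anderson.scr"}
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}   # default section names written by UPX


def pe_section_names(data):
    """Return the section names of a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                      # IMAGE_SECTION_HEADER is 40 bytes
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_upx_packed(data):
    """UPX leaves its section names and a 'UPX!' marker in the header area."""
    names = pe_section_names(data)
    if names is None:
        return False
    return bool(set(names) & UPX_SECTIONS) or b"UPX!" in data[:0x400]


def classify(path):
    """Return the list of indicators one file matches (empty list = nothing suspicious)."""
    reasons = []
    name = os.path.basename(path).lower()
    if name == DROPPED_NAME:
        reasons.append("dropped filename")
    if name in LURE_NAMES:
        reasons.append("lure filename")
    with open(path, "rb") as f:
        data = f.read()
    if is_upx_packed(data):
        reasons.append("UPX-packed PE")
    return reasons


def scan_directory(root):
    """Walk a Kazaa-style shared folder; return {relative path: reasons} for flagged files."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def fake_pe(section_names):
    """Build a minimal PE header with the given section names (constructed test data,
    not a real binary): DOS stub, PE signature, COFF header with no optional header,
    then one 40-byte section header per name."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + sections


def demo():
    """Populate a temporary 'shared folder' with constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "MSIstall61.exe": fake_pe([b"UPX0", b"UPX1", b".rsrc"]),   # dropped copy, packed
            "HortGirls.exe": fake_pe([b"UPX0", b"UPX1"]),              # lure, packed
            "Pamela_anderson.scr": fake_pe([b".text", b".data"]),      # lure name, not packed
            "setup.exe": fake_pe([b".text", b".rdata", b".data"]),     # benign-looking PE
            "notes.txt": b"just a text file",                           # not a PE at all
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        return scan_directory(root)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path}: {', '.join(reasons)}")
```

The UPX check on its own is not proof of infection, since plenty of legitimate software ships UPX-packed; it is meant to be combined with the filename indicators, and a real deployment would replace the two example lure names with the full list from the vendor write-up.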

The attacker can also download and execute files, retrieve system and network information, launch denial-of-service attacks against a chosen target, and completely uninstall the Trojan by removing its registry entries from the infected computer. Field reports describe the program as software written for hostile, malicious, or harmful purposes: an attacker can use it to compromise the user's computer and, from there, the network it is attached to. It is also reported that the program can be used to monitor the user's Internet activity and to capture sensitive or confidential information.