Aliases: Backdoor.Win32.Rbot.dc, W32/Linkbot-A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 05 Nov 2004
Damage: Medium

Characteristics: W32.Linkbot.A is a worm. It propagates by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability, described in Microsoft Security Bulletin MS04-011. It also opens an IRC backdoor and attempts to install adware on the infected computer.

More details about W32.Linkbot.A

When W32.Linkbot.A is executed, it copies itself as the file defragfat32z.exe; variants use the names defragfat32.exe and defragfat32x.exe. It also creates the batch file abcdabcd.bat, which, when run, deletes the original worm file and then itself. The worm adds a value to the registry so that it runs every time Windows starts. It attempts to connect to anna.homeftp.net:43210 using a random port numbered 1040 or higher, and it listens on TCP port 113. Through this backdoor it awaits commands from a remote attacker, who can upload, download, execute, and modify files on the infected computer, gather system information, update or uninstall the worm, and terminate running processes. The worm propagates by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability.

Commands received over the backdoor can instruct the program to perform further actions on the infected computer. It can monitor the user's activity, including capturing keystrokes and screenshots, and send the results by e-mail or FTP (File Transfer Protocol). Programs may be opened and minimized unexpectedly. Additional malicious software may be installed and executed on the infected system. W32.Linkbot.A can also send messages to specific IRC channels and users, start or stop threads, and be used to spread malware to other IRC channels.
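The indicators in the description above (the dropped file names, the Run-key autorun entry, the outbound connection to anna.homeftp.net:43210 from a port of 1040 or higher, and the TCP/113 listener) are enough to write a simple host-triage check. The script below is an added example, not code from the original entry or from any vendor: it takes a file listing, a set of autorun entries, and netstat-style connection records and reports which Linkbot indicators they match. All sample data is constructed; the autorun value name "Windows Defragmenter" is invented for illustration because the entry does not name the registry value, and the connection records are assumed to have the remote address already resolved to a hostname.

```python
from dataclasses import dataclass

# Indicators taken from the W32.Linkbot.A description.
DROPPED_FILES = {"defragfat32z.exe", "defragfat32.exe", "defragfat32x.exe", "abcdabcd.bat"}
C2_HOST = "anna.homeftp.net"
C2_PORT = 43210
C2_MIN_LOCAL_PORT = 1040      # worm connects out from a port numbered 1040 or higher
BACKDOOR_LISTEN_PORT = 113    # worm listens here; note that a legitimate identd also uses 113


@dataclass(frozen=True)
class Finding:
    kind: str     # "file", "autorun", "listener" or "c2"
    detail: str


def _basename(path):
    """Return the lowercase final path component, accepting both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_files(paths):
    """Flag any path whose file name is one of the worm's dropped files."""
    return [Finding("file", p) for p in paths if _basename(p) in DROPPED_FILES]


def check_autoruns(entries):
    """entries: (value_name, command) pairs read from a Run key.
    The description says the worm adds a Run value but not its name,
    so the match is made on the command, not the value name."""
    findings = []
    for value_name, command in entries:
        if _basename(command.split()[0]) in DROPPED_FILES:
            findings.append(Finding("autorun", f"{value_name} -> {command}"))
    return findings


def check_connections(conns):
    """conns: (proto, local_addr, local_port, remote_host, remote_port, state) tuples.
    A TCP/113 listener on its own is a weak indicator (identd is legitimate);
    the outbound connection to the documented host:port is the strong one."""
    findings = []
    for proto, laddr, lport, rhost, rport, state in conns:
        if proto != "TCP":
            continue
        if state == "LISTENING" and lport == BACKDOOR_LISTEN_PORT:
            findings.append(Finding("listener", f"TCP/{lport} listening on {laddr}"))
        if (rhost.lower() == C2_HOST and rport == C2_PORT
                and lport >= C2_MIN_LOCAL_PORT):
            findings.append(Finding("c2", f"{laddr}:{lport} -> {rhost}:{rport} ({state})"))
    return findings


def triage(paths, autoruns, conns):
    """Run all three checks and return every finding, strongest category first."""
    order = {"c2": 0, "autorun": 1, "file": 2, "listener": 3}
    found = check_files(paths) + check_autoruns(autoruns) + check_connections(conns)
    return sorted(found, key=lambda f: order[f.kind])


# Constructed sample data modelled on an infected Windows host.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\defragfat32z.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\DOCUME~1\user\LOCALS~1\Temp\abcdabcd.bat",
]
SAMPLE_AUTORUNS = [
    ("Windows Defragmenter", r"C:\WINDOWS\system32\defragfat32z.exe"),   # value name invented
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_CONNECTIONS = [
    ("TCP", "0.0.0.0", 113, "0.0.0.0", 0, "LISTENING"),
    ("TCP", "192.168.1.10", 1041, "anna.homeftp.net", 43210, "ESTABLISHED"),
    ("TCP", "192.168.1.10", 1039, "www.example.com", 80, "ESTABLISHED"),
    ("UDP", "0.0.0.0", 137, "*", 0, ""),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FILES, SAMPLE_AUTORUNS, SAMPLE_CONNECTIONS):
        print(f"[{f.kind}] {f.detail}")
```

On the sample host the script reports the outbound connection to anna.homeftp.net:43210 first, then the autorun entry and the two dropped files, and finally the TCP/113 listener; on a real host the file list, Run-key values and connection table would be collected from the system rather than embedded.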