Aliases: Net-Worm.Win32.Padobot.x [Kasp], W32/Poxdar.worm [McAfee], W32/Doxpar-A [Sophos], WORM_POXDAR.A [Trend Micro]
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 16 Feb 2005
Damage: Medium

Characteristics: W32.Poxdar was discovered on February 16, 2005. It is a network-aware worm with denial of service and back door capabilities, and it spreads by exploiting vulnerabilities. Also known as Net-Worm.Win32.Padobot.x, W32/Poxdar.worm, W32/Doxpar-A and WORM_POXDAR.A, this worm affects Windows 2000, 95, 98, Me, NT, Server 2003 and XP.

More details about W32.Poxdar

Once W32.Poxdar is executed, the worm performs several actions. It creates a copy of itself under the %System% folder using the file name [random characters]32.dll. Then the worm deletes all .dll files and causes a 100% load on the CPU, making the system run very slowly or become unresponsive. Next, the worm creates a mutex named LSD0. Afterwards, it adds two values to system registry subkeys. The worm injects itself into the explorer.exe process and checks for the wins, lsass, svchost and inetinfo processes. If those processes are present, the worm again creates system registry entries.

After checking the internet connection through some domains, the worm spreads by exploiting the following vulnerabilities: Microsoft Windows WINS Association Context Data Remote Memory Corruption Vulnerability, Microsoft Windows DCOM RPC vulnerability, Microsoft Windows LSASS vulnerability, Microsoft Windows WebDav vulnerability and Microsoft FrontPage Server Extensions Remote Debug Buffer Overrun Vulnerability. The worm continues to spread by opening a proxy server on a random TCP port to download and execute a .tmp file, then connects to other domains to perform a denial of service attack.
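A host triage sketch for two of the indicators named above (the LSD0 mutex and the [random characters]32.dll copy under %System%), added here as an example and not part of the original write-up. It assumes PowerShell 5.1; the function names, the extra `Global\` mutex lookup and the use of signature status as a filter are assumptions of this example, and its output is a list of leads to review, not a verdict.

```powershell
# Added triage example. Indicator values (mutex LSD0, *32.dll under %System%)
# come from the description; everything else is an assumption of this sketch.

function Test-PoxdarMutex {
    # Returns the names under which the LSD0 mutex currently exists.
    $found = @()
    foreach ($name in 'LSD0', 'Global\LSD0') {   # Global\ lookup is an assumption
        $m = $null
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $found += $name
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # No such mutex: the expected result on a clean host.
        } catch [System.UnauthorizedAccessException] {
            # The mutex exists but this account may not open it.
            $found += $name
        } finally {
            if ($m) { $m.Close() }
        }
    }
    return $found
}

function Get-SuspectSystemDll {
    # Lists *32.dll files in %System% that lack a valid Authenticode signature.
    # Legitimate files such as kernel32.dll match the name pattern, so the
    # signature check is used here to narrow the list.
    $sys = [Environment]::GetFolderPath('System')
    Get-ChildItem -Path $sys -Filter '*32.dll' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Created   = $_.CreationTimeUtc
                    SigStatus = $sig.Status
                    SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

$mutex = Test-PoxdarMutex
if ($mutex) { Write-Warning "Mutex present: $($mutex -join ', ')" }
@(Get-SuspectSystemDll) | Sort-Object Created -Descending | Format-Table -AutoSize
```

On systems where Windows components are catalog-signed and the installed PowerShell does not validate catalog signatures, legitimate DLLs will appear in the list, so compare creation times and hashes before acting on any entry.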

W32.Poxdar downloads files onto the infected computer. These files can be commands to execute on the system. They may also be installers for unwanted programs, which are installed on the system and executed. These programs may also be added to the system registry so that they run at system startup. Downloaded software may also be spread to other computers. Some programs spread in this way are spyware and adware applications. Adware programs display ads in the form of pop-ups, pop-unders, links, banners and desktop shortcuts. Spyware applications monitor the user’s browsing activities. This can include visited web pages, clicked links, and search queries.