Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 27 Feb 2007
Damage: Medium

Characteristics: W32.Rokid is a type of worm that shows an MS Word document in the Indonesian language and then shuts down the infected computer.

More details about W32.Rokid

The W32.Rokid worm replicates itself to different locations on the user’s computer. Anti-malware applications identify the program as a network worm. The W32.Rokid worm uses Internet Relay Chat (IRC) as its main distribution medium. It utilizes a backdoor program to compromise users on the IRC network. The backdoor program can either be bundled with the source application of the W32.Rokid worm or dropped by other Trojan applications or worms. The gap created by the backdoor application allows the W32.Rokid worm to function on the user’s computer. The worm also uses this opening to communicate with remote servers and gather recent updates of the W32.Rokid worm application.

The program uses exploits found in installed programs and within the operating system to facilitate its arrival on the user’s computer. The W32.Rokid worm also has the ability to spread to other computers. It propagates to remote computers by overriding weak system passwords used on those computers. The W32.Rokid worm is remotely controlled by an authorized user via IRC channels. The remote user sends commands that instruct the worm to perform several functions on the computer. The remote user can use the application to start servers such as a File Transfer Protocol server, proxy server or Web server. The program may also facilitate the computer’s participation in Distributed Denial of Service (DDoS) attacks.