Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 07 Feb 2003
Damage: Medium

Characteristics: The W32.Tkbot.Worm application installs a backdoor on compromised systems and permits a hacker to have access to the computer without the knowledge of the owner, controlling it through IRC. This worm consists of some parts, including an IRC client and a FTP server.

More details about W32.Tkbot.Worm

The W32.Tkbot.Worm scans and then attacks website at random by using Unicode directory traversal weakness in the Microsoft IIS in order to add access to weak computers. Once the worm adds access to the weak computers the IRC user that is a W32.Tkbot.Worm part directs to the computer so it can open a connection of the FTP to a particular host remote on the Web. Files that are Tk1.exe and Httpodbc.dll can be downloaded from the remote host to weak computers and then performed. It infects the weak computers with W32.Tkbot.Worm. When the weak computers were already infected, the part of the W32.Tkbot.Worm, the IRC client, is run. The IRC users the port 1297 in order to connect to IRC server and joins a particular channel and then the process will be repeated.

All of the weak computers that are infected are connected to the channel of the IRC on the server of it that was defined as one of the configuration file of the worm. Each of these was given a name that is unique once it joins the channel. And then the attacker can sign in the IRC server, join a particular channel, and then spot all the computers that are compromised. The attacker allows full access to the administrator into the computer that is infected.The worm loads a value containing the scripting commands. The attacker can already perform the script.