Aliases: Backdoor.Win32.IRCBot.awk, Backdoor:Win32/Mocbot.gen, Exp/MS06040-A
Variants: Generic.Sdbot.B2CA6D52, IRC-MocBot, Win32/Cuebot!generic

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 12 Aug 2006
Damage: Medium

Characteristics: W32.Wargbot is a worm that opens an IRC back door on the compromised system. It spreads by exploiting the Microsoft Windows Server Service remote buffer overflow vulnerability described in Microsoft Security Bulletin MS06-040, so hosts that have applied that update are not exposed to its spreading vector. The worm can also download a copy of Backdoor.Ranky.X. This network-aware worm affects Windows platforms including Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

More details about W32.Wargbot

Once W32.Wargbot is executed, the worm copies itself as wgareg.exe into the system folder and registers that file as a service named Windows Genuine Advantage Registration Service; the name imitates Microsoft's Windows Genuine Advantage component so that the entry looks legitimate. It creates the registry subkey for that service and adds registry values that change access to network shares, disable DCOM, lower system security settings, and alter the Windows Firewall configuration. The worm then injects code into explorer.exe, deletes the file it was originally launched from, and opens a back door by connecting to IRC servers on TCP port 18067. On that channel it listens for commands that allow a remote attacker to launch denial-of-service attacks, download and execute remote files, scan IP addresses for further machines to attack, send messages through AOL Instant Messenger (if it is running), and open a remote command shell, which lets the attacker run any command on the PC. Because the running copy lives inside explorer.exe, the on-disk indicators to look for are the wgareg.exe file and its service entry, plus the outbound connections on port 18067.
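The two network behaviours described above, the IRC back door on TCP port 18067 and the scanning for new victims, are visible in flow or firewall logs even though the worm hides inside explorer.exe on the host. The following Python script is an added example written for this page, not code from the original page or from any vendor write-up. It parses a constructed flow log, flags internal hosts connecting outbound to TCP/18067 on an external address, and flags hosts that touch many peers on TCP 139/445, the ports through which the Server service (and therefore the MS06-040 bug) is reached. The log line format, the internal address ranges, the fan-out threshold, the time window and every IP address are assumptions made for the example.

```python
"""Network-side triage for W32.Wargbot-style activity (added example).

Flags two behaviours from flow/firewall log lines:
  1. the IRC back door: outbound TCP to port 18067 on an external host;
  2. the spreader: one internal host probing many peers on TCP 139/445,
     the ports that expose the Server service targeted by MS06-040.

The log format, internal ranges, thresholds and addresses are assumed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import re

# Assumed line format: "<epoch> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>tcp|udp)$",
    re.IGNORECASE,
)

IRC_BACKDOOR_PORT = 18067           # port named in the write-up above
SERVER_SERVICE_PORTS = {139, 445}   # where the MS06-040 flaw is reached
SCAN_FANOUT = 8                     # distinct targets before it counts as scanning (assumed)
SCAN_WINDOW = 60                    # seconds (assumed)
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed site ranges


def is_internal(ip):
    """True if ip falls inside one of the site's own address ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Return a dict for one flow line, or None if the line does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": int(d["ts"]), "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "proto": d["proto"].lower()}


def find_c2_sources(flows):
    """Internal hosts talking outbound to TCP/18067 on an external address."""
    hits = defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] != IRC_BACKDOOR_PORT:
            continue
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            hits[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


def find_smb_scanners(flows, fanout=SCAN_FANOUT, window=SCAN_WINDOW):
    """Sources contacting >= fanout distinct hosts on 139/445 within window seconds.

    Returns {src: largest number of distinct targets seen in any window}.
    """
    per_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] in SERVER_SERVICE_PORTS:
            per_src[f["src"]].append((f["ts"], f["dst"]))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):          # sliding window starting at each event
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            best = max(best, len(targets))
        if best >= fanout:
            scanners[src] = best
    return scanners


def triage(lines):
    """Run both detectors over raw log lines; unparseable lines are skipped."""
    flows = [f for f in map(parse_flow, lines) if f]
    return {"c2": find_c2_sources(flows), "scanners": find_smb_scanners(flows)}


# Constructed sample: 10.0.0.5 beacons to IRC and sweeps ten peers on 445;
# 10.0.0.9 is a clean host using two file servers; one line is garbage.
SAMPLE_LOG = [
    "1155340000 10.0.0.5:1044 -> 203.0.113.7:18067 tcp",   # back-door connection
    "1155340002 10.0.0.9:1060 -> 10.0.0.20:445 tcp",        # normal file-server use
    "1155340003 10.0.0.9:1061 -> 10.0.0.21:445 tcp",
    "1155340010 10.0.0.9:1062 -> 10.0.0.22:18067 tcp",      # 18067 to an internal host: not C2
    "this line is not a flow record",
] + [f"{1155340005 + i} 10.0.0.5:{1100 + i} -> 10.0.1.{i}:445 tcp" for i in range(1, 11)]

if __name__ == "__main__":
    for kind, found in triage(SAMPLE_LOG).items():
        print(kind, found)
```

Tune SCAN_FANOUT and SCAN_WINDOW to the site: a domain controller or backup server legitimately opens many SMB sessions, so scanner hits should be cross-checked against the host-side indicators (wgareg.exe and its service) before any cleanup.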

Once successfully installed, the W32.Wargbot program opens a back door on the affected computer. This back door is the channel through which the remote intruder communicates with the bot, which waits for commands from the remote user. These commands may include deleting files from the computer, uploading and downloading unwanted data, and launching or joining denial-of-service attacks. Additional programs may also be installed on the affected computer; the worm downloads them from a remote server and installs them silently. These extra components consume disk space and processing time, so a noticeably slower machine can be one of the few visible symptoms.