Symantec Security Response has developed a removal tool to clean the infections of .Worm. The worm attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly-chosen IP addresses for vulnerable systems.

Systems Affected: Windows 2000, Windows Server 2003, Windows XP

When .Worm runs, it does the following:

Attempts to create a mutex called Jobaka3 and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.

Locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

Adds a value to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the worm runs when you start Windows.

Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.

Attempts to connect to randomly-generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This FTP server is used to spread the worm to other hosts.
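As an added example (not part of the original description or of any Symantec tool), the following Python script turns the propagation pattern above into a detection rule over flow-log lines: it flags hosts that reach many distinct addresses on TCP/445, and any use of the remote-shell port 9996 or the FTP port 5554. The log format, the sample addresses and the scan threshold are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed flow records for this example: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
10:00:01 10.0.0.5 10.0.0.9 445
10:00:01 10.0.0.5 192.168.3.7 445
10:00:02 10.0.0.5 172.16.8.2 445
10:00:02 10.0.0.5 10.77.1.1 445
10:00:03 10.0.0.5 10.0.0.12 445
10:00:03 10.0.0.5 10.0.0.12 9996
10:00:04 10.0.0.12 10.0.0.5 5554
10:00:05 10.0.0.7 10.0.0.1 445
10:00:06 10.0.0.7 10.0.0.1 139
"""

SCAN_THRESHOLD = 5   # distinct TCP/445 targets before a host counts as scanning (assumed)
SHELL_PORT, FTP_PORT = 9996, 5554   # ports named in the description above

def parse_flows(text):
    """Parse the constructed flow lines into (src, dst, port) tuples."""
    flows = []
    for line in text.strip().splitlines():
        _ts, src, dst, port = line.split()
        flows.append((src, dst, int(port)))
    return flows

def detect(flows):
    """Return {src_ip: [reasons]} for hosts matching the propagation pattern."""
    targets_445 = defaultdict(set)
    hits = defaultdict(list)
    for src, dst, port in flows:
        if port == 445:
            targets_445[src].add(dst)          # random-address scanning of TCP/445
        elif port == SHELL_PORT:
            hits[src].append(f"connected to remote shell port {SHELL_PORT} on {dst}")
        elif port == FTP_PORT:
            # the victim pulls the copy, so the source here is the newly infected host
            hits[src].append(f"retrieved payload from FTP port {FTP_PORT} on {dst}")
    for src, dsts in targets_445.items():
        if len(dsts) >= SCAN_THRESHOLD:
            hits[src].append(f"scanned {len(dsts)} hosts on TCP/445")
    return dict(hits)

if __name__ == "__main__":
    for host, reasons in detect(parse_flows(SAMPLE_FLOWS)).items():
        print(host, "->", "; ".join(reasons))
```

On the sample above the scanning host 10.0.0.5 is flagged for both the TCP/445 sweep and the shell connection, 10.0.0.12 for pulling the copy over port 5554, and 10.0.0.7 (one SMB target) is not flagged.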