Jeff (jeffsworld) wrote in prog_threats,

W32.Gaobot.YN, W32.HLLW.Donk.M

W32.Gaobot.YN

W32.Gaobot.YN is a variant of W32.HLLW.Gaobot.gen that attempts to spread to network shares and allows access to an infected computer through an IRC channel.

The worm uses multiple vulnerabilities to spread, including:

  • The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026), using TCP port 135
  • The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001), using TCP port 445
  • The WebDAV vulnerability (described in Microsoft Security Bulletin MS03-007), using TCP port 80
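
As an added example (not part of the original post), the following sketch flags internal hosts that fan out to many peers on the three TCP ports listed above, which is the traffic pattern a network-spreading worm of this kind produces. The flow-record format, addresses and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# TCP ports the post lists for W32.Gaobot.YN propagation.
WORM_PORTS = {135: "MS03-026 DCOM RPC",
              445: "MS03-001 RPC locator",
              80: "MS03-007 WebDAV"}

# Constructed sample flow records: "timestamp src dst dport proto".
SAMPLE_FLOWS = """\
12:00:01 10.0.0.5 10.0.0.10 135 tcp
12:00:01 10.0.0.5 10.0.0.11 445 tcp
12:00:02 10.0.0.5 10.0.0.12 80 tcp
12:00:02 10.0.0.5 10.0.0.13 135 tcp
12:00:03 10.0.0.7 10.0.0.20 80 tcp
12:00:04 10.0.0.7 10.0.0.20 80 tcp
12:00:05 10.0.0.8 10.0.0.30 445 tcp
12:00:06 10.0.0.8 10.0.0.31 445 tcp
12:00:07 10.0.0.8 10.0.0.32 445 tcp
12:00:08 10.0.0.9 10.0.0.40 135 udp
truncated line
"""

def parse_flows(text):
    """Yield (src, dst, dport, proto) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        _ts, src, dst, dport, proto = parts
        yield src, dst, int(dport), proto.lower()

def find_scanners(text, min_targets=3, min_ports=2):
    """Return sources that hit many distinct hosts across several worm ports.

    Requiring more than one port (assumed threshold) keeps ordinary
    clients of a single service, such as file-share users, out of the result.
    """
    targets = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, dport, proto in parse_flows(text):
        if proto == "tcp" and dport in WORM_PORTS:
            targets[src].add(dst)
            ports[src].add(dport)
    return {src: {"targets": len(dsts), "ports": sorted(ports[src])}
            for src, dsts in targets.items()
            if len(dsts) >= min_targets and len(ports[src]) >= min_ports}

if __name__ == "__main__":
    for host, info in find_scanners(SAMPLE_FLOWS).items():
        print(host, info)
```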

W32.Gaobot.YN is packed with UPX and IHMOWrap3.

W32.HLLW.Donk.M

W32.HLLW.Donk.M is a network-aware worm. It attempts to connect to a predetermined IRC server to get instructions from the attacker.

This variant may be compressed with PeX.