Discussion in 'malware problems & news' started by Randy_Bell, May 9, 2003.

Thread Status:
Not open for further replies.
Randy_Bell (Registered Member, joined May 24, 2002, Santa Clara, CA) wrote:
    WORM_XMS.A propagates via the Kazaa peer-to-peer file sharing network. It does this by creating a folder where it drops multiple copies of itself and then shares the folder over the Kazaa network. This worm leaves infected systems vulnerable to unauthorized access by dropping and executing a backdoor server program.

    This peer-to-peer worm runs on Windows 95, 98, NT, 2000, ME, and XP.

    Upon execution, this worm drops a copy of itself named XMS32.EXE in the Windows system directory.

    If the Kazaa utility is installed on the infected system, the malware creates the directory %Windows%\sCache32. Then, it drops multiple copies of itself in this directory with any of 82 possible names. It sets the attributes of these copies to hidden. It also adds a random amount of garbage data to the end of each copy so that the file size of each is different from the others. It typically takes several minutes for the malware to generate all of its copies, which results in performance degradation of the infected system.

    This malware drops and executes a file, SYSTEM32.EXE, in the Windows system directory. This is a backdoor server program that compromises system security by opening the infected system to remote access. Trend Micro detects this malware as BKDR_RAMDAM.A. Once running, this program listens and waits for connection attempts from a remote user using the client component of the backdoor program. It receives IRC commands from the remote user to connect to other IRC servers, causing the affected system to act like a bot. After dropping BKDR_RAMDAM.A, the malware terminates.

    If you would like to scan your computer for WORM_XMS.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_XMS.A is detected and cleaned by Trend Micro pattern file #521 and above.
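The advisory quoted above describes a trait that is easy to check for without a signature: the worm fills its share folder with copies of one executable that are byte-identical at the front and differ only in the amount of garbage appended, so they all have different sizes. The script below is an added example written for this thread (it is not Trend Micro's tooling and not part of the original post) that groups the files in a folder by a hash of their leading bytes and flags any group whose members have the same head but different sizes. The 4 KB head length, the sCache32-style folder built in a temp directory, and the fake "MZ" payload are all constructed assumptions for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from collections import defaultdict

# Assumption: the leading 4 KB of a dropped copy is unchanged by the worm's
# trailing padding, so hashing only the head groups the clones together.
HEAD_BYTES = 4096


def head_hash(path, n=HEAD_BYTES):
    """SHA-256 of the first n bytes of a file (ignores any trailing garbage)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(n)).hexdigest()


def is_hidden(path):
    """True if the file carries the Windows hidden attribute; on other
    platforms fall back to the dot-file convention."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2))
    return os.path.basename(path).startswith(".")


def find_padded_clones(directory, min_group=3):
    """Return groups of files whose leading bytes are identical but whose
    sizes differ: the signature of one binary padded with random garbage."""
    groups = defaultdict(list)
    for name in os.listdir(directory):
        p = os.path.join(directory, name)
        if os.path.isfile(p):
            groups[head_hash(p)].append(p)

    suspicious = []
    for h, paths in groups.items():
        if len(paths) < min_group:
            continue  # a couple of identical files is normal; a pile is not
        sizes = {os.path.getsize(p) for p in paths}
        if len(sizes) > 1:
            suspicious.append({
                "head_sha256": h,
                "paths": sorted(paths),
                "sizes": sorted(sizes),
                "hidden": [is_hidden(p) for p in sorted(paths)],
            })
    return suspicious


def build_sample_dir():
    """Constructed sample share folder: five padded copies of one fake
    executable plus two unrelated files. Not real malware."""
    d = tempfile.mkdtemp(prefix="sCache32_")
    body = b"MZ" + bytes(range(256)) * 32          # 8194 bytes, > HEAD_BYTES
    for i, pad in enumerate([100, 250, 777, 1234, 5000]):
        with open(os.path.join(d, f".bait{i}.exe"), "wb") as f:
            f.write(body + os.urandom(pad))         # same head, random tail
    with open(os.path.join(d, "readme.txt"), "wb") as f:
        f.write(b"legitimate shared text file")
    with open(os.path.join(d, "song.mp3"), "wb") as f:
        f.write(b"ID3" + bytes(100))
    return d


if __name__ == "__main__":
    share = build_sample_dir()
    for grp in find_padded_clones(share):
        print(f"{len(grp['paths'])} padded clones, sizes {grp['sizes']}")
        for p, hid in zip(grp["paths"], grp["hidden"]):
            print(f"  {p}  hidden={hid}")
```

Pointing `find_padded_clones` at a real Kazaa share folder would surface the sCache32-style drop described in the advisory even if the file names were changed; the only thing it relies on is that the copies share a head and differ in length, which is exactly what the padding is meant to produce. A clean share with one or two copies of the same file is ignored by the `min_group` threshold.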