WORM_WOOT.BJ

Discussion in 'malware problems & news' started by Randy_Bell, Oct 22, 2004.

Thread Status:
Not open for further replies.
  1. Randy_Bell (Registered Member; joined May 24, 2002; 3,004 posts; Santa Clara, CA)
    WORM_WOOTBOT.BJ is a non-destructive worm that takes advantage of the Windows LSASS vulnerability in order to propagate. It drops a copy of itself into default shared folders of unpatched machines. It steals the CD keys of popular game applications, Microsoft Windows Product IDs, and Yahoo Messenger IDs. It updates itself by creating the file 1.BAT and executing it afterwards. This batch file downloads a copy of the worm from the Internet and then executes it on the compromised system. This worm is currently spreading in-the-wild and infecting systems that are running on Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, this worm drops a copy of itself as SERVICED.EXE in the Windows system folder. It executes its dropped copy and then deletes itself afterwards. It then adds several registry entries that allow it to run automatically at every system startup.

    This worm exploits the Windows LSASS vulnerability to propagate. This vulnerability is a buffer overrun that allows remote code execution and allows an attacker to gain full control of infected systems. This vulnerability is discussed in more detail on the Trend Micro Security Advisories page.

    This worm copies and executes itself on vulnerable systems and searches for the following default network shares:

    * ADMIN$
    * C$
    * D$
    * IPC$

    It steals Microsoft Windows Product IDs and Yahoo Messenger IDs, as well as the CD keys of the following popular games:

    * Battlefield 1942
    * Battlefield 1942: Secret Weapons Of WWII
    * Battlefield 1942: The Road To Rome
    * Battlefield 1942: Vietnam
    * Black and White
    * Command and Conquer: Generals
    * Command and Conquer: Generals: Zero Hour
    * Command and Conquer: Red Alert2
    * Command and Conquer: Tiberian Sun
    * Counter-Strike
    * FIFA 2002
    * FIFA 2003
    * Freedom Force
    * Global Operations
    * Gunman Chronicles
    * Half-Life
    * Hidden and Dangerous 2
    * IGI2: Covert Strike
    * Industry Giant 2
    * James Bond 007: Nightfire
    * Medal of Honor: Allied Assault
    * Medal of Honor: Allied Assault: Breakthrough
    * Medal of Honor: Allied Assault: Spearhead
    * Nascar Racing 2002
    * Nascar Racing 2003
    * Need For Speed: Hot Pursuit 2
    * Need For Speed: Underground
    * Neverwinter Nights
    * NHL 2002
    * NHL 2003
    * Ravenshield
    * Shogun: Total War: Warlord Edition
    * Soldier Of Fortune 2
    * Soldiers Of Anarchy
    * The Gladiators
    * Unreal Tournament 2003
    * Unreal Tournament 2004

    This worm appears to possess backdoor capabilities. It updates itself by creating and executing the file 1.BAT, which downloads a copy of the worm from the Internet and then executes it on the compromised system.

    If you would like to scan your computer for WORM_WOOTBOT.BJ or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

    WORM_WOOTBOT.BJ is detected and cleaned by Trend Micro pattern file 2.206.00 and above.
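The post names two file-level indicators (a SERVICED.EXE dropped into the system folder and a 1.BAT updater) and says the worm persists through startup registry entries without naming them. The following is an added example, not code from the post or from Trend Micro: a small Python checker that parses the text output of the Windows `reg query` command for the standard Run keys and flags any startup value that references those file names. The Run keys and the sample output are assumptions (the worm's actual entries are not listed in the post); the sample is constructed to show one benign entry beside two suspect ones.

```python
import re

# Constructed sample in the format printed by `reg query <key>` on Windows.
# Assumption: the worm's startup entries live under the standard Run keys;
# the post only says it "adds several registry entries". The entry names
# "Windows Service" and "Updater" are invented; SERVICED.EXE and 1.BAT are
# the file names given in the post.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Windows Service    REG_SZ    C:\WINDOWS\system32\serviced.exe
    Updater    REG_SZ    cmd /c C:\WINDOWS\system32\1.bat

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    MSN    REG_SZ    "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

# File names taken from the advisory text above.
SUSPECT_FILES = {"serviced.exe", "1.bat"}

# A key line starts at column 0 with the hive name; value lines are indented
# and separated by runs of whitespace: <name>  <REG_type>  <data>.
KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.*$")
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` style output."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if KEY_RE.match(line):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data")


def referenced_files(data):
    """Return lower-cased base names of executable-like paths inside a value.

    Only the last path component can match because the character class
    stops at backslashes, quotes and whitespace.
    """
    return {
        m.group(1).lower()
        for m in re.finditer(r"([^\\\s\"]+\.(?:exe|bat|cmd|com|scr))\b", data, re.IGNORECASE)
    }


def find_suspect_autoruns(text, suspects=SUSPECT_FILES):
    """Return every startup value whose data references a suspect file name."""
    hits = []
    for key, name, data in parse_reg_query(text):
        matched = referenced_files(data) & suspects
        if matched:
            hits.append({"key": key, "name": name, "data": data, "files": sorted(matched)})
    return hits


if __name__ == "__main__":
    # On a real host, feed this the captured stdout of:
    #   reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    for hit in find_suspect_autoruns(SAMPLE_REG_QUERY):
        print(f"{hit['key']}  [{hit['name']}] -> {hit['data']}  ({', '.join(hit['files'])})")
```

Matching on the base name rather than the full path keeps the check useful when the system folder is not C:\WINDOWS\system32; a hit is a prompt to inspect the file, not proof of infection, since a legitimate program could use a similar name.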
     