W32/Stdbot.worm.b
- Type
- Virus
- SubType
- Internet Worm
- Discovery Date
- 05/18/2004
- Length
- 18,976 bytes
- Minimum DAT
- 4362 (05/19/2004)
- Updated DAT
- 4362 (05/19/2004)
- Minimum Engine
- 5.1.00
- Description Added
- 05/18/2004
- Description Modified
- 05/18/2004 6:36 PM (PT)
Characteristics
AVERT has recently received reports of increased traffic on TCP port 5000. The cause is a new worm variant, detected as W32/Stdbot.worm.b with the DATs and engine specified above.
This worm exploits the following vulnerabilities to replicate itself:
- IIS 5.0 WebDAV buffer overrun (MS03-007); scans TCP port 80
- Universal Plug and Play (UPnP) buffer overrun (MS01-059); scans TCP port 5000, which accounts for the traffic increase noted above
- Workstation service buffer overrun (MS03-049)
- Backdoors left open by W32/Kuang and W32/Bagle@MM
- The FTP server left running by Sasser (W32/Sasser.worm) on TCP port 5554
- LSASS buffer overrun (MS04-011)
- RPC/DCOM interface buffer overrun (MS03-026)
- Messenger service buffer overrun (MS03-043)
Once it gains execution on a target, the worm has the victim download a copy of itself from an FTP server that the infecting host runs on TCP port 7955, and then executes it. The downloaded copy may use any of the following filenames:
- KillBush.exe
- bottler.exe
- bot.exe
The worm then connects to a channel on the following IRC server and waits there for commands from the attacker:
- irc.nugs.us:6667
It also opens a backdoor on the infected machine on port 420.
Symptoms
- Unusual traffic on port 5000
- Presence of the above filenames
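The network indicators above (scanning of TCP 5000, the worm's FTP server on TCP 7955, the IRC server irc.nugs.us:6667 and the backdoor on TCP 420) can be turned into a quick triage check over connection logs. The script below is an added example written for this page, not AVERT tooling; the log line format, the sample log lines and the five-target scan threshold are constructed assumptions, and port 5000 is counted by distinct targets per source because legitimate Windows XP hosts also speak UPnP on that port.

```python
"""Triage connection-log lines for W32/Stdbot.worm.b network indicators.

Indicators come from the description above: scans of TCP 5000 (UPnP), the
worm's own FTP server on TCP 7955, IRC command-and-control at
irc.nugs.us:6667 and a backdoor listener on TCP 420. The log line format,
the scan threshold and the sample lines are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed format: "<time> <proto> <src_ip>:<src_port> -> <dst>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.\-]+):(?P<dport>\d+)$"
)

C2_HOST, C2_PORT = "irc.nugs.us", 6667
DROPPER_PORT = 7955   # FTP server from which victims fetch the worm
BACKDOOR_PORT = 420   # backdoor opened on the infected machine
SCAN_PORT = 5000      # UPnP; the port whose traffic increase was reported
SCAN_THRESHOLD = 5    # assumed: distinct targets on 5000 from one source = a scan


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def triage(lines, scan_threshold=SCAN_THRESHOLD):
    """Map each suspicious host to the sorted list of indicators it matched."""
    hits = defaultdict(set)
    scan_targets = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]
        if dport == SCAN_PORT:
            # Legitimate XP hosts also talk UPnP, so count distinct targets
            # rather than flagging every single connection to 5000.
            scan_targets[src].add(dst)
        if dst == C2_HOST and dport == C2_PORT:
            hits[src].add("irc-c2")
        if dport == DROPPER_PORT:
            hits[src].add("ftp-dropper-pull")   # victim fetching the worm
            hits[dst].add("ftp-dropper-serve")  # infected host serving it
        if dport == BACKDOOR_PORT:
            hits[dst].add("backdoor-420")       # someone using the backdoor
    for src, targets in scan_targets.items():
        if len(targets) >= scan_threshold:
            hits[src].add("port5000-scan")
    return {host: sorted(v) for host, v in hits.items()}


# Constructed sample: 10.0.0.7 is infected, 10.0.0.9 is being infected,
# 10.0.0.40 makes two ordinary UPnP connections, the rest is background noise.
SAMPLE_LOG = [
    "09:01:00 tcp 10.0.0.7:1031 -> 10.0.0.20:5000",
    "09:01:00 tcp 10.0.0.7:1032 -> 10.0.0.21:5000",
    "09:01:01 tcp 10.0.0.7:1033 -> 10.0.0.22:5000",
    "09:01:01 tcp 10.0.0.7:1034 -> 10.0.0.23:5000",
    "09:01:02 tcp 10.0.0.7:1035 -> 10.0.0.24:5000",
    "09:01:02 tcp 10.0.0.7:1036 -> 10.0.0.25:5000",
    "09:01:05 tcp 10.0.0.7:1040 -> irc.nugs.us:6667",
    "09:01:09 tcp 10.0.0.9:1025 -> 10.0.0.7:7955",
    "09:02:00 tcp 192.168.1.5:4000 -> 10.0.0.7:420",
    "09:02:10 tcp 10.0.0.40:1100 -> 10.0.0.20:5000",
    "09:02:11 tcp 10.0.0.40:1101 -> 10.0.0.21:5000",
    "09:02:12 udp 10.0.0.30:1300 -> 10.0.0.1:53",
    "09:02:13 tcp 10.0.0.31:1400 -> www.example.com:80",
    "this line is not a connection record",
]

if __name__ == "__main__":
    for host, indicators in sorted(triage(SAMPLE_LOG).items()):
        print(host, ", ".join(indicators))
```

On the sample, 10.0.0.7 is reported with all four indicators and 10.0.0.9 only as having pulled the worm over FTP, while 10.0.0.40 stays below the scan threshold. A host that matches the IRC or FTP indicator together with a port 5000 scan is a much stronger signal than port 6667 traffic on its own, which is common on networks where IRC is legitimately used.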
Method of Infection
The worm spreads by exploiting several Microsoft Windows vulnerabilities and by using backdoors left open by other worms, as listed under Characteristics.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively: infected systems spread the virus to other systems, which then propagate it further. While many viruses carry a destructive payload, it is quite common for a virus to do nothing more than spread from one system to another.
Aliases
- W32.Kibuv.B (Symantec)