W32/Akbot-AE is a worm and backdoor Trojan for the Windows platform.
The worm attempts to spread by copying itself to remote network shares or by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), SRVSVC (MS06-040) and ASN.1 (MS04-007).
W32/Akbot-AE provides a remote attacker with a command prompt on the infected computer. Backdoor functionality of the worm includes the ability to download further code and to carry out denial-of-service attacks.
When first run, W32/Akbot-AE copies itself to <System>\transys.dll.
A registry entry may be created under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to run transys.dll on startup.
W32/Akbot-AE modifies the system hosts file to point a number of websites at the loopback address, which prevents access to them.