Sophos

W32/Raleka-B

Aliases
  • W32.HLLW.Raleka
  • Win32/Raleka.A
  • Worm.Win32.Raleka.b

Summary

 
Protection available since 28 September 2003 09:47:19 (GMT)
Detected by All Sophos products

More Information

W32/Raleka-B is a network worm which uses the Microsoft DCOM RPC vulnerability to propagate across a network.

The worm will attempt to connect to vulnerable computers and upload and execute the following files:
svchost.exe, ntrootkit.exe, ntrootkit.reg and service.exe

  • Svchost.exe is a copy of the worm itself.
  • Ntrootkit.exe is a copy of the backdoor Trojan Troj/RtKit-11.
  • Ntrootkit.reg is a file used to run Troj/RtKit-11 on Windows XP systems.
  • Service.exe is a legitimate utility.
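
Because svchost.exe shares its name with a genuine Windows binary and service.exe is a legitimate utility, a file name on its own is a weak indicator; the four names appearing together in one directory is a stronger one. The following triage sketch is an added example, not Sophos code. It assumes the genuine svchost.exe lives only in the System32 directory, and the sample paths are constructed, since this page does not state where the worm writes its files.

```python
import ntpath
from collections import defaultdict

# File names this page says the worm uploads to a target.
DROPPED = {"svchost.exe", "ntrootkit.exe", "ntrootkit.reg", "service.exe"}
# Names that are distinctive on their own; svchost.exe and service.exe are not.
DISTINCTIVE = {"ntrootkit.exe", "ntrootkit.reg"}
# Assumption: the genuine Windows svchost.exe is found only in these directories.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}


def triage(paths):
    """Group a Windows file listing by directory and rate each directory.

    Returns {directory: (rating, sorted matched names)} for every directory
    holding at least one name from DROPPED. Ratings: 'high' (a distinctive
    name is present), 'review' (svchost.exe outside System32), 'ignore'.
    """
    by_dir = defaultdict(set)
    for path in paths:
        directory, name = ntpath.split(ntpath.normpath(path.strip()))
        if name.lower() in DROPPED:  # Windows names are case-insensitive
            by_dir[directory.lower()].add(name.lower())

    findings = {}
    for directory, names in by_dir.items():
        if names & DISTINCTIVE:
            rating = "high"
        elif "svchost.exe" in names and directory not in LEGIT_SVCHOST_DIRS:
            rating = "review"
        else:
            rating = "ignore"
        findings[directory] = (rating, sorted(names))
    return findings


# Constructed sample listing (not taken from a real host).
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"D:\share\incoming\SVCHOST.EXE",
    r"D:\share\incoming\ntrootkit.exe",
    r"D:\share\incoming\ntrootkit.reg",
    r"D:\share\incoming\service.exe",
    r"C:\Tools\svchost.exe",
    r"C:\Tools\admin\service.exe",
]

if __name__ == "__main__":
    for directory, (rating, names) in sorted(triage(SAMPLE).items()):
        print(f"{rating:7} {directory}  {', '.join(names)}")
```

A 'review' or 'high' rating is a prompt to scan the directory with an up-to-date anti-virus product, not a verdict by itself.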

The worm will attempt to download and install the Microsoft patch for the DCOM RPC vulnerability.

W32/Raleka-B includes backdoor functionality. The worm will attempt to contact IRC servers and await instructions from a remote attacker.

Microsoft has issued a patch for the vulnerability exploited by this worm. The patch is available from www.microsoft.com/technet/security/bulletin/MS03-026.asp.
