Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | December 2004 (3.88) |
| Protection available since | 11 October 2004 10:26:02 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Rirc-D is a worm which spreads by copying itself to network shares at random IP addresses protected by weak passwords.
When first run, W32/Rirc-D copies itself to the Windows System folder as FF.EXE and appends its pathname to the shell= line in the [Boot] section of system.ini, so that it is run automatically each time Windows is started.
On versions of Windows NT, 2000 and XP the worm also appends its pathname to the following registry entry to run itself on startup:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
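A defender-side check for the two autostart entries described above, added here as an example and not Sophos code: it parses the shell= line of a system.ini [boot] section and a Winlogon\Shell registry value and reports any entry other than explorer.exe, noting when a reported entry carries one of the filenames this analysis attributes to the worm. The sample system.ini text, the sample registry value and the paths in them are constructed to resemble an infected host.

```python
"""Checks for the two autostart entries W32/Rirc-D adds (added example, not
Sophos code); the inputs below are constructed samples of an infected host."""
import ntpath
import re

DEFAULT_SHELL = "explorer.exe"
WORM_NAMES = {"ff.exe", "xi.exe"}  # filenames the analysis attributes to the worm

# Constructed: system.ini [boot] shell= line with the worm's path appended
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe C:\\WINDOWS\\SYSTEM\\FF.EXE
[386Enh]
woafont=dosapp.fon
"""
# Constructed: Winlogon\Shell registry value with the worm's path appended
SAMPLE_WINLOGON_SHELL = "explorer.exe,C:\\WINNT\\SYSTEM32\\FF.EXE"


def system_ini_shell(text):
    """Return the shell= value from the [boot] section, or None if absent."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, val = line.partition("=")
        if section == "boot" and sep and key.strip().lower() == "shell":
            return val.strip()
    return None


def extra_shell_entries(value):
    """Entries other than explorer.exe. system.ini separates entries with
    spaces and Winlogon\\Shell with commas; quoted paths with spaces are not handled."""
    entries = [e for e in re.split(r"[ ,]+", value.strip()) if e]
    return [e for e in entries if ntpath.basename(e).lower() != DEFAULT_SHELL]


def scan(system_ini_text, winlogon_shell):
    """Unexpected entries per location, plus whether any uses a filename
    the analysis attributes to this worm."""
    findings = {
        "system.ini shell=": extra_shell_entries(system_ini_shell(system_ini_text) or ""),
        "Winlogon\\Shell": extra_shell_entries(winlogon_shell),
    }
    hits = [e for v in findings.values() for e in v]
    findings["known_worm_filename"] = any(ntpath.basename(e).lower() in WORM_NAMES for e in hits)
    return findings
```

On a live host the same functions can be fed the contents of %SystemRoot%\system.ini and the Winlogon\Shell value read from the registry; any reported entry is an autostart the administrator did not configure and should be investigated.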
Each time the worm runs it tries to connect to random IP addresses on ports 139 and 445. If a connection succeeds, the worm tries to copy itself as XI.EXE to the following Startup folders on the remote share:
\Documents and Settings\All Users\Start Menu\Programs\Startup\
\WINDOWS\Start Menu\Programs\Startup\
\WINNT\Profiles\All Users\Start Menu\Programs\Startup\
The worm attempts to log on to the Administrator account of remote computers using a list of weak passwords. If the Schedule service is active on the remote computer, the worm schedules a new job there to run the copied file.
The worm also attempts to connect to a remote IRC server, join a specific channel and send status information to that channel.
