Details
Worm.Win32.Slackor

This is a multi-component network worm. The worm spreads over shared network resources. The worm has bugs and has a little chance to spread over networks.
The worm’s components are:
cnn3.exe – the main component (Win32 EXE file about 350K of size)
abc.bat – BAT file (about 1344 bytes)
main.exe – trojan component (Win32 EXE file, 53280 bytes)
psexec.exe – remote execution utility (not a virus/trojan, Win32 EXE file, 122880 bytes)
slacke-worm.exe – searches for network addresses (Win32 EXE files, 25K/28K depending on worm version)

The main worm component is “trojan dropping” utility and is detected as “TrojanDropper.Win32.Yabinder”.
On run it creates the “C:\sp” subdirectory, drops and executes following files in there:
C:\sp\abc.bat
C:\sp\main.exe
C:\sp\psexec.exe
C:\sp\slacke-worm.exe

The “main.exe” component is the backdoor trojan, and it is detected as “Backdoor.SdBot”.
The “slacke-worm.exe” component looks for network resources and tries to copy and activate worm copy in there with a help of two other components:
abc.bat – tries to connect to a remote resource by trying a set of logins and passwords
psexec.exe – is used to run remote worm copy on remote computer.

Related Posts

This entry was posted on Saturday, August 30th, 2008 at 3:50 pm and is filed under Virus Threats.