Prevent Online Threats

Worm.Win32.Zindos

Details
Worm.Win32.Zindos.a

This worm spreads via the Internet using machines infected by I-Worm.Mydoom.m and penetrates victim machines via the backdoor installed by Mydoom.m.
It is also programmed to conduct a DoS attack on www.microsoft.com.
The worm is approximately 5760 bytes in size and packed using UPX.
Installation
When launched, the worm copies itself under a random name to the system’s temporary directory. It registers this file in the system registry, thus ensuring the worm file will be launched each time Windows is started.
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Tray" = worm file name
The worm randomly generates an IP address and will attempt to connect to this address via TCP port 1034 (the port opened by Mydoom.m). If a connection is established, the worm will send itself to the victim machine.
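
A defender can hunt for both behaviours described above: a "Tray" Run value pointing into a temporary directory, and one host contacting many different addresses on TCP port 1034. The script below is an added example, not part of the original description; the flow-record layout, the `reg query`-style text layout, the fan-out threshold and all sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

MYDOOM_BACKDOOR_PORT = 1034   # TCP port the description says Mydoom.m opens
FANOUT_THRESHOLD = 3          # assumed threshold; tune for your network

# Constructed sample flow records: "timestamp src_ip dst_ip proto dst_port"
SAMPLE_FLOWS = """\
2004-07-28T10:00:01 10.0.0.5 203.0.113.7 tcp 1034
2004-07-28T10:00:01 10.0.0.5 198.51.100.23 tcp 1034
2004-07-28T10:00:02 10.0.0.5 192.0.2.88 tcp 1034
2004-07-28T10:00:02 10.0.0.9 192.0.2.10 tcp 443
2004-07-28T10:00:03 10.0.0.9 192.0.2.88 tcp 1034
"""

# Constructed sample of Run-key contents (name, type, data per line)
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Tray    REG_SZ    C:\DOCUME~1\user\LOCALS~1\Temp\qkzvbt.exe
    SoundMan    REG_SZ    C:\Windows\SOUNDMAN.EXE
"""

def scanning_hosts(flow_text, threshold=FANOUT_THRESHOLD):
    """Return sources contacting >= threshold distinct hosts on TCP/1034."""
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        _, src, dst, proto, port = fields
        if proto.lower() == "tcp" and port == str(MYDOOM_BACKDOOR_PORT):
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= threshold}

def suspicious_tray_entries(reg_text):
    """Return data of 'Tray' Run values whose target lies in a Temp directory."""
    hits = []
    for m in re.finditer(r"^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+)$", reg_text, re.M):
        name, data = m.group(1), m.group(2).strip()
        if name.lower() == "tray" and re.search(r"\\te?mp\\", data, re.I):
            hits.append(data)
    return hits

if __name__ == "__main__":
    print(scanning_hosts(SAMPLE_FLOWS))
    print(suspicious_tray_entries(SAMPLE_RUN_KEY))
```

A single connection to port 1034 is weak evidence on its own; the fan-out across distinct destinations is what matches the random-address behaviour described above.
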
DoS attack
The worm sends multiple URLDownloadToCacheFile requests to the Microsoft corporate site.
