Analysis by: adel

 PLATFORM:

Windows 98, ME, NT, 2000, XP, Server 2003

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via network shares, Propagates via software vulnerabilities

This worm has received attention from independent media sources and/or other security firms.

This worm may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

It uses certain lists of user names and passwords to access password-protected shared files. It exploits software vulnerabilities to propagate to other computers across a network.

It opens a listening port and executes commands from a remote malicious user, effectively compromising the affected system.

It launches flood attacks against target sites, preventing users from reaching those sites for the duration of the attack.

It steals CD keys, serial numbers, and/or application product IDs of certain software. Stolen information may be used for profit by cybercriminals who gain access to it. It also logs the user's keystrokes to steal information.

  TECHNICAL DETAILS

File Size: 344,333 bytes
File Type: PE
Memory Resident: Yes
Initial Samples Received Date: 22 Feb 2010
Payload: Compromises system security, Steals information, Launches DoS/DDoS attacks

Arrival Details

This worm may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\windowsupdate.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Firewall Updater = windowsupdate.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices
Windows Firewall Updater = windowsupdate.exe

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
AllowUnqualifiedQuery = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
PrioritizeRecordData = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
TCP1320Opts = 3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
KeepAliveTime = dword:00023280

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
BcastQueryTimeout = dword:000002ee

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
BcastNameQueryCount = dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
CacheTimeout = dword:0000ea60

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
Size/Small/Medium/Large = dword:00000003

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
LargeBufferSize = dword:00001000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
SynAckProtect = dword:00000002

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
PerformRouterDiscovery = dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
EnablePMTUBHDetect = dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
FastSendDatagramThreshold = dword:00000400

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
StandardAddressLength = dword:00000018

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DefaultReceiveWindow = dword:00004000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DefaultSendWindow = dword:00004000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
BufferMultiplier = dword:00000200

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
PriorityBoost = dword:00000002

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
IrpStackSize = dword:00000004

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
IgnorePushBitOnReceives = dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DisableAddressSharing = dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
AllowUserRawAccess = dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DisableRawSecurity = dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DynamicBacklogGrowthDelta = dword:00000032

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
FastCopyReceiveThreshold = dword:00000400

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
LargeBufferListDepth = dword:0000000a

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
MaxActiveTransmitFileCount = dword:00000002

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
MaxFastTransmit = dword:00000040

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
OverheadChargeGranularity = dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
SmallBufferListDepth = dword:00000020

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
SmallerBufferSize = dword:00000080

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
TransmitWorker = dword:00000020

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DNSQueryTimeouts = {hex values}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DefaultRegistrationTTL = dword:00000014

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DisableReplaceAddressesInConflicts = dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DisableReverseAddressRegistrations = dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
UpdateSecurityLevel = dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DisjointNameSpace = dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
QueryIpMatching = dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
NoNameReleaseOnDemand = dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
EnableDeadGWDetect = dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
EnableFastRouteLookup = dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
MaxFreeTcbs = dword:000007d0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
MaxHashTableSize = dword:00000800

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
SackOpts = dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
Tcp1323Opts = dword:00000003

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
TcpMaxDupAcks = dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
TcpRecvSegmentSize = dword:00000585

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
TcpSendSegmentSize = dword:00000585

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DefaultTTL = dword:00000030

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
TcpMaxHalfOpen = dword:0000004b

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
TcpMaxHalfOpenRetried = dword:00000050

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
TcpTimedWaitDelay = dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
MaxNormLookupMemory = dword:00030d40

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
FFPControlFlags = dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
FFPFastForwardingCacheSize = dword:00030d40

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
MaxForwardBufferMemory = dword:00019df7

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
MaxFreeTWTcbs = dword:000007d0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
GlobalMaxTcpWindowSize = dword:0007d200

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
EnablePMTUDiscovery = dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
ForwardBufferMemory = dword:00019df7

HKEY_CURRENT_USER\Software\Microsoft\
OLE
Windows Firewall Updater = windowsupdate.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Ole
EnableRemoteConnect = N

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\lanmanserver\parameters
AutoShareServer = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\lanmanserver\parameters
AutoShareWks = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
Start = dword:00000004

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
C:\WINDOWS\System32\windowsupdate.exe = C:\WINDOWS\System32\windowsupdate.exe:*:Enabled:Windows Firewall Updater
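
The following Python is an added example (not part of the original analysis) of a check a responder can run against a registry export taken from a suspect machine with `reg export HKLM hklm.reg` (and the same for HKCU). It parses the .reg text and reports the persistence value, the firewall exception, the disabled Security Center service, the disabled administrative shares and the DCOM setting listed above. The .reg sample embedded in it is constructed, and the indicator labels are the editor's own descriptions.

```python
import re

# Indicators from the analysis above, as (key suffix, value-name regex,
# data regex or None, label). Key suffixes are compared case-insensitively
# against the end of the .reg key path, so they cover both HKLM and HKCU.
INDICATORS = [
    (r"\Windows\CurrentVersion\Run", r"^Windows Firewall Updater$",
     r"windowsupdate\.exe", "Run autostart value"),
    (r"\Windows\CurrentVersion\RunServices", r"^Windows Firewall Updater$",
     r"windowsupdate\.exe", "RunServices autostart value"),
    (r"\Microsoft\OLE", r"^Windows Firewall Updater$",
     r"windowsupdate\.exe", "autostart value under the OLE key"),
    (r"\Microsoft\OLE", r"^EnableRemoteConnect$", r'^"N"$',
     "remote DCOM connections switched off"),
    (r"\Services\lanmanserver\parameters", r"^AutoShare(Server|Wks)$",
     r"^dword:00000000$", "administrative shares disabled"),
    (r"\Services\wscsvc", r"^Start$", r"^dword:00000004$",
     "Security Center service (wscsvc) disabled"),
    (r"\AuthorizedApplications\List", r"windowsupdate\.exe", r":Enabled:",
     "Windows Firewall exception for the dropped file"),
]

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Constructed .reg text (editor's sample, not a real export).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Firewall Updater"="windowsupdate.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"EnableRemoteConnect"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\windowsupdate.exe"="C:\\WINDOWS\\System32\\windowsupdate.exe:*:Enabled:Windows Firewall Updater"
'''


def parse_reg_export(text):
    """Yield (key, value name, raw data) from .reg text. `reg export` writes
    UTF-16 files, so decode before calling; hex(...) continuation lines are
    ignored because none of the indicators use binary data."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            name = m.group(1)
            # .reg escapes backslashes and quotes inside value names
            name = "" if name is None else name.replace("\\\\", "\\").replace('\\"', '"')
            yield key, name, m.group(2)


def find_indicators(text):
    """Return (label, key, value name, raw data) for every matching value."""
    hits = []
    for key, name, data in parse_reg_export(text):
        for key_suffix, name_re, data_re, label in INDICATORS:
            if not key.lower().endswith(key_suffix.lower()):
                continue
            if not re.search(name_re, name, re.IGNORECASE):
                continue
            if data_re and not re.search(data_re, data, re.IGNORECASE):
                continue
            hits.append((label, key, name, data))
    return hits


if __name__ == "__main__":
    for label, key, name, data in find_indicators(SAMPLE_EXPORT):
        print(f"{label}: [{key}] {name} = {data}")
```

The TCP/IP parameter values listed above are deliberately left out of the indicator table: they are ordinary stack tuning names that legitimate software and administrators also set, so on their own they would produce false positives; the firewall exception, the autostart value and the disabled wscsvc service are the reliable signals.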

Propagation

This worm uses the following list of user names and passwords to access password-protected shared files (the list as published does not separate user names from passwords):

  • Administrator
  • administrator
  • administrador
  • administrateur
  • administrat
  • admins
  • admin
  • staff
  • computer
  • owner
  • student
  • teacher
  • wwwadmin
  • guest
  • default
  • database
  • oracle
  • ADMINISTRATOR
  • Administrator
  • administrator
  • fubar
  • GUEST
  • ADMIN
  • PASSWORD
  • SHARE
  • ladeda
  • FILES
  • OWNER
  • Owner
  • ACCESS
  • BACKUP
  • SYSTEM
  • SERVER
  • pepsi
  • LOCAL
  • linux
  • changeme
  • Changeme
  • temp123
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 654321
  • 54321
  • 11111111
  • 88888888
  • passwd
  • database
  • abc123
  • oracle
  • sybase
  • 123qwe
  • computer
  • Internet
  • super
  • 123asd
  • ihavenopass
  • godblessyou
  • enable
  • 111111
  • 121212
  • 123123
  • 1234qwer
  • 123abc
  • alpha
  • patrick
  • foobar
  • Nilez
  • devil
  • netdevil
  • net-devil
  • 0wned
  • owned
  • irule
  • netfuck
  • fucked
  • crash
  • test123
  • secret
  • login
  • mypc123
  • admin123
  • pw123
  • mypass
  • mypass123
  • Matthew
  • satan
  • satanik
  • satanic
  • spaceman
  • heaven
  • 0wn3d
  • killer
  • hacker
  • hax0r
  • script
  • scriptkiddie
  • kiddie
  • uwontguessme
  • youwontguessme
  • guessme
  • xxxxx
  • xxxxxx
  • xxxxxxx
  • xxxxxxxx
  • xxxxxxxxx
  • death
  • testing
  • 00000
  • 000000
  • academia
  • academic
  • accept
  • account
  • action
  • adrian
  • adrianna
  • adult
  • aerobics
  • airplane
  • alaska
  • albany
  • albatros
  • albert
  • alert
  • alexande
  • algebra
  • alias
  • aliases
  • alice
  • alicia
  • alisa
  • alison
  • allison
  • allow
  • alphabet
  • amadeus
  • amanda
  • amber
  • america
  • amorphou
  • analog
  • anarchis
  • anarchy
  • anchor
  • andrea
  • android
  • andromac
  • angela
  • angerine
  • angie
  • animal
  • animals
  • anita
  • annette
  • anonymou
  • answer
  • anthrax
  • anthropo
  • anvils
  • anything
  • apollo13
  • april
  • ariadne
  • arlene
  • arrow
  • arthur
  • artist
  • asian
  • asshole
  • athena
  • atmosphe
  • attack
  • authoriz
  • aztecs
  • azure
  • bacchus
  • backdoor
  • badass
  • bailey
  • banana
  • bananas
  • bandit
  • banks
  • barbara
  • barber
  • baritone
  • bartman
  • baseball
  • basic
  • bassoon
  • batch
  • batman
  • beach
  • beammeup
  • beast
  • beater
  • beauty
  • beaver
  • becky
  • beethove
  • begin
  • behead
  • beloved
  • beowulf
  • berkeley
  • berlin
  • berliner
  • beryl
  • betsie
  • betty
  • beverly
  • bible
  • bicamera
  • bigfoot
  • binary
  • bishop
  • bitch
  • bitmap
  • bitnet
  • black
  • blonde
  • blondie
  • blood
  • bloodaxe
  • blowjob
  • blues
  • board
  • boner
  • boobs
  • boyscout
  • bradley
  • brandi
  • brandy
  • bravo
  • break
  • breast
  • brenda
  • brian
  • bridget
  • broadway
  • brothel
  • brunette
  • brute
  • brutefor
  • bulls
  • bullshit
  • bumbling
  • burgess
  • butch
  • butthead
  • californ
  • camille
  • campanil
  • camping
  • candi
  • candy
  • cantor
  • captain
  • capture
  • cardinal
  • caren
  • carla
  • carmen
  • carol
  • carole
  • carolina
  • caroline
  • carrie
  • carson
  • cascades
  • castle
  • catherin
  • catholic
  • cathy
  • cayuga
  • cecily
  • celtic
  • celtics
  • cerulean
  • change
  • charity
  • charles
  • charlie
  • charming
  • charon
  • chemistr
  • chess
  • chester
  • chris
  • christin
  • christy
  • cigar
  • cigarett
  • cindy
  • class
  • classes
  • classic
  • claudia
  • claymore
  • cleavage
  • clinton
  • cluster
  • clusters
  • coast
  • cocacola
  • cocainco
  • codename
  • codeword
  • coffee
  • collins
  • color
  • combat
  • comics
  • commit
  • commrade
  • company
  • computin
  • comrade
  • comrades
  • condo
  • condom
  • connect
  • connie
  • conserva
  • console
  • continue
  • cookbook
  • cookie
  • cooper
  • copper
  • corneliu
  • correct
  • counters
  • country
  • couscous
  • cowboy
  • crack
  • crackpot
  • cream
  • create
  • creation
  • creature
  • credit
  • creosote
  • cretin
  • crime
  • criminal
  • cristina
  • crystal
  • cshrc
  • customer
  • cyber
  • cyberpun
  • cyberspa
  • cynthia
  • daemon
  • daisy
  • dancer
  • daniel
  • danielle
  • danny
  • dapper
  • darkaven
  • deathsta
  • debbie
  • deborah
  • debug
  • december
  • default
  • DEFAULT
  • defoe
  • delta
  • deluge
  • democrat
  • denise
  • dennis
  • desiree
  • desktop
  • desperat
  • develop
  • device
  • diamond
  • diana
  • diane
  • diehard
  • dieter
  • digital
  • dinosaur
  • dipshit
  • direct
  • director
  • dirty
  • discipli
  • disclose
  • discover
  • diskette
  • disney
  • display
  • doctor
  • dollar
  • doom2
  • doomii
  • doomsday
  • doonesbu
  • doors
  • download
  • dragon
  • drdoom
  • drive
  • drought
  • duelist
  • dulce
  • duncan
  • dungeon
  • eager
  • eagle
  • earth
  • easier
  • eatme
  • eddie
  • edges
  • edinburg
  • edition
  • education
  • educatio
  • edwin
  • edwina
  • egghead
  • eiderdow
  • eileen
  • einsiein
  • einstein
  • elaine
  • elanor
  • electron
  • elephant
  • elizabet
  • ellen
  • email
  • emerald
  • emily
  • emmanuel
  • enemy
  • engine
  • engineer
  • england
  • english
  • enter
  • enterpri
  • enzyme
  • erenity
  • erica
  • erika
  • erotic
  • ersatz
  • establis
  • estate
  • eternity
  • euclid
  • evelyn
  • expert
  • explode
  • explore
  • explorer
  • explosiv
  • extensio
  • fairway
  • faith
  • falcon
  • false
  • family
  • farad
  • faraday
  • felicia
  • fender
  • fermat
  • ferrari
  • fidelity
  • field
  • fight
  • finite
  • firewall
  • fishers
  • flakes
  • float
  • florida
  • flower
  • flowers
  • foolproo
  • football
  • force
  • foresigh
  • forever
  • format
  • fornicat
  • forsythe
  • fourier
  • foxtrot
  • france
  • frank
  • freak
  • freedom
  • french
  • friday
  • friend
  • friends
  • frighten
  • fryguy
  • fucker
  • fucking
  • fuckme
  • fuckyou
  • fudge
  • function
  • fungible
  • gabriel
  • games
  • gardner
  • garfield
  • gateway
  • gatherin
  • gauss
  • george
  • gertrude
  • ghost
  • gibson
  • gigabyte
  • ginger
  • glacier
  • golden
  • golfer
  • gorgeous
  • gorges
  • gosling
  • gouge
  • govermen
  • grades
  • graham
  • grahm
  • grand
  • grant
  • great
  • green
  • group
  • gryphon
  • guardian
  • gucci
  • guess
  • guitar
  • gumption
  • guntis
  • hacked
  • hagar
  • hallowee
  • hamlet
  • hamster
  • handel
  • handily
  • handjob
  • happenin
  • hardcore
  • harddriv
  • harmony
  • harold
  • harvey
  • haven
  • hawaii
  • headbang
  • heathen
  • heather
  • hebrides
  • heidi
  • heinlein
  • hello
  • herbert
  • heroin
  • hewlett
  • hexadeci
  • hiawatha
  • hibernia
  • hidden
  • highland
  • hitler
  • holly
  • hollywoo
  • homepage
  • homer
  • homework
  • honey
  • hooker
  • hooters
  • horny
  • horrible
  • horror
  • horse
  • horus
  • hotdog
  • hotel
  • hunter
  • hutchins
  • hydrogen
  • hyper
  • hypertxt
  • icecream
  • illumina
  • image
  • imbrogli
  • immortal
  • imperial
  • include
  • india
  • indian
  • indiana
  • indians
  • ingres
  • ingress
  • ingrid
  • innocuou
  • input
  • inside
  • integer
  • invent
  • irene
  • irishman
  • jackie
  • janet
  • janice
  • janie
  • japan
  • jasmin
  • jeanne
  • jenni
  • jennifer
  • jenny
  • jerry
  • jerusale
  • jessica
  • jester
  • jewelry
  • jixian
  • joanne
  • johndoe
  • johnny
  • joseph
  • joshua
  • journal
  • joyce
  • judith
  • juggle
  • juicy
  • julia
  • julie
  • juliet
  • jupiter
  • karen
  • karie
  • karina
  • katana
  • kathleen
  • kathrine
  • kathy
  • katina
  • katrina
  • kelly
  • kermit
  • kernel
  • kerri
  • kerrie
  • kerry
  • kevin
  • keybord
  • keyin
  • keyword
  • killthem
  • kimberly
  • kirkland
  • kissmyas
  • kitten
  • klingon
  • knife
  • knight
  • knightma
  • known
  • krista
  • kristen
  • kristi
  • kristie
  • kristin
  • kristine
  • kristy
  • ladies
  • ladle
  • lakers
  • lambda
  • laminati
  • laptop
  • larkin
  • larry
  • laser
  • laura
  • lazarus
  • lazer
  • lebesgue
  • leftwing
  • legal
  • leland
  • leroy
  • lesbian
  • leslie
  • letmein
  • lewis
  • lexluthe
  • liberal
  • library
  • licker
  • light
  • lightsab
  • limbaugh
  • limited
  • linda
  • literatu
  • lockout
  • lockword
  • logic
  • loginwor
  • logout
  • lolopc
  • loose
  • lorin
  • lorraine
  • loser
  • louis
  • lovebug
  • lover
  • lucus
  • lynne
  • machine
  • macintos
  • macro
  • maggot
  • magic
  • magnet
  • maint
  • malcolm
  • malcom
  • manager
  • marci
  • marcy
  • maria
  • mariens
  • marietta
  • marijuan
  • marines
  • markus
  • marni
  • marriage
  • marty
  • marvin
  • mason
  • master
  • maurice
  • meagan
  • megabyte
  • megadeth
  • megan
  • melissa
  • mellon
  • melrose
  • member
  • memory
  • menace
  • mercury
  • merlin
  • metal
  • metalhea
  • metalica
  • michael
  • michel
  • michelan
  • michele
  • michelle
  • mickey
  • micro
  • microchi
  • micropro
  • microsof
  • midieval
  • minimum
  • minsky
  • misfit
  • mission
  • modem
  • mogul
  • moguls
  • monday
  • monica
  • moose
  • morley
  • morris
  • mortal
  • mortalco
  • mortgage
  • mosaic
  • mountain
  • mouse
  • movie
  • movies
  • mozart
  • msdos
  • muppets
  • mutant
  • nagel
  • nancy
  • napoleon
  • nepenthe
  • neptune
  • netscape
  • network
  • newborn
  • newsgrou
  • newton
  • newyork
  • nicole
  • nicotine
  • night
  • nightmar
  • nintendo
  • nnaacp
  • noble
  • nobody
  • noreen
  • notes
  • novel
  • november
  • noxious
  • nuclear
  • nukem
  • number
  • nutritio
  • nyquist
  • obscurit
  • oceanogr
  • ocelot
  • office
  • oldage
  • olivetti
  • olivia
  • omega
  • opening
  • openlock
  • opensesa
  • operator
  • orient
  • orwell
  • oscar
  • osiris
  • outdoors
  • outlaw
  • output
  • outside
  • oxford
  • pacific
  • packard
  • packer
  • painless
  • paint
  • pakistan
  • pamela
  • paper
  • papers
  • pascal
  • passphra
  • paste
  • patricia
  • patriot
  • patty
  • paula
  • peanuts
  • pecker
  • pencil
  • penelope
  • penguin
  • penis
  • penname
  • pentagon
  • pentagra
  • penthous
  • pentium
  • peoria
  • pepper
  • percolat
  • perfect
  • permit
  • persimmo
  • persona
  • pervert
  • peter
  • philip
  • phoenix
  • phone
  • photon
  • phrack
  • phrase
  • phreak
  • phuck
  • pierre
  • pinname
  • pizza
  • plane
  • playboy
  • plover
  • pluto
  • plymouth
  • poetry
  • police
  • polly
  • polynomi
  • ponderin
  • porno
  • porsche
  • poster
  • power
  • praise
  • precious
  • prelude
  • presto
  • prince
  • princeto
  • printer
  • private
  • privs
  • proceed
  • processo
  • professo
  • profile
  • program
  • prompt
  • protect
  • protozoa
  • psycho
  • psychopa
  • public
  • pumpkin
  • puneet
  • punisher
  • puppet
  • pussy
  • quebec
  • qwert
  • qwerty
  • rabbit
  • rachel
  • rachelle
  • rachmani
  • rainbow
  • raindrop
  • raleigh
  • random
  • rascal
  • razor
  • reagan
  • reality
  • really
  • reaper
  • rebal
  • rebecca
  • rebel
  • record
  • reddawn
  • redhead
  • referenc
  • regional
  • release
  • remote
  • renee
  • report
  • republic
  • resistan
  • reveal
  • rhino
  • riffraff
  • right
  • rightwin
  • ripple
  • roach
  • robert
  • robin
  • robot
  • robotics
  • robyn
  • rochelle
  • rocheste
  • rocky
  • rockyhor
  • rodent
  • rolex
  • romano
  • romeo
  • romulan
  • ronald
  • rosebud
  • rosemary
  • roses
  • rough
  • rubber
  • ruben
  • rules
  • running
  • salami
  • samantha
  • sample
  • sandra
  • sandy
  • sarah
  • saturday
  • saturn
  • saxon
  • scamper
  • scheme
  • school
  • schoolsucks
  • scifi
  • scorpion
  • scott
  • scotty
  • scout
  • search
  • security
  • sensor
  • sentinel
  • sentry
  • serenity
  • serial
  • service
  • sesame
  • shannon
  • sharc
  • shark
  • sharks
  • sharon
  • sheffiel
  • sheldon
  • shell
  • sherri
  • shift
  • shirley
  • shitpot
  • shiva
  • shivers
  • short
  • shuttle
  • sierra
  • signatur
  • silver
  • simcity
  • simon
  • simple
  • simpsons
  • simulati
  • singer
  • single
  • skull
  • slave
  • slick
  • sliders
  • small
  • smart
  • smile
  • smiles
  • smooch
  • smother
  • snach
  • snafu
  • snake
  • snatch
  • snoopy
  • social
  • socrates
  • sodomy
  • software
  • somebody
  • sondra
  • sonia
  • sonic
  • sonya
  • sossina
  • source
  • south
  • spaceshi
  • sparrows
  • spear
  • spell
  • spice
  • spider
  • spiderma
  • spred
  • spring
  • springer
  • spunk
  • squires
  • stacey
  • staci
  • stacie
  • stacy
  • starship
  • start
  • startrek
  • startup
  • starwars
  • steak
  • steal
  • steel
  • steph
  • stephani
  • stereo
  • steve
  • stoneage
  • stoned
  • stones
  • strange
  • strangle
  • stratfor
  • streetfi
  • string
  • strip
  • student
  • stuttgar
  • subscrib
  • subway
  • success
  • suckmydi
  • sucks
  • summer
  • sunday
  • superman
  • superson
  • supersta
  • superuse
  • supervis
  • support
  • supporte
  • surfer
  • surfing
  • susan
  • susanne
  • susie
  • suzanne
  • suzie
  • swearer
  • sweat
  • switch
  • sword
  • sybil
  • symmetry
  • sysadmin
  • sysop
  • tabasco
  • tamara
  • tamie
  • tammy
  • tangerin
  • tango
  • target
  • tarragon
  • taylor
  • teacher
  • teapot
  • tears
  • teenage
  • telephon
  • telnet
  • temptati
  • tennis
  • terminal
  • terminat
  • tetris
  • thailand
  • theresa
  • thursday
  • tiffany
  • tiger
  • toggle
  • token
  • tokenrin
  • tomato
  • topograp
  • tortoise
  • toxic
  • toyota
  • traci
  • tracie
  • tracy
  • trails
  • transfer
  • trapdoor
  • trisha
  • trivial
  • trojan
  • trombone
  • truth
  • tubas
  • tuesday
  • tuttle
  • umesh
  • uncle
  • unhappy
  • unicorn
  • uniform
  • universa
  • universe
  • universi
  • unknown
  • unlock
  • upload
  • uranus
  • urchin
  • ursula
  • usenet
  • usermane
  • username
  • utility
  • vagina
  • valerie
  • vampire
  • vasant
  • venus
  • veronica
  • vertigo
  • vicky
  • victor
  • video
  • videogam
  • village
  • virgin
  • virginia
  • virus
  • visitor
  • visual
  • visualba
  • vodka
  • warez
  • warfare
  • wargames
  • warren
  • watchwor
  • water
  • webpage
  • wednesda
  • weenie
  • wendi
  • wendy
  • werewolf
  • western
  • whatever
  • whatnot
  • whisky
  • white
  • whiting
  • whitney
  • wholesal
  • whore
  • william
  • williams
  • willie
  • wilma
  • windows
  • winston
  • wired
  • wisconsi
  • wiseass
  • within
  • wizard
  • wolverin
  • woman
  • wombat
  • women
  • woodwind
  • wordperf
  • wormwood
  • wyoming
  • xmodem
  • xyzzy
  • yankee
  • yellow
  • yellowst
  • yolanda
  • yosemite
  • young
  • zebra
  • zeitgeis
  • ziggy
  • zimmerma
  • zmodem
  • zombie
  • 00000000
  • tester
  • testin
  • Rosco
  • RoscoP
  • RoscoPColtrane
  • dudette
  • Alexander
  • donaldduck
  • wileecoyote
  • windowz
  • windoze
  • windose
  • billy
  • WindowsXP
  • windows2k
  • windowsME
  • windows98
  • windows95
  • windozexp
  • windoze2k
  • windozeME
  • windoze98
  • windoze95
  • wh0r3
  • wh0re
  • haxing
  • h4x1ng
  • h4x0r1ng
  • h4x0ring
  • albatross
  • amorphous
  • andromache
  • anthropogenic
  • atmosphere
  • beethoven
  • bicameral
  • campanile
  • catherine
  • chemistry
  • christina
  • christine
  • commrades
  • cornelius
  • desperate
  • discovery
  • edinburgh
  • eiderdown
  • elizabeth
  • enterprise
  • establish
  • extension
  • foolproof
  • foresight
  • happening
  • imbroglio
  • innocuous
  • lamination
  • macintosh
  • nutrition
  • oceanography
  • percolate
  • persimmon
  • polynomial
  • pondering
  • princeton
  • professor
  • rachmaninoff
  • rochester
  • sheffield
  • signature
  • stephanie
  • stratford
  • stuttgart
  • superstage
  • superuser
  • supported
  • tangerine
  • telephone
  • temptation
  • topography
  • wholesale
  • williamsburg
  • wisconsin
  • yellowstone
  • zimmerman
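
The dictionary attack above shows up on a target as a burst of failed logons from one source against many different account names. The detection below is an added example by the editor, not part of the original analysis: it reads failed-logon records, flags any source that fails against several distinct accounts inside a short window, and reports how many of those accounts appear in the worm's own list. The record format and the sample lines are constructed; real deployments would map them from the Security event log or an SMB server's audit log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Entries near the top of the worm's list that read as account names
# (the list as published does not separate user names from passwords).
WORM_ACCOUNTS = {
    "administrator", "administrador", "administrateur", "administrat",
    "admins", "admin", "staff", "computer", "owner", "student", "teacher",
    "wwwadmin", "guest", "default", "database", "oracle",
}

# Constructed record format (editor's own, not a Windows event layout):
#   <ISO timestamp> src=<ip> account=<name> result=FAIL|OK
LINE_RE = re.compile(r"^(\S+) src=(\S+) account=(\S+) result=(FAIL|OK)$")

SAMPLE_LOG = """\
2010-02-22T10:15:01 src=10.0.0.23 account=Administrator result=FAIL
2010-02-22T10:15:02 src=10.0.0.23 account=admin result=FAIL
2010-02-22T10:15:04 src=10.0.0.23 account=guest result=FAIL
2010-02-22T10:15:05 src=10.0.0.23 account=owner result=FAIL
2010-02-22T10:15:07 src=10.0.0.23 account=student result=FAIL
2010-02-22T10:15:09 src=10.0.0.23 account=teacher result=FAIL
2010-02-22T10:15:12 src=10.0.0.23 account=oracle result=FAIL
2010-02-22T10:20:00 src=10.0.0.5 account=jsmith result=FAIL
2010-02-22T10:21:30 src=10.0.0.5 account=jsmith result=FAIL
2010-02-22T10:23:00 src=10.0.0.5 account=jsmith result=OK
"""


def parse_failures(text):
    """Yield (timestamp, source ip, account) for each failed logon line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(4) == "FAIL":
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()


def detect_dictionary_attack(events, window=timedelta(seconds=60), min_accounts=5):
    """Return {source: {"accounts": set, "worm_list_hits": set}} for every
    source that failed against at least `min_accounts` distinct accounts
    inside `window`. A user mistyping one password repeatedly never trips
    this: the count is of distinct account names, not of attempts."""
    by_source = defaultdict(list)
    for ts, src, account in events:
        by_source[src].append((ts, account))
    flagged = {}
    for src, evs in by_source.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            accounts = {a for _, a in evs[start:end + 1]}
            if len(accounts) >= min_accounts:
                hit = flagged.setdefault(src, {"accounts": set(), "worm_list_hits": set()})
                hit["accounts"] |= accounts
                hit["worm_list_hits"] |= accounts & WORM_ACCOUNTS
    return flagged


if __name__ == "__main__":
    for src, info in detect_dictionary_attack(parse_failures(SAMPLE_LOG)).items():
        print(src, sorted(info["accounts"]),
              "worm-list overlap:", len(info["worm_list_hits"]))
```

Thresholds are a tuning decision: five distinct accounts in a minute is far beyond what a person produces by hand, but a help desk script or a vulnerability scanner can look similar, so the overlap with the worm's account list is what separates this worm from other noise.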

It exploits the following software vulnerabilities to propagate to other computers across a network:

  • MS03-039 Buffer Overrun In RPCSS Service

Backdoor Routine

This worm listens on the following port(s):

  • TCP port 4003

It connects to any of the following IRC server(s):

  • {BLOCKED}.pwnz.org

It executes the following commands from a remote malicious user:

  • Download and execute files
  • Send files
  • Launch DDOS attack
  • Terminate antivirus/firewall processes
  • Obtain certain system information
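
A quick host check for the backdoor listener, added here by the editor as an example and not part of the original analysis: it parses the output of `netstat -ano` and `tasklist` (both present on Windows XP and Server 2003), joins the two on PID, and reports a LISTENING socket on TCP 4003 together with any outbound connection owned by a process named windowsupdate.exe. The command output embedded below is constructed; the remote address and port in it are placeholders, since the analysis names only the IRC host, not the port.

```python
import re

BACKDOOR_PORT = 4003            # from the analysis above
DROPPED_IMAGE = "windowsupdate.exe"

# netstat -ano columns: Proto, Local Address, Foreign Address, [State], PID
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# tasklist columns: Image Name, PID, Session Name, Session#, Mem Usage
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

# Constructed output, trimmed to the relevant lines (editor's sample).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1040
  TCP    0.0.0.0:4003           0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.20:1044      198.51.100.7:6667      ESTABLISHED     1532
  UDP    0.0.0.0:445            *:*                                    4
"""
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                   1040 Console                    0      4,912 K
windowsupdate.exe             1532 Console                    0      3,204 K
"""


def parse_netstat(text):
    """Return one dict per socket line of `netstat -ano` output."""
    socks = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, laddr, lport, faddr, state, pid = m.groups()
            socks.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                          "faddr": faddr, "state": state or "", "pid": int(pid)})
    return socks


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist` output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def find_backdoor(netstat_text, tasklist_text, port=BACKDOOR_PORT):
    """Report the backdoor listener and any connection owned by the dropped image."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for s in parse_netstat(netstat_text):
        image = procs.get(s["pid"], "<unknown>")
        if s["proto"] == "TCP" and s["lport"] == port and s["state"] == "LISTENING":
            findings.append({"reason": f"TCP {port} listener", "pid": s["pid"], "image": image})
        elif image.lower() == DROPPED_IMAGE and s["faddr"] not in ("0.0.0.0:0", "*:*"):
            findings.append({"reason": "connection from dropped image", "pid": s["pid"],
                             "image": image, "remote": s["faddr"]})
    return findings


if __name__ == "__main__":
    for f in find_backdoor(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f)
```

Run the two commands on the suspect host, save their output, and feed the files to `find_backdoor`; because the worm adds its own Windows Firewall exception, the listener is reachable from the network even with the firewall enabled, so a listener on 4003 owned by windowsupdate.exe should be treated as a live remote-access channel rather than a leftover.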

Denial of Service (DoS) Attack

This worm launches the following types of flood attack against target sites:

  • Ping Flood
  • SYN Flood
  • UDP Flood

Information Theft

This worm targets the following websites and keywords:

  • e-gold
  • PayPal
  • StormPay
  • Vodafone
  • Poste Italiane
  • Yahoo!
  • Banca Sella
  • Bank Of America
  • Benvenuto a gmail
  • banca
  • poker
  • rapidshare

It steals CD keys, serial numbers, and/or the application product IDs of certain software.

It logs a user's keystrokes to steal information.

  SOLUTION

Minimum Scan Engine: 8.900
FIRST VSAPI PATTERN FILE: 6.874.08
FIRST VSAPI PATTERN DATE: 25 Feb 2010
VSAPI OPR PATTERN File: 6.875.00
VSAPI OPR PATTERN Date: 25 Feb 2010

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Delete these registry values

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Do this step only if you know how, or ask your system administrator for assistance. Otherwise, consult Microsoft's documentation on backing up and editing the registry before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\OLE
    • Windows Firewall Updater = windowsupdate.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    • EnableRemoteConnect = N
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Windows Firewall Updater = windowsupdate.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    • Windows Firewall Updater = windowsupdate.exe
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    • AutoShareServer = 0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    • AutoShareWks = 0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • C:\WINDOWS\System32\windowsupdate.exe = C:\WINDOWS\System32\windowsupdate.exe:*:Enabled:Windows Firewall Updater
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • AllowUnqualifiedQuery = dword:00000000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • PrioritizeRecordData = dword:00000001
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • TCP1320Opts = dword:00000003
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • KeepAliveTime = dword:00023280
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • BcastQueryTimeout = dword:000002ee
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • BcastNameQueryCount = dword:00000001
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • CacheTimeout = dword:0000ea60
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • Size/Small/Medium/Large = dword:00000003
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • LargeBufferSize = dword:00001000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • SynAckProtect = dword:00000002
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • PerformRouterDiscovery = dword:00000000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • EnablePMTUBHDetect = dword:00000000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • FastSendDatagramThreshold = dword:00000400
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • StandardAddressLength = dword:00000018
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DefaultReceiveWindow = dword:00004000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DefaultSendWindow = dword:00004000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • BufferMultiplier = dword:00000200
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • PriorityBoost = dword:00000002
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • IrpStackSize = dword:00000004
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • IgnorePushBitOnReceives = dword:00000000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DisableAddressSharing = dword:00000000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • AllowUserRawAccess = dword:00000000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DisableRawSecurity = dword:00000000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DynamicBacklogGrowthDelta = dword:00000032
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • FastCopyReceiveThreshold = dword:00000400
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • LargeBufferListDepth = dword:0000000a
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • MaxActiveTransmitFileCount = dword:00000002
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • MaxFastTransmit = dword:00000040
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • OverheadChargeGranularity = dword:00000001
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • SmallBufferListDepth = dword:00000020
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • SmallerBufferSize = dword:00000080
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • TransmitWorker = dword:00000020
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DNSQueryTimeouts = {hex values}
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DefaultRegistrationTTL = dword:00000014
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DisableReplaceAddressesInConflicts = dword:00000000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DisableReverseAddressRegistrations = dword:00000001
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • UpdateSecurityLevel = dword:00000000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DisjointNameSpace = dword:00000001
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • QueryIpMatching = dword:00000000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • NoNameReleaseOnDemand = dword:00000001
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • EnableDeadGWDetect = dword:00000000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • EnableFastRouteLookup = dword:00000001
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • MaxFreeTcbs = dword:000007d0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • MaxHashTableSize = dword:00000800
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • SackOpts = dword:00000001
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • Tcp1323Opts = dword:00000003
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • TcpMaxDupAcks = dword:00000001
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • TcpRecvSegmentSize = dword:00000585
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • TcpSendSegmentSize = dword:00000585
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DefaultTTL = dword:00000030
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • TcpMaxHalfOpen = dword:0000004b
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • TcpMaxHalfOpenRetried = dword:00000050
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • TcpTimedWaitDelay = dword:00000000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • MaxNormLookupMemory = dword:00030d40
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • FFPControlFlags = dword:00000001
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • FFPFastForwardingCacheSize = dword:00030d40
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • MaxForwardBufferMemory = dword:00019df7
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • MaxFreeTWTcbs = dword:000007d0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • GlobalMaxTcpWindowSize = dword:0007d200
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • EnablePMTUDiscovery = dword:00000001
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • ForwardBufferMemory = dword:00019df7
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
    • Start = dword:00000004

Step 3

Restore these modified registry values


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how to, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    • From: EnableDCOM = N
      To: EnableDCOM = Y
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    • From: restrictanonymous = 1
      To: restrictanonymous = 0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    • From: Start = 4
      To: Start = 2
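The following PowerShell script is an added example and is not part of the Trend Micro description or its tools. It audits the three values listed in this step, reports any that still hold the worm's setting, and, only when run with -Restore, writes back the original values given above. It also reports the disabled Security Center service (wscsvc Start = 4) from the deletion list above without changing it. It assumes it is run in an elevated PowerShell session on the affected host; the hashtable field names (Infected, Clean) are this example's own.

```powershell
# Added example (not Trend Micro's code): audit and optionally restore the
# registry values WORM_IRCBOT.ABJ modifies. Reports only unless -Restore is given.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Restore)

# Worm setting -> original setting, exactly as listed in the restore step.
$modified = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole';                     Name = 'EnableDCOM';        Infected = 'N'; Clean = 'Y' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';       Name = 'restrictanonymous'; Infected = 1;   Clean = 0   }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'; Name = 'Start';             Infected = 4;   Clean = 2   }
)

$findings = @()
foreach ($v in $modified) {
    # Read the current value; a missing value is not an indicator, so skip it.
    $current = (Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
    if ($null -eq $current) {
        Write-Verbose "$($v.Path)\$($v.Name) not present"
        continue
    }
    # Compare as strings so 'N' and 1 are handled by the same branch.
    if ("$current" -eq "$($v.Infected)") {
        $findings += "$($v.Path)\$($v.Name) = $current (worm setting; original is $($v.Clean))"
        if ($Restore -and $PSCmdlet.ShouldProcess("$($v.Path)\$($v.Name)", "set to $($v.Clean)")) {
            # An [int] writes REG_DWORD, a [string] writes REG_SZ, matching the originals.
            Set-ItemProperty -Path $v.Path -Name $v.Name -Value $v.Clean
        }
    }
}

# The deletion list above includes wscsvc Start = 4, i.e. the Windows Security
# Center service set to Disabled. Report it; the description says to delete it.
$wsc = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'
$wscStart = (Get-ItemProperty -Path $wsc -Name Start -ErrorAction SilentlyContinue).Start
if ($wscStart -eq 4) {
    $findings += "$wsc\Start = 4 (Security Center service disabled)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No WORM_IRCBOT.ABJ registry modifications found.'
} else {
    Write-Output "Found $($findings.Count) indicator(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Because the script declares SupportsShouldProcess, running it with -Restore -WhatIf shows which values would be changed without touching the registry. The same table-driven check can be extended to the Tcpip\Parameters value names in the deletion list, but those names are also legitimate TCP/IP tunables, so their mere presence is a weaker indicator than the three restore-step values.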

Step 4

Scan your computer with your Trend Micro product to delete files detected as WORM_IRCBOT.ABJ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 5

Download and apply this security patch. Refrain from using these products until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors.

