Worm.Win32.Slackor

Class Worm
Platform Win32
Description

Technical Details

This is a multi-component network worm. The worm spreads over shared network resources. The worm has bugs and has a little chance to spread over networks.

The worm’s components are:

 cnn3.exe   - the main component (Win32 EXE file about 350K of size)
 abc.bat    - BAT file (about 1344 bytes)
 main.exe   - trojan component (Win32 EXE file, 53280 bytes)
 psexec.exe - remote execution utility (not a virus/trojan, Win32 EXE file, 122880 bytes)
 slacke-worm.exe - searches for network addresses (Win32 EXE files, 25K/28K depending on worm version)

The main worm component is “trojan dropping” utility and is detected as
“TrojanDropper.Win32.Yabinder”.

On run it creates the “C:sp” subdirectory, drops and executes following files in there:

 C:spabc.bat
 C:spmain.exe
 C:sppsexec.exe
 C:spslacke-worm.exe

The “main.exe” component is the backdoor trojan, and it is detected as “Backdoor.SdBot”.

The “slacke-worm.exe” component looks for network resources and tries to copy and activate worm copy in there with a help of two other components:

 abc.bat - tries to connect to a remote resource by trying a set of logins and passwords
 psexec.exe - is used to run remote worm copy on remote computer.