W32/Nirbot.worm!RpcDns

Type: Internet Worm
SubType: Internet Relay Chat Worm
Discovery Date: 04/16/2007
Length: Varies
Minimum DAT: 5011 (04/17/2007)
Updated DAT: 5053 (06/14/2007)
Minimum Engine: 5.1.00
Description Added: 04/16/2007
Description Modified: 04/16/2007 9:06 PM (PT)
Risk Assessment:
  • Corporate User: Low
  • Home User: Low

Characteristics

This variant of W32/Nirbot.worm.gen also tries to exploit the Microsoft DNS Server Service RPC vulnerability on DNS servers. More information regarding this vulnerability can be found at:

For more details on these variants, please refer to W32/Nirbot.worm!83E1220A.

Symptoms

  • Unusual network activity, specifically IRC traffic.
  • Unexpected internal HTTP traffic over non-standard ports.
  • Unusual DNS queries. Some variants have been observed sending DNS queries for various nonexistent domains to verify the connection to a real DNS server to prevent research in simulated

For more details on these variants, please refer to W32/Nirbot.worm!83E1220A.

    Method of Infection

    This W32/Nirbot.worm variant scans for vulnerable machines on the network, and uses the same vulnerabilities as W32/Nirbot.worm.gen plus the new RPC vulnerability.

    For more details on these variants, please refer to W32/Nirbot.worm!83E1220A.

    Removal

    AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

    Additional Windows ME/XP removal considerations

    Variants

    • W32/Nirbot.worm!83E1220A

    Overview

    W32/Nirbot.worm!RpcDns is an Internet Relay Chat (IRC) controlled backdoor that provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam, install adware, distribute illegal content or launch a DDoS attack on internet systems. For more details on these variants, please refer to W32/Nirbot.worm!83E1220A.
