| Description:
|
Details
Worm.Win32.Lemoor.a
This worm spreads via the Internet, propagating via a vulnerability in the FTP server of Worm.Win32.Sasser.
Only computers which have already been infected by Sasser are vulnerable to Lemoor.
Lemoor is written in Assembler, and is packed using FSG. The packed file is 1985 bytes in size, and the unpacked file is approximately 20992 bytes in size.
Installation
When lanuching, the worm registers itself in the sytem registry, to ensure that it is run each time the system is launched:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
[Ephemeral 2.4] by TreeHugger, =
Propagation
The worm sends a broadcast quest and waits for responses from machines infected by Sasser.
When it receives an answer from a victim machine, it utilizes a vulnerability in the FTP server installed by Sasser to launch its command shell on a randomly chosen port. It then sends its body to the victim machine and launches it.
Other
The worm is only programmed to propagate: it does not have any other payload. |
