Discovered: August 2, 2003
Updated: February 13, 2007 12:04:23 PM
Also Known As: Win32.RPC.A [CA], Worm.Win32.Autorooter.a [KAV], Backdoor.IRCBot.gen [KAV], Exploit.Win32.DCom.b [KAV], Downloader-DM [McAfee], W32/Lolol.worm.gen [McAfee], Exploit-DcomRpc [McAfee]
Type: Trojan Horse
Systems Affected: Windows 2000, Windows NT, Windows XP
Backdoor.IRC.Cirebot is a Trojan Horse that exploits the Microsoft DCOM RPC vulnerability (described in
Microsoft Security Bulletin MS03-026) by installing a backdoor Trojan Horse on vulnerable systems. Backdoor.IRC.Cirebot consists of a Backdoor component and a Hacktool component, which installs the backdoor on systems that are vulnerable to the exploit.
Some signs of infection may include:
- The existence of the file C:\Rpc.exe, C:\Rpctest.exe, or C:\Lolx.exe. This could indicate that the computer has been infected.
- Traffic on port 445 to sequential IP addresses, which can indicate that the network is being attacked.
- An open port 57005 and an FTP connection on port 69 can indicate that the attack was successful, allowing access to a remote shell and the downloading of the backdoor.
Protection
-
Initial Rapid Release version August 4, 2003
-
Latest Rapid Release version August 20, 2008 revision 017
-
Initial Daily Certified version August 4, 2003
-
Latest Daily Certified version August 20, 2008 revision 016
-
Initial Weekly Certified release date August 6, 2003
Click for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat Assessment
Wild
-
Wild Level: Low
-
Number of Infections: 0 - 49
-
Number of Sites: 0 - 2
-
Geographical Distribution: Low
-
Threat Containment: Easy
-
Removal: Moderate
Damage
Distribution
-
Distribution Level: Medium
Writeup By: Heather Shannon
