Winxor.A
Winxor.A is the first malicious code designed to exploit a vulnerability in the WINS service, which allows arbitrary code to be run on Windows 2003/XP/2000/NT/Me/98/95 servers. Winxor.A can also affect computers running Windows 2003/XP/2000/NT/Me/98/95.

Winxor.A connects to an IRC server and waits for control commands (such as download files or run programs). When the author of this malicious code specifies, Winxor.A scans IP addresses in order to find open ports. If these belong to servers that are affected by this security flaw, it installs an FTP server on port 36010 and uses it to transfer itself to these computers.

When it has reached a computer, Winxor.A carries out the following actions:

- It creates two files: CCEVTMNGR.EXE, which is a copy of itself, and CCSETMNGR.EXE, which is a component that looks for remote computers affected by the vulnerability in the WINS service in order to try and exploit it.
- It generates several entries in the Windows Registry in order to ensure it is run whenever the computer is started and thereby register as a Windows service.

Breacuk.E is a worm that spreads via the P2P (peer-to-peer) file sharing program KaZaA. To do this, it follows the routine below:

- It creates a directory called SOFTWARE KINGS AND QUEENS in the Windows directory and shares it through KaZaA.
- In this directory it creates multiple copies of itself under attractive names, so that other users download them, thinking that they are games or other applications. However, when the downloaded file is run, the computer will be infected by Breacuk.E.

Breacuk.E deletes files with certain extensions, including: EXE, DLL, OCX and BMP, preventing certain applications from working correctly. What's more, this malicious code causes problems on switching on the affected computer.
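A host check built only from the indicators named in the post above, as an added example that is not part of the original post or of any vendor tool: it parses a `dir /s /b` style file listing and `netstat -an` output collected from a host. The function names, sample paths and sample netstat rows are constructed for illustration, and the post does not say where the two Winxor.A files are written, so any location is matched.

```python
import re

# Indicators as stated in the post above; nothing else is assumed about the malware.
WINXOR_FILES = {"ccevtmngr.exe", "ccsetmngr.exe"}
WINXOR_FTP_PORT = 36010
BREACUK_DIR = "software kings and queens"

# TCP rows of Windows `netstat -an` / `-ano` output (IPv4 or bracketed IPv6).
NETSTAT_ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+(\S+)(?:\s+\d+)?\s*$", re.I)

def listening_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m and m.group(2).upper() == "LISTENING":
            ports.add(int(m.group(1)))
    return ports

def triage(file_listing, netstat_text):
    """Return sorted (family, indicator, evidence) findings for one host."""
    findings = set()
    for raw in file_listing.splitlines():
        parts = [p for p in re.split(r"[\\/]+", raw.strip()) if p]
        lowered = [p.lower() for p in parts]
        if lowered and lowered[-1] in WINXOR_FILES:
            findings.add(("Winxor.A", "file", parts[-1]))
        if BREACUK_DIR in lowered:
            # Report the directory once, however many copies sit inside it.
            idx = lowered.index(BREACUK_DIR)
            findings.add(("Breacuk.E", "directory", "\\".join(parts[:idx + 1])))
    if WINXOR_FTP_PORT in listening_ports(netstat_text):
        findings.add(("Winxor.A", "listener", "tcp/%d" % WINXOR_FTP_PORT))
    return sorted(findings)

# Constructed sample input (not captured from a real host).
SAMPLE_FILES = r"""
C:\WINDOWS\system32\CCEVTMNGR.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SOFTWARE KINGS AND QUEENS\game_setup.exe
C:\WINDOWS\SOFTWARE KINGS AND QUEENS\photo_tool.exe
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:36010          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1045          10.0.0.9:36010         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""
if __name__ == "__main__": print(triage(SAMPLE_FILES, SAMPLE_NETSTAT))
```

Only a local listener on port 36010 is reported; the outbound connection to a remote port 36010 in the sample is deliberately not treated as a finding.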