W32/Banwor.worm.dll, W32/Banwor.worm, Worm.Banwor
Category: Computer Worm
18 Dec 2004
W32.Banwor is a backdoor worm that sends harvested authentication information to a remote master and opens a backdoor on the compromised machine. It attempts to propagate by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability.
W32.Banwor Removal Tool
If you have malware on your computer it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software.
We recommend that you scan your system for malware. Our partner offers a computer worm removal tool that automatically cleans W32.Banwor from your computer.
More details about W32.Banwor
Once executed on the infected system, W32.Banwor creates the files hwin16.dll, hwin32.dll, hwinsys32.dll, scan.exe, and syshost.exe in the C:\Windows folder. It then adds values to a registry subkey so that the threat runs each time the system boots. The gathered authentication details (usernames and passwords, IP addresses, clipboard contents, the Outlook mail address, and mail server settings) are sent by the worm to the address [email protected]
It then opens an FTP server on TCP port 21 and attempts to propagate by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. This vulnerability lies in the component of the Remote Procedure Call (RPC) facility that handles message exchange over TCP/IP.
The flaw is caused by incorrect handling of malformed messages. It affects the DCOM interface of RPC that listens on the RPC-designated ports; this interface handles the DCOM object activation requests that client systems send to the server. An attacker who successfully exploits the vulnerability can run code with LocalSystem privileges on the compromised machine. According to some research, the attacker (the worm's author or operator) can then install programs; view, delete or change data; and create new accounts with full privileges.
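The behaviour described above gives a defender a small set of host indicators: the five file names dropped into the Windows folder, an autostart entry that launches one of them, and an unexpected FTP listener on TCP port 21. The following triage script is an added example (it is not code from the original page or from any vendor's tool). It works on text inventories so it can be run offline against artefacts captured from a suspect host: a listing of the Windows folder, `netstat -ano`-style output, and autostart entries exported as (key, value name, command) tuples. The page does not name the registry subkey the worm uses, so the autostart check does not assume one; it flags any autostart command that points at one of the dropped files. All sample inputs below are constructed.

```python
"""Host triage for the W32.Banwor indicators in the write-up above.

Added example, not the page's own code. Operates on text inventories
(directory listing, netstat-style lines, exported autostart entries) so it
runs offline; the SAMPLE_* data at the bottom is constructed.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# File names the write-up says the worm drops into C:\Windows (Windows
# file names are case-insensitive, so everything is compared lower-cased).
BANWOR_FILES = {"hwin16.dll", "hwin32.dll", "hwinsys32.dll", "scan.exe", "syshost.exe"}

# The write-up says the worm opens an FTP server on TCP port 21.
FTP_BACKDOOR_PORT = 21

# Matches one `netstat -ano` TCP line in LISTENING state; group 3 (PID) is optional.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING(?:\s+(\d+))?", re.I)


def _basename(path: str) -> str:
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _command_image(command: str) -> str:
    """Extract the executable path from an autostart command line.

    Handles both `"C:\\dir\\prog.exe" /arg` and `C:\\dir\\prog.exe /arg`.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def find_dropped_files(listing: Sequence[str]) -> List[str]:
    """Return entries of a Windows-folder listing whose basename is an indicator."""
    return [entry for entry in listing if _basename(entry) in BANWOR_FILES]


def find_listeners(netstat_lines: Sequence[str],
                   ports: Sequence[int] = (FTP_BACKDOOR_PORT,)) -> List[Dict]:
    """Parse netstat-style lines and return TCP listeners on the given ports."""
    found = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        port = int(m.group(2))
        if port in ports:
            pid: Optional[int] = int(m.group(3)) if m.group(3) else None
            found.append({"addr": m.group(1), "port": port, "pid": pid})
    return found


def find_autorun_hits(autoruns: Sequence[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return autostart entries whose command launches one of the dropped files."""
    return [entry for entry in autoruns if _basename(_command_image(entry[2])) in BANWOR_FILES]


def triage(listing: Sequence[str], netstat_lines: Sequence[str],
           autoruns: Sequence[Tuple[str, str, str]]) -> Dict:
    """Combine the three checks into one verdict.

    Dropped files or an autostart entry pointing at them are specific to this
    worm and yield "likely infected". An FTP listener alone is ambiguous
    (legitimate FTP servers exist), so it only yields "review".
    """
    dropped = find_dropped_files(listing)
    listeners = find_listeners(netstat_lines)
    autorun_hits = find_autorun_hits(autoruns)
    if dropped or autorun_hits:
        verdict = "likely infected"
    elif listeners:
        verdict = "review"
    else:
        verdict = "clean"
    return {"dropped_files": dropped, "ftp_listeners": listeners,
            "autorun_hits": autorun_hits, "verdict": verdict}


# --- constructed sample artefacts (not real captures) ---------------------
SAMPLE_WINDIR = [r"C:\Windows\explorer.exe", r"C:\Windows\hwin32.dll",
                 r"C:\Windows\syshost.exe", r"C:\Windows\notepad.exe"]
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1488",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904",
    "  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4",
]
# The autostart key name is a placeholder; the write-up does not give the real one.
SAMPLE_AUTORUNS = [("<autostart key, constructed>", "Updater", r'"C:\Windows\syshost.exe" /q'),
                   ("<autostart key, constructed>", "Sound", r"C:\Windows\system32\ctfmon.exe")]

if __name__ == "__main__":
    print(triage(SAMPLE_WINDIR, SAMPLE_NETSTAT, SAMPLE_AUTORUNS))
```

Because the checks take plain text, the same functions can be pointed at a `dir /b`, `netstat -ano`, and an exported autostart list collected from a machine during incident response, without running anything on the suspect host itself.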