5/31: Poebot-LP Worm Uses Weak Passwords to Spread
W32/Poebot-LP is a worm for the Windows platform.
The worm spreads through network shares protected by weak passwords and through operating system vulnerabilities such as LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039), SRVSVC (MS06-040) and Dameware (CAN-2003-1030).
The backdoor component of W32/Poebot-LP connects to a predefined IRC server and awaits commands from remote attackers. The backdoor component of W32/Poebot-LP can be instructed by a remote user to perform the following functions:
- start an FTP server
- start a proxy server
- start a web server
- take part in distributed denial of service (DDoS) attacks
- log keypresses
- capture screen/webcam images
- packet sniffing
- port scanning
- download/execute arbitrary files
- start a remote shell (RLOGIN)
- steals information from the Protected Storage Area
- steal product registration information from certain software
More information can be found at this Sophos page.