W32/Polybot.l!irc Worm

03/08/04 - W32/Polybot.l!irc

This variant belongs to a family of IRC bots based on the W32/Gaobot.worm group. The worm has the following characteristics:

Spreads through shares
Stealthy and hides itself in memory. The file is deleted.
Connects to IRC servers to perform various functions
Terminates security services
Carries out Denial of Service attacks
Modifies the hosts file on the infected system
May spread through the MS03-026 vulnerability

For advice on detection and removal, please see the Removal Instructions.

Share Propagation

The worm attempts to spread through default administrative shares:

e$
d$
c
print$
c$
admin$

The worm contains a list of common usernames and passwords, made up of typical poor username/password combinations. Users should avoid securing shares with passwords containing key sequences such as:

pw
mypass
mypc
love
pwd
poiuytrewq
zxcvbnm
admin123
qwerty
red123
password123
abc123
qwertyuiop
z
secrets
homework
porn
baby
werty
mybox
school
work
metal
leet
pussy
vagina
mybaby
asdfghjkl
xxyyzz
69
private
test123
penis
kids
supersecret
superman
Login
xxx
zxcv
yxcv
secret
foobar
god
sex
pat
patrick
alpha
007
123abc
1234qwer
123123
121212
111111
110
2600
2002
enable
godblessyou
ihavenopass
123asd
super
123qwe
sybase
oracle
abcd
pass
88888888
11111111
00000000
000000
111
54321
654321
123456789
12345678
1234567
123456
12345
box
Box
BOX
666
PHP
ASP
changeme
fish
feds
UNIX
linux
devil
PASSWD
passwd
crash
own
pwned
CNN
wh0re
whore
backdoor
2004
Internet
idiot
gay
fucked
BACKUP
ACCESS
SERVER
LOCAL
SYSTEM
TEST
ROOT
r00t
share
TEMP
noob
rooted
ADMINISTRATOR
lol
owned
dude
hax
windoze
windows98
windowsME
windows2k
WindowsXP
!@#$%^&*
!@#$%^&
!@#$%^
!@#$%
asdfgh
!@#$
1234
123
12
Password
password
Admin
103015
student
teacher
database
mysql
OWNER
xp
computer
admins
mary
owner
wwwadmin
root
OEM
qwer
asdf
win
temp
pc
home
Dell
xyz
x
abc
aaa
Inviter
Gast
Guest
Test
server
user
Owner
administrador
User
Standard
mgmt
Convidado
Default
administrator
admin
kanri-sha
kanri
Ospite
Verwalter
Administrador
Coordinatore
Administrateur
Administrator
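
One way to apply the list above when a share or account password is chosen, as an added example (not code from the original alert or from the antivirus vendor): it rejects a candidate that equals a listed word or contains a listed key sequence. The word list is a subset of the one above, and the function names and the 4-character threshold for substring matching are assumptions made for this example.

```python
"""Screen candidate passwords against the word list a share-guessing worm carries."""

# Subset of the list printed in this alert (not the complete list).
WORM_WORDS = [
    "pw", "mypass", "love", "poiuytrewq", "zxcvbnm", "admin123", "qwerty",
    "password123", "abc123", "secret", "changeme", "123456", "1234", "12",
    "z", "x", "root", "r00t", "Administrator", "Guest", "owner", "WindowsXP",
    "!@#$%^", "asdfgh", "server", "temp",
]

# Assumption: entries shorter than this are matched exactly only, because
# "z" or "12" used as a substring would reject nearly every password.
MIN_SUBSTRING_LEN = 4


def build_index(words):
    """Return (exact-match set, key sequences sorted longest first)."""
    folded = {w.casefold() for w in words}
    sequences = sorted((w for w in folded if len(w) >= MIN_SUBSTRING_LEN),
                       key=lambda w: (-len(w), w))
    return folded, sequences


def check_password(candidate, words=WORM_WORDS):
    """Return the reason the candidate is guessable, or None if no match."""
    exact, sequences = build_index(words)
    pw = candidate.casefold()  # the list mixes cases (box/Box/BOX), so fold
    if pw in exact:
        return f"exact match for listed word '{pw}'"
    for seq in sequences:
        if seq in pw:
            return f"contains listed key sequence '{seq}'"
    return None


def screen(candidates, words=WORM_WORDS):
    """Map each rejected candidate to its reason; accepted ones are omitted."""
    results = {c: check_password(c, words) for c in candidates}
    return {c: reason for c, reason in results.items() if reason}


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for pw, why in screen(["Qwerty2004!", "z", "MyRootBox!", "x9$Lm"]).items():
        print(f"REJECT {pw!r}: {why}")
```

A candidate that passes this check is only clear of this particular list; it says nothing about length or overall strength.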

More info on this worm:
http://vil.nai.com/vil/content/v_101100.htm

Removal Instructions

Go to the following website for removal instructions:

http://vil.nai.com/vil/content/v_101100.htm

Download Stinger to Scan for infection:
http://vil.nai.com/vil/stinger
