Port No | 80 |
Service Name | APC |
RFC Doc | 0 |
Protocol | TCP |
Description | This worm arrives on target machines as WINSLOGON.EXE (note the extra "s": the legitimate Windows logon process is WINLOGON.EXE). It generates IP addresses and spreads by attempting to drop a copy of itself into the default shares of those addresses. If the shares are not accessible, it tries to log in with the lists of user names and passwords it carries.
It connects to an IRC server and joins a specific channel, where it listens for commands from a remote attacker and executes them locally on the affected machine. It can automatically notify bots of systems vulnerable to two Windows flaws. The first is the RPC/DCOM vulnerability (Microsoft Security Bulletin MS03-026), in which a malformed packet sent to the DCOM service on RPC TCP port 135 lets an attacker execute arbitrary code and gain full control of the target. The second is the Windows LSASS vulnerability (Microsoft Security Bulletin MS04-011; see also Trend Micro's vulnerability description for MS04-011), a buffer overrun that allows remote code execution and gives the attacker full control of the affected system.
The worm also steals CD keys, serial numbers and application product IDs of popular software, performs denial-of-service attacks against target sites, terminates antivirus, firewall and system-related processes, and blocks access to a list of sites in order to avoid detection. |
Reference Link | APC |
Attack | Solution: This procedure only terminates the running malware process; it does not delete the file from disk or remove any autorun entry the worm created, so the process can return at the next logon unless those are cleaned up as well.
Open Windows Task Manager. On Windows NT, 2000, and XP, press CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs, locate the process: winslogon.exe. Do not confuse it with winlogon.exe, the legitimate Windows logon process.
Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
To check that the malware process has been terminated, close Task Manager, open it again, and confirm that winslogon.exe is no longer listed. Close Task Manager. |
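The same locate-terminate-verify procedure as a script for hosts that have PowerShell, written here as an added example; it is not part of the original page or of the vendor's removal instructions, and the NT/2000/XP-era systems the manual steps target will not have PowerShell. It assumes the malware file is literally named winslogon.exe, and it only reports autorun entries that reference that name rather than deleting them. Run it from an elevated prompt so that process image paths and the HKLM keys are readable.

```powershell
# Added example: terminate winslogon.exe and verify, then report persistence.
# Assumption: the malware process is named exactly winslogon.exe. The similar
# name winlogon.exe (no "s") is the legitimate Windows logon process and is
# deliberately not matched by the name below.
$malwareName = 'winslogon'   # Get-Process -Name takes the name without .exe

# 1. Locate every running instance and record its on-disk path for later cleanup.
$procs = Get-Process -Name $malwareName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Output "No running process named $malwareName.exe found."
} else {
    foreach ($p in $procs) {
        $path = '<unknown: access denied or no main module>'
        try { $path = $p.MainModule.FileName } catch { }
        Write-Output ("Found PID {0} : {1}" -f $p.Id, $path)
        # 2. Equivalent of End Process / End Task.
        Stop-Process -Id $p.Id -Force
    }
    Start-Sleep -Seconds 2

    # 3. Re-check, the scripted equivalent of closing and reopening Task Manager.
    if (Get-Process -Name $malwareName -ErrorAction SilentlyContinue) {
        Write-Warning "$malwareName.exe is still running (respawned or protected)."
    } else {
        Write-Output "$malwareName.exe terminated."
    }
}

# 4. Ending the process does not remove persistence. Report (do not delete)
#    autorun values that reference the file so they can be reviewed and cleaned.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Value -is [string] -and $prop.Value -match 'winslogon\.exe') {
            Write-Output ("Autorun entry in {0}: {1} = {2}" -f $key, $prop.Name, $prop.Value)
        }
    }
}
```

If the re-check still shows the process, a second copy or a watchdog restarted it; in that case stop all instances together (the loop above already iterates every match) and remove the reported autorun entries and the file itself before rebooting, otherwise the worm returns at the next logon.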