This worm spreads by dropping a copy of itself in a list of accessible network shares. If the said network shares are password-protected, it then uses a hardcoded list of user names and passwords to gain access.

It also opens random ports and connects to an Internet Relay Chat (IRC) server, where it awaits for commands from a remote malicious user. It then executes the said commands locally on affected machines.

It also steals various CD keys of popular games installed on affected machines and user login accounts from Paypal, Hotmail and FlashFXP.

It attempts to steal user login accounts of various applications and the CD key of the online game, World of Warcraft. TREND MICRO - Security Information: WORM_SPYBOT.AKL

Linked by shanmuga Sunday, 23rd October 2005 9:46PM