
Sophos warns about Raleka worm

Sophos has issued a warning about a new worm. The Raleka worm appears in various guises and uses the Microsoft DCOM RPC vulnerability to propagate across a network.

According to Sophos, the worm will attempt to connect to vulnerable computers and upload and execute the following files:
svchost.exe, ntrootkit.exe, ntrootkit.reg and service.exe
Svchost.exe is a copy of the worm itself.
Ntrootkit.exe is a copy of the backdoor Trojan Troj/RtKit-11.
Ntrootkit.reg is a file used to run Troj/RtKit-11 on Windows XP systems.
Service.exe is a legitimate utility.

The worm will attempt to download and install the Microsoft patch for the DCOM RPC vulnerability.

Raleka includes backdoor functionality. The worm will attempt to contact IRC servers and await instructions from a remote attacker.

For more details visit www.sophos.com/virusinfo/analyses/w32ralekab.html

Date: 2nd September 2003 • Region: Worldwide • Type: Article • Topic: Warnings



Copyright 2003 Portal Publishing Ltd