Discovered: March 10, 2003
Updated: February 13, 2007 11:43:57 AM
Also Known As: W32/Deborm.worm [McAfee], Worm.Win32.Deborm.q [KAV], Worm.Win32.Deborm.r [KAV], TROJ_DROPPERFL.A [Trend], W32/Deborm-Q [Sophos], W32/Deborm-R [Sophos], Win32.Deborm.Q [CA], Win32.Deborm.R [Sophos], Win32.Deborm.S [Sophos]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
W32.HLLW.Nebiwo is a worm that attempts to connect to your computer using TCP port 445. If successful, the worm copies itself to a set of paths that are hard-coded into the worm, so that it runs when you start Windows.
W32.HLLW.Nebiwo also drops Trojan Horses, such as
Backdoor.Sdbot,
Backdoor.Litmus (2), and
Trojan.KillAV.
The worm is written in Microsoft Visual C++ and is packed with UPX or ASPack.
NOTE: Virus definitions dated April 15, 2003 and later contain an updated W32.HLLW.Nebiwo detection.
Protection
-
Initial Rapid Release version March 10, 2003
-
Latest Rapid Release version March 3, 2008 revision 035
-
Initial Daily Certified version March 10, 2003
-
Latest Daily Certified version June 17, 2008 revision 017
-
Initial Weekly Certified release date March 12, 2003
Click for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat Assessment
Wild
-
Wild Level: Medium
-
Number of Infections: 50 - 999
-
Number of Sites: More than 10
-
Geographical Distribution: Low
-
Threat Containment: Easy
-
Removal: Moderate
Damage
Distribution
-
Distribution Level: Medium
Writeup By: Kaoru Hayashi
