W32/Reatle@MM Worms - Medium Risk by F-Secure
This detection is for several variants of a mass-mailing worm written in MSVC, and packed with MEW. The worm bears the following characteristics:
1. Contains its own SMTP engine for mailing itself; outgoing messages have a spoofed From: address
2. Attempts to propagate to remote machines via two old exploits:
MS03-026 - DCom RPC
MS04-011 - LSASS
3. Attempts to download 2 other binaries. At the time of writing these are detected as W32/Generic.m and W32/Sdbot.worm.gen.bj with the specified DATs. The worm attempts to download a binary via a URL hardcoded in its body.
4. In addition, the worm opens a backdoor on TCP port 8885.
5. Administrators should block access to the following domain ... Please do not go to this malicious site:
h t t p : / / j 0 r . b i z
6. Attachment names in the EMAIL message
The attachment is a copy of the worm, with one of the following filenames:
payment.doc (many spaces) .scr
about.doc (many spaces) .bat
help.doc (many spaces) .exe
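As an added example (not part of the advisory), a Python check that flags attachment names of the padded double-extension form listed above, run over a constructed sample message; the names EXEC_EXTS, DECOY_EXTS, classify_attachment and flag_message are chosen here, not taken from the advisory.

```python
import email
import re

# Real executable extensions carried by the W32/Reatle@MM attachments.
EXEC_EXTS = {"scr", "bat", "exe"}
# Extension the padded name pretends to have.
DECOY_EXTS = {"doc"}
# <stem>.<decoy ext><run of 2+ spaces>.<real ext>, e.g. "payment.doc        .scr"
_PADDED = re.compile(r"^(?P<stem>\S+)\.(?P<decoy>\w+)(?P<pad> {2,})\.(?P<real>\w+)$")


def classify_attachment(name):
    """Describe a Reatle-style padded double extension in `name`, or return None."""
    m = _PADDED.match(name)
    if not m:
        return None
    decoy, real = m.group("decoy").lower(), m.group("real").lower()
    if decoy not in DECOY_EXTS or real not in EXEC_EXTS:
        return None
    return {"stem": m.group("stem"), "decoy_ext": decoy,
            "real_ext": real, "padding": len(m.group("pad"))}


def flag_message(raw_message):
    """Parse one raw RFC 822 message and return attachment names that match."""
    msg = email.message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and classify_attachment(name):
            hits.append(name)
    return hits


# Constructed sample message (not a real capture) carrying one padded attachment.
PADDED_NAME = "payment.doc" + " " * 40 + ".scr"
SAMPLE_MESSAGE = (
    "From: someone@example.invalid\r\n"  # the worm spoofs this header
    "Subject: payment\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="XX"\r\n'
    "\r\n--XX\r\n"
    "Content-Type: text/plain\r\n\r\nSee attached.\r\n"
    "--XX\r\n"
    f'Content-Type: application/octet-stream; name="{PADDED_NAME}"\r\n'
    f'Content-Disposition: attachment; filename="{PADDED_NAME}"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n"
    "--XX--\r\n"
)
```

The regex requires at least two spaces between the decoy and real extensions, so ordinary names such as `invoice.doc` or `setup.exe` are not flagged.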