mwblog.org



Worm Win32 Zhelatin.a



1. Summary:

Zhelatin is a Windows worm that spreads through e-mail. It harvests all e-mail addresses from the victim's computer and infects all *.exe and *.scr files found on the local drives.

Aliases:
CA: Win32/Luder.L
Kaspersky: Trojan-Proxy.Win32.Lager.dp
McAfee: Downloader-BAI.gen
Sophos: Mal/HckPk-A
Symantec: Trojan.Peacomm


2. Detailed description:

After execution, Zhelatin creates the following files in the Windows system directory:
%SYSTEM%\alsys.exe (body of the worm)
%SYSTEM%\wincom32.ini
%SYSTEM%\wincom32.sys

The "alsys.exe" file has the "hidden" attribute set, so the user won't see it.

The worm adds these values under the Run keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] “Agent” = “%SYSTEM%\alsys.exe”

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] “Agent” = “%SYSTEM%\alsys.exe”

This ensures it is executed at startup.

It also disables the Windows Firewall (the "Windows Firewall/Internet Connection Sharing" service, SharedAccess) by changing the service's Start value (4 = disabled):

[HKLM\System\CurrentControlSet\Services\SharedAccess] "Start" = ""

[HKLM\System\ControlSet001\Services\SharedAccess] "Start" = "4"

Zhelatin creates a mutex named "klllekkdkkd" to prevent itself from running more than once. If the mutex already exists when it starts, it terminates.

Every 4 seconds Zhelatin also searches for windows whose title contains one of the following strings:

anti
avg
avp
blackice
firewall
f-pro
hijack
lockdown
mcafee
msconfig
nav
nod32
rav
regedit
spybot
taskmgr
troja
viru
vsmon
zonea

If such a window is found, it immediately terminates that application.

Zhelatin infects all files with the extension *.exe or *.scr found on the local drives.

Before infecting a file it checks several conditions; one of them is whether there is free space between the sections (a cavity) where the infecting code can be inserted without growing the file.

If the worm finds a suitable file in a directory, it creates a file with a random 8-character (a-z) name and the extension ".t" (e.g. "gheuhsna.t"). This file has the hidden attribute set, so it is not displayed.

It then writes a short piece of code from the *.t file into the target *.exe or *.scr file. This code is meant to launch the body of the worm.

To avoid infecting the same file more than once, it marks the file header with the string "666".
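The cavity check and the header marker described above can both be recognised with a small section-table parser. The following Python is an added example, not the worm's code or code from this page: it walks the PE section table, reports gaps between one section's raw data and the next and alignment slack inside a section (both large enough to hold a loader stub), and looks for a "666" marker. Where exactly in the header Zhelatin writes the marker the write-up does not say; searching the bytes before the PE signature is this example's assumption. build_test_pe constructs a synthetic, non-runnable PE32 layout purely so the scanner has input.

```python
import struct

SECTION_HEADER_SIZE = 40


def parse_sections(data: bytes):
    """Return [(name, raw_ptr, raw_size, virt_size), ...] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        virt_size, _virt_addr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, raw_ptr, raw_size, virt_size))
    return sections


def find_cavities(data: bytes, min_size: int = 64):
    """Places where an infector can drop code without changing the file size: alignment
    padding inside a section (raw size > virtual size) and the gap between one section's
    raw data and the start of the next. Returns [(label, file_offset, size)]."""
    secs = sorted([s for s in parse_sections(data) if s[2] > 0], key=lambda s: s[1])
    cavities = []
    for i, (name, raw_ptr, raw_size, virt_size) in enumerate(secs):
        if raw_size > virt_size and raw_size - virt_size >= min_size:
            cavities.append((f"{name} slack", raw_ptr + virt_size, raw_size - virt_size))
        if i + 1 < len(secs):
            nxt_name, nxt_ptr = secs[i + 1][0], secs[i + 1][1]
            gap = nxt_ptr - (raw_ptr + raw_size)
            if gap >= min_size:
                cavities.append((f"{name}->{nxt_name} gap", raw_ptr + raw_size, gap))
    return cavities


def has_infection_marker(data: bytes, marker: bytes = b"666") -> bool:
    """ASSUMPTION: the write-up only says 'the header' is marked; this looks for the
    marker anywhere in the DOS header and stub, i.e. before the PE signature."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return marker in data[:e_lfanew]


def build_test_pe(section_specs, dos_stub: bytes = b"") -> bytes:
    """Constructed sample: a minimal PE32 layout (not executable) with the given sections
    as (name, raw_ptr, raw_size, virt_size); dos_stub is placed right after the DOS header."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ") + bytes(0x3A) + struct.pack("<I", e_lfanew)   # 0x40-byte DOS header
    dos += dos_stub.ljust(e_lfanew - 0x40, b"\0")[: e_lfanew - 0x40]
    opt_size = 224                                                          # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    table = b""
    for name, raw_ptr, raw_size, virt_size in section_specs:
        table += name.ljust(8, b"\0")[:8] + struct.pack(
            "<IIIIIIHHI", virt_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    image = bytearray(max(len(header), max(p + s for _, p, s, _ in section_specs)))
    image[: len(header)] = header
    return bytes(image)


# .text has 0xB0 bytes of alignment slack and a 0x200-byte gap before .data (constructed).
SAMPLE_SECTIONS = [(b".text", 0x200, 0x400, 0x350), (b".data", 0x800, 0x200, 0x200)]

if __name__ == "__main__":
    clean = build_test_pe(SAMPLE_SECTIONS)
    for label, off, size in find_cavities(clean):
        print(f"{label:20} offset=0x{off:x} size={size}")
    print("marked:", has_infection_marker(build_test_pe(SAMPLE_SECTIONS, b"666")))
```

On a real machine you would run find_cavities over every *.exe and *.scr the worm could reach; files with no cavity large enough are the ones such an infector skips, which is exactly the "condition" the write-up mentions.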


3. Infection by email:

Zhelatin spreads by sending an infected attachment to all addresses found on the infected computer. Unusually, it connects directly to the recipient's SMTP server, determined from the domain part of the harvested address, rather than relaying through the victim's mail server.

Since the e-mails use a vast number of subject variations, only a selection is listed here:

5 Reasons I Love You
A Kiss for You
A Song to You
Against All Odds
All For You
Between Us
Dancing With You
Dinner Coupon
Dream Girl
Falling In Love with You
For You....My Love
Heart is Breaking
Hey Cutie
I Am Lost In You
I Dream of you
I Give to You
I Love You Soo Much
I Think of You
Just You & Me
Love You Deeply
Memories
Miracle of Love
Most Beautiful Girl
My Invitation
Our Love
Our Wedding Day
Sending Kiss
Thanks...Love
Thinking about you
Waiting for You
Want to Meet?
Will You?
You + Me
You and I
You Rock Me!
You're My Hero

The attachment name is taken from this list:

flash postcard.exe
greeting card.exe
greeting postcard.exe
postcard.exe

4. Cleaning:

- Reboot the PC into safe mode.
- If you find the process "alsys.exe" (the body of the worm) running, kill it.
- Delete these files if they exist:
%SYSTEM%\alsys.exe
%SYSTEM%\wincom32.ini
%SYSTEM%\wincom32.sys

- Delete the following values:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "Agent" = "%System%\alsys.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "Agent" = "%System%\alsys.exe"

- Reboot the PC into normal mode.

0 writebacks [04/19/2007 05:38] [] permanent link



Worm Win32 HLLM Graz



1. Summary:

Graz is a worm that spreads through infected e-mail, peer-to-peer (P2P) clients and the ICQ protocol.

2. Detailed description:

After execution, the worm Graz copies itself into the system directory under the following names:

%SYSTEM%\ms[2 random characters].exe
%SYSTEM%\ms[2 random characters]32.dll

The DLL is registered under the key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

It then starts sniffing traffic on the ports used by the following protocols:

telnet
smtp
pop3
ftp
icq
irc
and steals passwords. It uses these passwords first of all to spread (e.g. by sending infected ICQ messages, infecting FTP accounts, etc.).

The Graz worm tries to defend itself by blocking access to certain security-related web sites. The complete list is very long, so only some of the matched strings are given here:

adware
alwil
avast
avp
bitdefender
ca.com
drweb
eset
gdata.de
grisoft
kasper
lavasoft
mcafee
messagel
microsoft
msn
norton
quickhea
secu
skynet
sophos
spy
symantec
tds3
trendmicro
update
virdet
webroot

It also searches for, terminates and erases running security-related processes and services such as:

avgcc
ca
fw
ipatrol
jammer
kavpf
keypatrol
looknstop
netlimiter
opf
smc
sndsrvc
symlcsvc
vsmon
xeon
xfilter
zapro
zonealarm

Right after it finds and terminates such a process, it also removes its registry entry and its file.

The worm also installs an HTTP server on the victim's computer that serves the body of the worm (as a *.hta or *.zip file) on demand, e.g. for the URL sent in an ICQ message.

The Graz worm uses in-memory rootkit techniques and is therefore not visible using standard tools.

3. Spreading by e-mail:

As mentioned, Graz spreads through e-mail with an infected attachment. The message looks like this:

You have received Protected Mail from MSN.com user.
This message is addressed personally for you.


To decrypt your message use the following details:
ID: 25747
Password: qeopgelhk

Keep your password in a safe place and under no circumstances give it to ANYONE.

Protected Mail and instruction is attached.
Best Regards,

Protected Mail System,
MSN.com

The attachment is named one of:

msg.zip
message.zip
data.zip
mail.zip

This archive is password-protected; the password is given in the body of the message. Once unpacked, the archive contains just one file, the body of the worm. The file name is generated from two parts and is meant to sound plausible:

1st part:

Encrypted
Extended
Protected
Secure

2nd part:

E-Mail
Mail
Message
Html

The file has an *.hta extension, so the resulting name looks like:

Encrypted Message.hta
Protected E-Mail.hta

4. Spreading via the ICQ protocol:

Graz sniffs traffic and gathers user numbers (UINs) and ICQ account passwords. It then downloads the contact list of the stolen account and sends a message to all contacts. The message might look like:

PopCap deluxe games absolutely free
you like PopCap deluxe games?Play them free and no limited PopCap deluxe games without limit
I see your drive C:
you a hacked, look!
this is your local drives?not a joke:))

It then offers a link to a page where a universal PopCap game key is supposedly published.

5. Spreading by peer-to-peer networks:

Graz searches the local hard drives for folders whose name contains:

download
incom
share
upload

It then copies itself there as a ZIP archive. The file names look like:

3dsmax_9_(3D_Studio_Max).zip
ACDSee_9.zip
Adobe_Photoshop_10_(CS3) .zip
Adobe_Premiere_9_(2.0_pro) .zip
Ahead_Nero_8.zip
DivX_7.0.zip
ICQ_2006.zip
Internet_Explorer_7.zip
Kazaa_4.zip
Longhorn .zip
Microsoft_Office_2006.zip
winamp_5.2.zip

6. Cleaning:

This is not a simple infection, so I recommend using your preferred antivirus solution.




Worm Win32 Kapucen.b



1. Summary:

Kapucen.b is a 106 kB worm that spreads using peer-to-peer (P2P) networks.

Aliases:

eTrust: Win32.Puce.A
Kaspersky: Win32.HLLP.Rile.a
McAfee: W32/Puce

2. Detailed description:

After execution, the worm Kapucen.b copies itself into the temporary directory (TEMP) as:

%TEMP%\svchost.exe

It creates a value called "WindowsServicesStartup" in the "Run" registry key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsServicesStartup" = "%TEMP%\svchost.exe 1"

The worm Kapucen.b creates a "log.txt" file in the current directory with the text:

PRE-INSTALL v1.07 (C) pUcE Software 2006 Pre-install has checked your config. Everything is ok, you can now run the setup program Enjoy!

and opens the file in Notepad.

3. Spreading by peer-to-peer networks:

The worm Kapucen.b searches the hard drives C, D and E for the folders:

Archivos de programa\emule\incoming
Download
Incoming
My Downloads
My Shared Folder
Program Files\appleJuice\incoming
Program Files\BearShare\Shared
Program Files\Edonkey2000\Incoming
Program Files\emule\incoming
Program Files\Gnucleus\Downloads
Program Files\Grokster\My Grokster
Program Files\ICQ\shared files
Program Files\KaZaA Lite\My Shared Folder
Program Files\Kazaa Lite K++\My Shared Folder
Program Files\KaZaA\My Shared Folder
Program Files\KMD\My Shared Folder
Program Files\LimeWire\Shared
Program Files\Morpheus\My Shared Folder
Program Files\Overnet\incoming
Program Files\Rapigator\Share
Program Files\Shareaza\Downloads
Program Files\Swaptor\Download
Program Files\Tesla\Files
Program Files\WinMX\My Shared Folder
Program Files\XoloX\Downloads
Téléchargement

and hard drives F and G for the folder:

Incoming

It appends its body to all RAR and ZIP archives in the listed folders, as a member named one of:

Install.exe
_Run_Me_First.exe
Setup.exe

It also copies these infected archives into other folders on the local computer under a name suggesting some kind of update or fix:

"[name of the infected archive] updated-fixed [month and year]-[day]" with a RAR or ZIP extension.

Example:
my_documents updated-fixed 10-25.zip

4. Cleaning:

- Reboot the PC into safe mode.
- Delete the "WindowsServicesStartup" value from the registry key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsServicesStartup" = "%TEMP%\svchost.exe 1"

- Delete the file:
%TEMP%\svchost.exe

- Reboot the computer back into the normal mode.

- Update your antivirus software and run a thorough scan. Also make sure the antivirus is configured to scan inside RAR and ZIP archives, otherwise the infected archives will be missed.




Worm Win32 Naith



1. Summary:

Naith is a worm that spreads through e-mail, ICQ, mIRC and P2P networks.
It is capable of searching for passwords on infected computers, which are sent to a Russian e-mail address. It terminates security-related applications (antivirus, firewall, etc.).

Aliases:

ClamAV: Worm.Avron.A
Eset: Win32/Lirva
Kaspersky Lab: Email-Worm.Win32.Avron.a
McAfee: W32/Lirva.gen@MM
Sophos: W32/Avril-C
Symantec: W32.Lirva.A@mm

2. Detailed description:

After execution, the worm Naith copies itself into the Windows system directory under a random name.

It then adds a value to the "Run" registry key in order to execute at system startup.

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Avril Lavigne - Muse" = "[random file name].exe"

It adds a line to the "autoexec.bat" file holding the full path to the infected file. This is a second mechanism to ensure it runs at startup.

It creates a file "avril-ii.inf" in the temporary directory.

It also creates the following registry keys:

[HKLM\Software\OvG]
"Avril Lavigne"="Done"

[HKLM\Software\OvG\Avril Lavigne]
"PSW-Trojan"="1"

These keys serve as a flag that the computer has already been infected.

On certain days of the month (depending on the variant of the virus; e.g. for variant V it is the 7th, 11th and 24th) it opens Internet Explorer with an Avril Lavigne page. This page displays coloured ellipses together with the text:

AVRIL_LAVIGNE_LET_GO - MY_MUSE:) 2002 (c) Otto von Gutenberg

3. Spreading by e-mail:

The worm Naith spreads mainly through e-mail. It searches for e-mail addresses on the local computer in files with the following extensions:

*.DBX
*.EML
*.HTM
*.HTML
*.IDX
*.MBX
*.NCH
*.SHTML
*.TBB
*.WAB

The subject of the infected e-mail is chosen from this list:

Fw: Avril Lavigne - the best
Fw: Prohibited customers...
Fwd: Re: Admission procedure
Fwd: Re: Reply on account for Incorrect MIME-header
Re: According to Daos Summit
Re: ACTR/ACCELS Transcriptions
Re: Brigade Ocho Free membership
Re: Reply on account for IFRAME-Security breach
Re: Reply on account for IIS-Security
Re: The real estate plunger

The body of the message is one of these three options:

Avril fans subscription FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Vote for I'm with you!

Admission form attached below
Restricted area response team (RART) Attachment you sent to is intended to overwrite start address at 0000:HH4F

To prevent from the further buffer overflow attacks apply the MSO-patch
Microsoft has identified a security vulnerability in Microsoft® IIS 4.0 and 5.0 that is eliminated by a previously-released patch. Customers who have applied that patch are already protected and do not need to take additional action. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so to apply the patch immediately.
Patch is also provided to subscribed list of Microsoft®Tech Support

The name of the infected attachment is one of:

AvrilLavigne.exe
AvrilSmiles.exe
CERT-Vuln-Info.exe
Cogito_Ergo_Sum.exe
Complicated.exe
Download.exe
IAmWiThYoU.exe
MSO-Patch-0035.exe
MSO-Patch-0071.exe
Readme.exe
Resume.exe
Singles.exe
Sk8erBoi.exe
Sophos.exe
Transcripts.exe
Two-Up-Secretly.exe

Naith also exploits security holes in Microsoft Internet Explorer, Outlook and Outlook Express. These allow the worm to run the attachment without the user launching the file manually.

Apart from e-mail, it also spreads using mIRC and ICQ.

4. Spreading by peer-to-peer networks:

The worm tries to spread through peer-to-peer (P2P) networks, especially KaZaA, by copying itself into the shared folder.

5. Cleaning:

- Reboot the PC into the safe mode.
- Delete the following registry keys and their values:

[HKLM\Software\OvG]
[HKLM\Software\OvG\Avril Lavigne]

In the Run registry key, look for the random name of the infected file. The file name is the data of the value "Avril Lavigne - Muse":

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Avril Lavigne - Muse" = "[random generated file name].exe"

- Delete the file referenced by that value.

- Delete this registry value:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Avril Lavigne - Muse" = "[random generated file name].exe"

- Reboot the computer back into the normal mode.




Virus Win32 HLLP Sibll



1. Summary:

Sibll is a prepending virus that infects executable files (*.exe) and is also able to spread through mapped network drives.

2. Detailed description:

After execution, the Sibll virus creates two files in the Windows directory:

%WINDOWS%\ati3evx.exe
%WINDOWS%\system32.vxd.dat

The file "ati3evx.exe" has the "hidden" and "system" attributes set, so by default it is not displayed.
The file "system32.vxd.dat" contains a list of all executable files found on the local and network drives. Once all the listed files have been infected, the "system32.vxd.dat" file is removed.

As Sibll is a prepending virus, it places its body in front of the original file. This way it executes first and then runs the original program.

Sibll avoids the C:\ drive, because this is the default Windows installation drive. It also inserts a visible chunk of text, "Bills", into all infected files.

Sibll marks already-searched drives by creating a "_dektop.ini" file with the "hidden" and "system" attributes set.

To run at system startup, Sibll creates these registry values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
" logo1_.exe " = "%WINDOWS%\ati3evx.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" logo1_.exe " = "%WINDOWS%\ati3evx.exe"

3. Spreading via mapped network drives:

The Sibll virus is designed to spread through network drives, and it also creates these files in the root of all drives (local/removable/network):

autorun.inf
pif.exe

The "autorun.inf" file launches "pif.exe".

The "pif.exe" file is the body of the virus. It also has the "hidden" and "system" attributes set.

4. Cleaning:

- Reboot the PC into the safe mode.
- Remove the "logo1_.exe" entry from the registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
" logo1_.exe " = "%WINDOWS%\ati3evx.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" logo1_.exe " = "%WINDOWS%\ati3evx.exe"

- Delete the following files:
%WINDOWS%\ati3evx.exe
%WINDOWS%\system32.vxd.dat

- Remove the following files from the root directory of all drives (D:\, E:\ ... Z:\):

autorun.inf
pif.exe

- Reboot the computer back into the normal mode.
- As Sibll infects all executables, a complete antivirus scan is advisable. Removing the prepended virus part of an executable by hand may damage the file.




Worm.Win32.Brontok.q



1. Summary:

Worm.Win32.Brontok.q is a Windows worm that spreads by e-mail and through shared folders.

Aliases:

AntiVir: Worm/Brontok.a
Authentium: W32/Brontok.AD@mm
Avast: Win32:Brontok-AA
AVG: I-Worm/Brontok.EE
BitDefender: Win32.Brontok.AO@mm
CAT-QuickHeal: I-Worm.Brontok.q
ClamAV: Worm.Brontok.AF
DrWeb: BackDoor.Generic.1138
eSafe: Win32.Brontok.q
eTrust-InoculateIT: Win32/Robknot.2he!Worm
eTrust-Vet: Win32/Robknot.AD
Ewido: Worm.Brontok.a
Fortinet: W32/Brontok.A@mm
F-Prot: W32/Brontok.AD@mm
Ikarus: Email-Worm.Win32.Brontok.A
Kaspersky: Email-Worm.Win32.Brontok.q
McAfee: W32/Rontokbro.gen@MM
Microsoft: Win32/Brontok.L@mm
NOD32: Win32/Brontok.T
Norman: W32/Rontokbro.AP@mm
Panda: W32/Brontok.C.worm
Sophos: W32/Brontok-BZ
TheHacker: W32/Rontokbro@MM
UNA: I-Worm.Brontok.a
VBA32: Email-Worm.Win32.Brontok.q
VirusBuster: I-Worm.Brontok.CU


File size: the worm body is 42,065 bytes (in this case equal to the file size, because the whole file is the worm body).

2. Detailed description:

When the worm is launched for the first time, it opens the "My Pictures" folder in a Windows Explorer window.

During installation the worm copies itself to the following locations:
%STARTUP%\Empty.pif
%USERPROFILE%\%AUTORUN%\Empty.pif
%USERPROFILE%\Local Settings\Application Data\smss.exe
%USERPROFILE%\Local Settings\Application Data\services.exe
%USERPROFILE%\Local Settings\Application Data\lsass.exe
%USERPROFILE%\Local Settings\Application Data\inetinfo.exe
%USERPROFILE%\Local Settings\Application Data\csrss.exe
%USERPROFILE%\Local Settings\Application Data\winlogon.exe
%USERPROFILE%\Local Settings\Application Data\svchost.exe
%USERPROFILE%\Templates\WowTumpeh.com
%USERPROFILE%\Templates\[random number]-NendangBro.com
%WINDIR%\eksplorasi.exe
%WINDIR%\ShellNew\bronstab.exe
%WINDIR%\ShellNew\bbm- [random symbols].exe
%WINDIR%\system32\%USERNAME%s Setting.scr
%WINDIR%\sembako[random symbols].exe
%SYSTEM%\dxblbo.exe
%SYSTEM%\cmd-bro-[random symbols].exe
%SYSTEM%\%USERNAME%’s Settings.scr
%MYPICTURES%\Mypictures.exe

It searches the disk for the following directories and copies the worm body into them:

My Documents
My Music
My Pictures
My Ebooks
My Shapes
My Video
My Data Sources


The file name is copied from another file found in the directory, with an extra ".exe" extension appended (for example, if a directory contains notepad.exe, the infected file is named notepad.exe.exe).


When copying succeeds, the worm registers itself to launch automatically using the following registry entries:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "Bron-Spizaetus-[random symbols]"="%WINDIR%\ShellNew\bbm-[random symbols].exe"
or
"Bron-Spizaetus" = "%WINDIR%\ShellNew\bronstab.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "Tok-Cirrhatus-[random number]"="%USERPROFILE%\Local Settings\Application Data\br[random number]on .exe"
or
"Tok-Cirrhatus" = "%userprofile%\Local Settings\Application Data\smss.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell"="Explorer.exe "%WINDIR%\sembako-[random symbols].exe""
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell] "Explorer.exe" = "%WINDIR%\eksplorasi.exe"
[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot] "AlternateShell"="cmd-bro-[random symbols].exe"

The worm also restricts the registry editor (regedit.exe) and the command prompt, and hides hidden files and file extensions in Explorer, by setting the following values:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System] "DisableRegistryTools" = 1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System] "NoFolderOptions" = 1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\Explorer] "DisableCMD" = 0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced] "Hidden" = 0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced] "ShowSuperHidden" = 0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced] "HideFileExt" = 1


Once the worm is installed successfully, it creates a file "sistem.sys" in the Windows system32 directory.
This file contains an infection mark (date and time of the worm installation on the victim's machine) in the format:
month:day:hour:minute (example: 08251405)

The worm creates a scheduled task that starts the following file every day:
%USERPROFILE%\Templates\WowTumpeh.com
It also replaces the hosts file with a copy downloaded from the Internet.
The file is stored at:
%WINDIR%\System32\drivers\etc\hosts

With this step the worm blocks access to certain Internet servers.
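Brontok's replaced hosts file, and the blocking of security-vendor sites that the Graz write-up above describes, are both something an incident responder can audit offline from a copy of %WINDIR%\System32\drivers\etc\hosts. The following Python is an added example, not code from this page or from either worm: it parses a hosts file, flags every mapping whose host name contains one of the vendor strings taken from the Graz list, distinguishes plain sinkholing (127.0.0.1 / 0.0.0.0) from redirection to another address, and produces a cleaned copy. Whether Graz itself uses the hosts file or some other mechanism the write-up does not say; that is this example's assumption. The sample hosts content is constructed for the example.

```python
import ipaddress

# Substrings from the Graz block list on this page (the page notes the real list is longer).
BLOCKED_HINTS = ("alwil", "avast", "avp", "bitdefender", "ca.com", "drweb", "eset", "gdata.de",
                 "grisoft", "kasper", "lavasoft", "mcafee", "microsoft", "norton", "sophos",
                 "symantec", "trendmicro", "update", "webroot")
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample hosts file (not taken from an infected machine).
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "127.0.0.1       www.symantec.com\n"
    "127.0.0.1       update.microsoft.com   # blocks Windows Update\n"
    "0.0.0.0         downloads.grisoft.com\n"
    "10.9.8.7        www.kaspersky.com      # sent to a host the attacker controls\n"
    "192.168.1.5     intranet.example       # legitimate local entry\n"
)


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; comments and junk lines are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield n, fields[0], host.lower()


def suspicious_entries(text):
    """Entries that point a security-vendor or update host anywhere at all. A loopback or
    0.0.0.0 target is a plain block; any other address means the traffic is being redirected."""
    findings = []
    for n, ip, host in parse_hosts(text):
        if "localhost" in host:
            continue
        if any(hint in host for hint in BLOCKED_HINTS):
            findings.append({"line": n, "ip": ip, "host": host, "sinkholed": ip in SINKHOLE_IPS})
    return findings


def strip_suspicious(text):
    """Return the hosts file with the flagged lines removed (keep the original as evidence)."""
    bad = {f["line"] for f in suspicious_entries(text)}
    return "\n".join(l for n, l in enumerate(text.splitlines(), 1) if n not in bad) + "\n"


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        state = "blocked" if f["sinkholed"] else "REDIRECTED"
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({state})")
```

A redirected entry (the kaspersky.com line in the sample) deserves more attention than a sinkholed one: besides blocking updates, it hands any request for that vendor's site to a host the attacker controls.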

The worm also tries to delete the following files:
jangan dibuka.exe
kangen.exe
untukmu.exe
folder.htt
IDTemplate.exe
myheart.exe
my heart.exe
%USERPROFILE%\Templates\bararontok.com
%USERPROFILE%\Templates\A.kotnorB.com
%WINDIR%\eksplorasi.pif
%WINDIR%\system32\3D Animation.scr
%WINDIR%\ShellNew\Elnorb.exe


3. Infection by e-mail:

The worm searches the local computer for e-mail addresses in files with the following extensions:
ASP
CFM
CSV
DOC
EML
HTM
HTML
PHP
TXT
WAB

Harvested e-mail addresses are saved to the file %APPDATA%\Loc.Mail.Bron.Tok with an .ini extension. Copies of all sent e-mails are stored in another directory named Ok-SendMail-Bron-rok.

To send the infected e-mails the worm uses its own SMTP engine.

The sender address is selected from the following fake addresses:

Berita__XX@kafegaul.com
GaulNew_XX@kafegaul.com
HotNews_XX@playboy.com
Movie_XX@playboy.com

The e-mail body depends on data downloaded from the Internet.

The file attached to the infected e-mails has one of these names:

ccapps.exe
jangan dibuka.exe
kangen.exe
my heart.exe
myheart.exe
syslove.exe
untukmu.exe
winword.exe

If the worm finds a window whose title contains one of the following strings, it reboots the computer:

..
.@
@.
.ASP
.EXE
.HTM
.JS
.PHP
ADMIN
ADOBE
AHNLAB
ALADDIN
ALERT
ALWIL
ANTIGEN
APACHE
APPLICATION
ARCHIEVE
ASDF
ASSOCIATE
AVAST
AVG
AVIRA
BILLING@
BLACK
BLAH
BLEEP
BUILDER
CANON
CENTER
CILLIN
CISCO
CMD.
CNET
COMMAND
COMMAND PROMPT
CONTOH
CONTROL
CRACK
DARK
DATA
DATABASE
DEMO
DETIK
DEVELOP
DOMAIN
DOWNLOAD
ESAFE
ESAVE
ESCAN
EXAMPLE
FEEDBACK
FIREWALL
FOO@
FUCK
FUJITSU
GATEWAY
GOOGLE
GRISOFT
GROUP
HACK
HAURI
HIDDEN
HP.
IBM.
INFO@
INTEL.
KOMPUTER
LINUX
LOG OFF WINDOWS
LOTUS
MACRO
MALWARE
MASTER
MCAFEE
MICRO
MICROSOFT
MOZILLA
MYSQL
NETSCAPE
NETWORK
NEWS
NOD32
NOKIA
NORMAN
NORTON
NOVELL
NVIDIA
OPERA
OVERTURE
PANDA
PATCH
POSTGRE
PROGRAM
PROLAND
PROMPT
PROTECT
PROXY
RECIPIENT
REGISTRY
RELAY
RESPONSE
ROBOT
SCAN
SCRIPT HOST
SEARCH R
SECURE
SECURITY
SEKUR
SENIOR
SERVER
SERVICE
SHUT DOWN
SIEMENS
SMTP
SOFT
SOME
SOPHOS
SOURCE
SPAM
SPERSKY
SUN.
SUPPORT
SYBARI
SYMANTEC
SYSTEM CONFIGURATION
TEST
TREND
TRUST
UPDATE
UTILITY
VAKSIN
VIRUS
W3.
WINDOWS SECURITY.VBS
WWW
XEROX
XXX
YOUR
ZDNET
ZEND
ZOMBIE


4. How to clean this worm:

We recommend disinfecting this worm with an antivirus product.

Manual disinfection is as follows:

4.1 Disable System Restore and reboot the computer into safe mode.
4.2 Delete the following files:
%STARTUP%\Empty.pif
%USERPROFILE%\%AUTORUN%\Empty.pif
%USERPROFILE%\Local Settings\Application Data\smss.exe
%USERPROFILE%\Local Settings\Application Data\services.exe
%USERPROFILE%\Local Settings\Application Data\lsass.exe
%USERPROFILE%\Local Settings\Application Data\inetinfo.exe
%USERPROFILE%\Local Settings\Application Data\csrss.exe
%USERPROFILE%\Local Settings\Application Data\winlogon.exe
%USERPROFILE%\Local Settings\Application Data\svchost.exe
%USERPROFILE%\Templates\WowTumpeh.com
%USERPROFILE%\Templates\[random number]-NendangBro.com
%WINDIR%\eksplorasi.exe
%WINDIR%\ShellNew\bronstab.exe
%WINDIR%\ShellNew\bbm- [random symbols].exe
%WINDIR%\system32\%USERNAME%s Setting.scr
%WINDIR%\sembako[random symbols].exe
%SYSTEM%\dxblbo.exe
%SYSTEM%\cmd-bro-[random symbols].exe
%SYSTEM%\%USERNAME%’s Settings.scr
%MYPICTURES%\Mypictures.exe


4.3 Delete the "Bron-Spizaetus-[random symbols]" (or "Bron-Spizaetus") value from
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
4.4 Delete the "Tok-Cirrhatus-[random number]" (or "Tok-Cirrhatus") value from
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
4.5 Delete the "Shell" value that contains the string "sembako" (or reset it to "Explorer.exe") in
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
4.6 Delete the "Explorer.exe" value from
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
4.7 Reset the "AlternateShell" value to its default "cmd.exe" (the worm replaced it; deleting it would leave Safe Mode with Command Prompt without a shell) in
[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
4.8 Set the "DisableRegistryTools" value to 0 in
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System]
4.9 Set the "NoFolderOptions" value to 0 in
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\Policies\System]
4.10 Set the "HideFileExt" value to 0 in
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced]
4.11 Reboot the cleaned computer into normal mode and re-enable System Restore.




Worm Win32 Warezov.jv



1. Summary:

Warezov.jv is a 101 kB worm that spreads through e-mail. It drops a 6 kB dynamic-link library. The worm terminates all running antivirus software and personal firewalls.

Aliases:

Kaspersky: Email-Worm.Win32.Warezov.jv

2. Detailed description:

After the first run, the worm copies its body as "tpup.exe" into the %WINDOWS% directory and then runs that file with the "s" parameter ("s" probably stands for "silent").

The dynamic library mentioned above is dropped into the %SYSTEM% directory as "e1.dll". This library contains the actual body of the worm.

It also creates the files "tpup.dat" and "tpup.s" in the %WINDOWS% directory.

The worm secures its execution at startup by adding a value to the "Run" registry key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “tpup“=“%WINDOWS%\tpup.exe s“

It also modifies the following value, which makes Windows load e1.dll into every process that loads user32.dll:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] “AppInit_DLLs“=“[name of a random library] e1.dll“

Warezov.jv constantly checks the running processes and, if it finds an antivirus or a personal firewall, terminates it on the spot.
It tries to hide itself by injecting its code into a randomly chosen process, which makes the worm considerably harder to pinpoint.

3. Infection by email:

This worm searches the Outlook address book and files on the hard drives for e-mail addresses. All of them are written to the file "%WINDOWS%\tpup.wax".

A trojan horse is sent to all the addresses found. This trojan downloads the worm from the Internet, which gives the author the ability to change the body of the worm at any time.

The e-mail message is written so as to make the recipient believe his computer has been infected. It ends by advising the user to install the attached program to get rid of the virus. A gullible user runs the attachment (the trojan) and the worm gets installed.

The trojan attachment usually has one of these names:
body
data
docs
document
file
message
readme
test
text
Update-KB[random numbers]-x86
with a *.zip or a *.doc.exe (double) extension.

The subject of the e-mail is one of the following:

Error
Good Day
hello
Mail Delivery System
Mail server report
Mail Transaction Failed
picture
Server Report
Status
test

and the body looks like:

Our firewall determined the e-mails containing worm copies are being sent from your computer. Nowadays it happens from many computers, because this is a new virus type (Network Worms). Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses Please install updates for worm elimination and your computer restoring. Best regards, Customers support service

4. How to clean this worm:

- Reboot the PC into the safe mode.
- Run Task Manager, look for the "tpup.exe" (worm) process and terminate it.
- Delete the following files:
%WINDOWS%\tpup.exe
%WINDOWS%\tpup.dat
%WINDOWS%\tpup.s
%WINDOWS%\tpup.wax
%SYSTEM%\e1.dll

- Delete the following registry values:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "tpup"="%WinDir%\tpup.exe s"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="[name of a random system library] e1.dll"

- Reboot the PC into the normal mode.
- Update your antivirus and run a complete scan.

If you do not have an antivirus, you can run the Kaspersky online virus scanner.




Worm Win32 Takeobel





1. Summary:

The Takeobel worm is 28 kB in size and spreads using mapped network drives.

2. Detailed description:

After execution, Takeobel creates the following files in the system directory:
%SYSTEM%\lgfxTray.exe
%WINDOWS%\System\lnks.exe

Takeobel then creates the following registry entries, which ensure its execution after every reboot of Windows:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lgfxTray" = "%SYSTEM%\lgfxTray.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe lnks.exe"

%SYSTEM% is the system directory, which varies between installations. For example, on Windows XP it is \WINDOWS\SYSTEM32\ and Windows 2000 uses \WINNT\SYSTEM32\.

The Takeobel worm tries to hide itself by changing the following registry values, which control how the system displays files:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowInfoTip" = "0"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"

Takeobel then searches the directories on local and mapped drives; whenever a directory contains a subdirectory, it copies itself next to that subdirectory under the subdirectory's name. For example, if Takeobel finds "C:\Downloads\My Music\", it copies itself there as "C:\Downloads\My Music.exe".

It sets the HIDDEN attribute on the subdirectory (in this case "My Music") so that the user sees only the executable and not the directory.

Takeobel also appends the extension ".ln3" to every Word document (*.doc), for example "holiday.doc.ln3".
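The three file-naming tricks described on this page, Kapucen.b's dropper executables appended to archives in P2P share folders, Brontok's doubled extension (notepad.exe.exe) and Takeobel's "<subdirectory>.exe" placed next to a hidden subdirectory of the same name, can all be hunted for with a filesystem walk. The following Python is an added example, not code from the worms or from this page: it builds a small constructed directory tree in a temporary folder and scans it. It only opens ZIP archives (the standard library has no RAR reader), the list of document extensions used for the double-extension check is this example's own choice, and the hidden-attribute check only yields a result on Windows.

```python
import os
import stat
import tempfile
import zipfile

DROPPER_NAMES = {"install.exe", "_run_me_first.exe", "setup.exe"}          # Kapucen.b member names
P2P_FOLDER_HINTS = ("download", "incom", "share", "upload", "my shared folder")
DOCUMENT_EXTS = {".doc", ".exe", ".jpg", ".txt", ".mp3", ".pdf"}            # assumption: inner extensions to flag


def is_hidden(path):
    """Windows 'hidden' attribute (the worms set it on the shadowed directory); False elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_tree(root):
    """Walk root and return [(kind, path, detail)] for the three naming patterns."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        by_lower = {f.lower(): f for f in filenames}
        in_share = any(h in dirpath.lower() for h in P2P_FOLDER_HINTS)
        for d in dirnames:                                  # Takeobel: "My Music" dir + "My Music.exe"
            twin = by_lower.get(d.lower() + ".exe")
            if twin:
                findings.append(("dir-shadow", os.path.join(dirpath, twin),
                                 f"shadowed dir hidden={is_hidden(os.path.join(dirpath, d))}"))
        for f in filenames:
            path = os.path.join(dirpath, f)
            stem, ext = os.path.splitext(f.lower())
            if ext == ".exe" and os.path.splitext(stem)[1] in DOCUMENT_EXTS:   # Brontok: x.doc.exe
                findings.append(("double-ext", path, "executable masquerading as a document"))
            if ext == ".zip" and in_share:                                     # Kapucen.b: dropper in archive
                try:
                    with zipfile.ZipFile(path) as zf:
                        members = {os.path.basename(m).lower() for m in zf.namelist()}
                except zipfile.BadZipFile:
                    continue
                hit = members & DROPPER_NAMES
                if hit:
                    findings.append(("archive-dropper", path, "contains " + ", ".join(sorted(hit))))
    return findings


def build_sample_tree(base):
    """Constructed sample tree (no real malware): a P2P share with a doctored archive and a
    My Documents folder showing the Takeobel and Brontok naming patterns."""
    share = os.path.join(base, "Program Files", "KaZaA", "My Shared Folder")
    os.makedirs(share)
    os.makedirs(os.path.join(base, "My Documents", "My Music"))
    with zipfile.ZipFile(os.path.join(share, "Ahead_Nero_8.zip"), "w") as zf:
        zf.writestr("Nero/readme.txt", "constructed sample")
        zf.writestr("_Run_Me_First.exe", "placeholder, not an executable")
    with zipfile.ZipFile(os.path.join(share, "clean.zip"), "w") as zf:
        zf.writestr("photo.jpg", "placeholder")
    for name in ("My Music.exe", "holiday.doc.exe", "holiday.doc"):
        with open(os.path.join(base, "My Documents", name), "wb") as fh:
            fh.write(b"placeholder")


def demo():
    """Build the sample tree in a fresh temp directory and scan it."""
    base = tempfile.mkdtemp(prefix="p2pscan-")
    build_sample_tree(base)
    return scan_tree(base)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:16} {path}  ({detail})")
```

Pointed at a real P2P share or user profile, scan_tree gives you the candidate files to quarantine before the antivirus scan; the archive check is the part most scanners skip unless archive scanning is switched on, as the Kapucen.b cleaning notes warn.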

3. Cleaning:

- Reboot the PC into safe mode.
- Delete the following registry entries:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lgfxTray" = "%SYSTEM%\lgfxTray.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe lnks.exe"

- Change the value "HideFileExt" in the following registry key from "1" to "0":

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

- Change the value "Hidden" in the following registry key from "2" to "0":

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

- Change the value „ShowInfoTip“ in the following registry key from „0“ to „1“:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowInfoTip" = "0"

- Change the value „NoFolderOptions“ in the following registry key from „1“ to „0“:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"

- Remove the following files:

%SYSTEM%\lgfxTray.exe
%WINDOWS%\System\lnks.exe

- Reboot computer into the Normal Mode.

- Update your antivirus and run a full scan. If you don't have an antivirus or don't know which one to use, use the Kaspersky online virus scanner:

http://www.kaspersky.com/virusscanner

0 writebacks [04/19/2007 05:38] [] permanent link



Worm - Win32 - Alanis - a



1. Summary:

Alanis.a is a 22 kB worm that spreads through infected email, peer-to-peer (P2P) networks, ICQ and floppy disks.

Aliases:

Eset: Win32/Sinala.A
Kaspersky: I-Worm.Alanis
McAfee: W32/Generic.worm!p2p
Sophos: W32/Alanis-A
Symantec: W32.HLLW.Sinala@mm

2. Detailed description:

After its first execution, the worm Alanis.a creates the following files in the Windows and system directories:

%SYSTEM%\cleanmgr.mcg
%SYSTEM%\freesoft.avi.scr
%SYSTEM%\kerneldll32.api
%WINDOWS%\molani.scr
%WINDOWS%\cleanmgr.mcg
%SYSTEM%\mope.scr

If the floppy drive contains a disk, it copies the following files into its root directory:

A:\axebah.exe
A:\badboysII.scr
A:\piratas.scr
A:\ring.exe

The worm Alanis.a also creates MIME-encoded HTML versions of its body:

C:\alanis.html
C:\avril.html
C:\evan.html
C:\nemo.html
C:\pamelaXXX.html

If Windows is a Spanish-language edition, it creates additional copies in „Mis Documentos“ (the Spanish „My Documents“):

C:\mis documentos\alanis.html
C:\mis documentos\avril.html
C:\mis documentos\evan.html
C:\mis documentos\nemo.html
C:\mis documentos\pamelaXXX.html

These files get the SYSTEM, READ-ONLY and HIDDEN attributes set, which hides the files.

As usual, it also creates a registry entry to make sure the worm is started at startup:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"w32alanis" = "mope.scr"

It disables the registry editors (regedit & regedt32) by creating the registry value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

It also registers a new extension *.mcg by adding the following keys to the registry:

[HKCR\.mcg]
"@"="mcgfile"

[HKCR\mcgfile]
"@"="clip de vídeo"
"NeverShowExt"=""

[HKLM\Software\CLASSES\.mcg]
@="mcgfile"

[HKLM\Software\CLASSES\mcgfile]
"@"="clip de vídeo"
"NeverShowExt"=""

[HKLM\Software\CLASSES\mcgfile\Shell\Open\Command]
"@"="\"%1\" %*"

[HKLM\Software\CLASSES\mcgfile\DefaultIcon]
"@"="C:\\ARCHIV~1\\REPROD~1\\wmplayer.exe,-120"

Afterwards it modifies the „system.ini“ file by adding a new shell line to the [boot] section:

shell= Explorer.exe C:\WINDOWS\Cleanmgr.mcg

The worm Alanis.a also creates a 1026-byte file named „tazmania.txt“ in the root of the C:\ drive:

C:\tazmania.txt

This file contains the email address of the worm's author and a piece of ASCII art:

demionklaz@hotmail.com
           ,   .-'"'=;_  ,
           |\.'-~`-.`-`;/|
           \.` '.'~-.` './
           (\`,__=-'__,'/)
        _.-'-.( d\_/b ).-'-._
      /'.-'   ' .---. '   '-.`\
    /'  .' (=    (_)    =) '.  `\
   /'  .',  `-.__.-.__.-'  ,'.  `\
  (     .'.   V       V  ; '.     )
  (    |::  `-,__.-.__,-'  ::|    )
  |   /|`:.               .:'|\   |
  |  / | `:.              :' |`\  |
  | |  (  :.             .:  )  | |
  | |   ( `:.            :' )   | |
  | |    \ :.           .: /    | |
  | |     \`:.         .:'/     | |
  ) (      `\`:.     .:'/'      ) (
  (  `)_     ) `:._.:' (     _(`  )
  \  ' _)  .'           `.  (_ `  /
   \  '_) /   .'"```"'.   \ (_`  /
    `'"`  \  (         )  /  `"'`
___        `.`.       .'.'        ___
.`   ``""" '''--`_)     (_'--'''"""``   `.
(_(_(___...--'" '`         `'"'--...___)_)_)
[DemionKlaz]..................[DK]


The worm Alanis.a displays a fake error popup to convince the user that the executed file is damaged. The error message is in Spanish and reads:

Error interno en la aplication íintente en algunos momentos!

3. Sending by email messages:

The email addresses get gathered from the „Microsoft Outlook Address Book“.

The subject of the infected email is chosen from the following list:

axebahia
hectlavo
trancebaile
teckno

The body of the email is always the same and is in Spanish:

hay te envio el video que me pediste ta buenazo este es el video verdad espero que sea de tu agrado espero que te guste a mi me gsuto :pel grupo esta buenazo muy buen video Baile paso a paso aprendera a bailar rapido Nuevos pasos viva la musica espero que te guste los nuevos pasos

The attachment always has the same name as well:

freesoft.avi.scr

4. Spreading by Peer-to-Peer networks:

The worm Alanis.a searches the disk for the following directories:

C:\archiv~1\Edonkey2000\incoming
C:\archiv~1\Grokster\My Grokster
C:\archiv~1\ICQ\shared files
C:\archiv~1\KaZaA\My Shared Folder
C:\archiv~1\KaZaA Lite\My Shared Folder
C:\archiv~1\Morpheus\My Shared Folder
C:\archiv~1\WinMX\My Shared Folder
C:\Program Files\Edonkey2000\incoming
C:\Program Files\Grokster\My Grokster
C:\Program Files\ICQ\shared files
C:\Program Files\KaZaA\My Shared Folder
C:\Program Files\KaZaA Lite\My Shared Folder
C:\Program Files\Morpheus\My Shared Folder
C:\Program Files\WinMX\My Shared Folder

If they exist, it copies itself into them under the names:

alanis morri.mcg
avril lavig.mcg
destino2.mcg
evange.mcg
metalica.mcg
ova13.mcg
ova4.mcg
paMXX.mcg
picsXXX.mcg
piratas.mcg
prin.mcg
ponw.mcg
saint.mcg
seaevil.mcg
termi.mcg

5. Cleaning:

- Reboot the PC into the safe mode.
- Delete the entry „w32alanis“ from the registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"w32alanis" = "mope.scr"

- Delete these registry keys:

[HKCR\.mcg]
[HKCR\mcgfile]
[HKLM\Software\CLASSES\.mcg]
[HKLM\Software\CLASSES\mcgfile]

- Change the entry „DisableRegistryTools“ from „1“ to its default „0“ to re-enable the registry tools:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]

- Delete the following files:

%SYSTEM%\cleanmgr.mcg
%SYSTEM%\freesoft.avi.scr
%SYSTEM%\kerneldll32.api
%WINDOWS%\molani.scr
%WINDOWS%\cleanmgr.mcg
%SYSTEM%\mope.scr

C:\alanis.html
C:\avril.html
C:\evan.html
C:\nemo.html
C:\pamelaXXX.html
C:\tazmania.txt

If you run a Spanish Windows version delete also these files:

C:\mis documentos\alanis.html
C:\mis documentos\avril.html
C:\mis documentos\evan.html
C:\mis documentos\nemo.html
C:\mis documentos\pamelaXXX.html

- In the „system.ini“ file remove this line:

shell= Explorer.exe C:\WINDOWS\Cleanmgr.mcg

- Reboot the computer back into the normal mode.




Worm Win32 Eliles



1. Summary:

Eliles is a worm spreading through email messages. It also drops the file „Alonso-F1.sis“, which contains the „SymbOS/CommWarrior“ worm intended for Nokia Series 60 cell phones; that worm spreads over Bluetooth.

Aliases:

Fortinet: W32/Eliles.B
H+BEDV: TR/ElPerfecto
Ikarus: Win32.Itzar.A@mm
Panda: W32/Eliles.C
Softwin: Win32.Itzar.A@mm
Sophos: W32/Eliles-B

2. Detailed description:

The worm Eliles creates the following files:

C:\el_69.exe
C:\%WINDOWS%\Dos.cmd
C:\%WINDOWS%\Fonts\El_Perfecto_69.zip
C:\%WINDOWS%\Help\Alonso-F1.sis
C:\%WINDOWS%\Lilescom.dll
C:\%WINDOWS%\PCHEALTH\HELPCTR\Binaries\msn.exe
C:\%WINDOWS%\System32\Info.txt
C:\%WINDOWS%\System32\temp.exe
C:\%WINDOWS%\Tasks\smtp.vbe

The „El_Perfecto_69.zip“ archive contains the file „el_69.exe“, which is the body of the worm.

The file „Alonso-F1.sis“ contains the body of the „SymbOS/CommWarrior“ worm.

The file „smtp.vbe“ is an encoded Visual Basic script (*.vbe = Visual Basic Encoded) that is attached to the infected email messages.

It modifies these registry entries:

[HKLM\Software\Microsoft\Security Center]
"AntivirusDisableNotify" = "1"

[HKLM\Software\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\Software\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\Software\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKLM\Software\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
"DisableTaskmgr" = "1"
"NoAdminPage" = "1"

By doing this it disables the „Security Center“ monitoring of the Windows Firewall, the antivirus and automatic updates.
It also forbids running the registry editor („regedit.exe“) and the task manager.

Further registry modifications:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion]
"RegisteredOrganization" = "Carpe Diem Leslie."

[HKLM\Software\Microsoft\Windows NT\CurrentVersion]
"SystemRestore\DisableSR" = "1"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %WINDOWS%\PCHEALTH\HELPCTR\Binaries\msn.exe"

3. Cleaning:

- Reboot the PC into the safe mode.
- Change the value of the following registry entries from „1“ to „0“:

[HKLM\Software\Microsoft\Security Center]
"AntivirusDisableNotify" = "1"
"AntiVirusOverride" = "1"
"FirewallDisableNotify" = "1"
"FirewallOverride" = "1"
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
"DisableTaskmgr" = "1"
"NoAdminPage" = "1"

- Erase the following files:

C:\el_69.exe
C:\%WINDOWS%\Dos.cmd
C:\%WINDOWS%\Fonts\El_Perfecto_69.zip
C:\%WINDOWS%\Help\Alonso-F1.sis
C:\%WINDOWS%\Lilescom.dll
C:\%WINDOWS%\PCHEALTH\HELPCTR\Binaries\msn.exe
C:\%WINDOWS%\System32\Info.txt
C:\%WINDOWS%\System32\temp.exe
C:\%WINDOWS%\Tasks\smtp.vbe

- Reboot the computer back into the normal mode.




Worm - Win32 – Falgna



1. Summary:

Falgna is a worm that steals system information and installs a backdoor.

2. Detailed description:

After execution the worm Falgna copies itself into:

%SYSTEM%\ALMV.exe
%SYSTEM%\DLMVD.exe
%SYSTEM%\DLMVP.exe
%SYSTEM%\DLMVT.exe
%SYSTEM%\DLMVX.exe
%SYSTEM%\MSINSCK.OCX
%SYSTEM%\RCS.exe
%SYSTEM%\Rtmp.bat
%SYSTEM%\Rtemp.bat
%SYSTEM%\Rtmp.log
%SYSTEM%\Rtmp.scr

It also tries to copy itself into the root of removable media under the names:

ALMV.exe
MVH.exe
MVS.exe

and creates an „autorun.inf“ file, which executes the worm copy when the media is plugged in.

It searches the removable media for files with the extensions:

*.txt
*.pdf
*.doc
*.xls

If it finds such a file, it copies itself into the file's directory under the file's name with a second extension .exe appended.

For example: if the removable media contains the file „readme.txt“, the worm copies itself into the same directory as „readme.txt.exe“.

The „ALMV.exe“ file is a watchdog that constantly checks whether the following files are running:

%SYSTEM%\MVS.exe
%WINDOWS%\MVH.exe

If they are not, it starts them.

The worm Falgna modifies the following registry keys:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ALMV" = "%SYSTEM%\ALMV.exe"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows] "Load" = "%WINDOWS%\MVS.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Userinit" = "userinit.exe %WINDOWS%\MVH.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "explorer.exe %WINDOWS%\MVH.exe"

This ensures it is executed at startup.

It also modifies registry keys so that „hidden“ files are not displayed in „My Computer“:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt] "UncheckedValue" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "CheckedValue" = "0"

It also bypasses the Windows Firewall by registering „RCS.exe“ as an authorized application in both control sets:

[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%SYSTEM%\RCS.exe" = "%SYSTEM%\RCS.exe:*:Enabled:RCS"

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%SYSTEM%\RCS.exe" = "%SYSTEM%\RCS.exe:*:Enabled:RCS"

Falgna steals system information from the victim's computer, such as the IP address and computer name, and saves it into the file %SYSTEM%\Rtmp.log.
This file is then uploaded to an FTP server.

The worm also includes a backdoor that listens on port 3891 for commands, which extends what it can be made to do on the infected machine.

4. Cleaning:

- Reboot the PC into the safe mode.
- Terminate these processes if they run:
ALMV.exe
DLMVD.exe
DLMVP.exe
DLMVT.exe
DLMVX.exe
MVH.exe
RCS.exe
Rtmp.scr

- Delete these files if they exist:
%SYSTEM%\ALMV.exe
%SYSTEM%\DLMVD.exe
%SYSTEM%\DLMVP.exe
%SYSTEM%\DLMVT.exe
%SYSTEM%\DLMVX.exe
%SYSTEM%\MSINSCK.OCX
%SYSTEM%\RCS.exe
%SYSTEM%\Rtmp.bat
%SYSTEM%\Rtemp.bat
%SYSTEM%\Rtmp.log
%SYSTEM%\Rtmp.scr
%WINDOWS%\MVH.exe

- Erase these files from the root of the removable media:
ALMV.exe
MVH.exe
MVS.exe

- Delete these registry keys:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ALMV" = "%SYSTEM%\ALMV.exe"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows] "Load" = "%WINDOWS%\MVS.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Userinit" = "userinit.exe %WINDOWS%\MVH.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "explorer.exe %WINDOWS%\MVH.exe"

[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%SYSTEM%\RCS.exe" = "%SYSTEM%\RCS.exe:*:Enabled:RCS"

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%SYSTEM%\RCS.exe" = "%SYSTEM%\RCS.exe:*:Enabled:RCS"

- Restore the default values in these keys:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt] "UncheckedValue" = "1"

to

"UncheckedValue" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "CheckedValue" = "0"

to

"CheckedValue" = "1"

- Reboot the PC back into normal mode.




Worm - Win32 - Annew - a



1. Summary:

Annew.a is a 214 kB worm that spreads by copying itself onto local hard drives and removable media. It disables certain system tools (regedit, task manager, system restore, etc.) and changes how hidden files are displayed.

Aliases:

Sophos: W32/Annew-A
Symantec: W32.Annew.A

2. Detailed description:

After execution the worm Annew.a copies itself into the following locations:

%USERPROFILE%\Application Data\Microsoft\Internet Explorer\Quick Launch\Quick Launch.exe
%PROGRAMFILES%\default.exe
%SYSTEM%\msnmsgr.exe
%WINDOWS%\msdos.pif

On the system drive (%SYSTEMDRIVE%) it also creates a file whose name is chosen randomly from a long list; only a few of the variants are given here:

Avast
Avg
Bitdefender
Books
F-Secure
Games
Kaspersky
Love
Mcafee
Mod32
Music
Norton
Panda
Security
Sex
Sophos
Star
Symantec
Windows

Afterwards it creates registry entries ensuring its execution at startup:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr" = "%SYSTEM%\msnmsgr.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr" = "C:\WINDOWS\system32\msnmsgr.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe %WINDOWS%\msdos.pif"

The worm Annew.a disables the Task Manager (taskmgr.exe), the Registry Editor (regedit.exe), the command prompt (cmd.exe) and „System Restore“ by modifying the following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCMD" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
"DisableRegistryTools" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
"DisableCMD" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
"DisableTaskMgr" = "1"

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig" = "1"

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = "1"

Annew.a tries to mask its presence by changing the file display settings through these registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"Norun" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFind" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetFolders" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLogoff" = "1"

The worm Annew.a terminates all processes whose name contains one of the following strings:

cmd
hex
mconfig
proc
spy
task

The worm Annew.a changes the title of all visible windows to the following text:
[^_^Anti Antivirus^_^]

Annew.a creates a file named „autorun.inf“ in the root of the system disk and on all removable media (for instance a USB stick). This file ensures automatic execution of the worm body when the media is connected to the computer. The file looks something like:

[AutoRun]
Open=Love.exe
shellexecute=Love.exe
shell\Auto\command=Love.exe
Shell=Auto
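The autorun.inf above, the ones Falgna and Xirtam drop on removable media, and the shell= line Alanis.a adds to system.ini are all plain INI files, so one small parser covers both checks. This is an added example, not the blog's code: it reports every directive in an autorun.inf that makes Explorer run a program, whether the default double-click action has been redirected, and every program beyond Explorer.exe in the [boot] shell= line. The two sample files are constructed from the values in these write-ups.

```python
from typing import Dict, List, Tuple

# Constructed inputs: the autorun.inf Annew.a writes and a system.ini [boot]
# section with the shell= line Alanis.a adds (both taken from the write-ups).
SAMPLE_AUTORUN_INF = r"""[AutoRun]
Open=Love.exe
shellexecute=Love.exe
shell\Auto\command=Love.exe
Shell=Auto
"""

SAMPLE_SYSTEM_INI = r"""[boot]
shell= Explorer.exe C:\WINDOWS\Cleanmgr.mcg
[drivers]
wave=mmdrv.dll
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal case-insensitive INI parser (section and key names lower-cased).

    configparser is avoided on purpose: autorun.inf keys contain backslashes
    and a real system.ini may carry duplicate or key-less lines.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            sections[current][name.strip().lower()] = value.strip()
    return sections


def audit_system_ini(text: str) -> List[str]:
    """Programs in [boot] shell= other than Explorer.exe.

    A clean system.ini names only Explorer.exe there, if the line exists at all,
    so every other token is a program started together with the desktop.
    """
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    return [p for p in shell.split() if p.split("\\")[-1].lower() != "explorer.exe"]


def audit_autorun_inf(text: str) -> Dict[str, object]:
    """Collect every directive that makes Explorer run a program when the
    media is inserted (open=, shellexecute=) or a verb is chosen
    (shell\\<verb>\\command=)."""
    ar = parse_ini(text).get("autorun", {})
    launch: List[Tuple[str, str]] = []
    for name, value in ar.items():
        is_verb_cmd = name.startswith("shell\\") and name.endswith("\\command")
        if name in ("open", "shellexecute") or is_verb_cmd:
            launch.append((name, value))
    # shell=<verb> makes that verb the default action, so a double-click on the
    # drive icon runs shell\<verb>\command instead of opening the folder.
    verb = ar.get("shell", "").lower()
    hijacked = bool(verb) and f"shell\\{verb}\\command" in ar
    return {
        "launch": launch,
        "default_verb_hijacked": hijacked,
        "programs": sorted({v for _, v in launch}),
    }


if __name__ == "__main__":
    print("system.ini extra shell programs:", audit_system_ini(SAMPLE_SYSTEM_INI))
    print("autorun.inf:", audit_autorun_inf(SAMPLE_AUTORUN_INF))
```

An open= line by itself is normal on installation CDs. What matters on a writable USB stick is a launch directive pointing at an executable in the root (here Love.exe) combined with the shell= redirect, which makes even a cautious double-click on the drive icon run the worm instead of opening the folder.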

Afterwards the worm Annew.a displays an error message to mask its execution.

3. Cleaning:

- Reboot the PC into the safe mode.
- Delete the following entries in the registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr" = "%SYSTEM%\msnmsgr.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr" = "C:\WINDOWS\system32\msnmsgr.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe %WINDOWS%\msdos.pif"

- Change the values of the following entries from „1“ to „0“:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
"DisableCMD" = "1"
"DisableTaskMgr" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System]

"DisableRegistryTools" = "1"
"DisableCMD" = "1"
"DisableTaskMgr" = "1"

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

"DisableConfig" = "1"
"DisableSR" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

"Hidden" = "1"
"HideFileExt" = "1"
"ShowSuperHidden" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NoFolderOptions" = "1"
"Norun" = "1"
"NoFind" = "1"
"NoSetFolders" = "1"
"NoLogoff" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

"Hidden" = "0"
"HideFileExt" = "0"
"ShowSuperHidden" = "0"

- Delete these files:
%USERPROFILE%\Application Data\Microsoft\Internet Explorer\Quick Launch\Quick Launch.exe
%PROGRAMFILES%\default.exe
%SYSTEM%\msnmsgr.exe
%WINDOWS%\msdos.pif

- Reboot the PC back into the normal mode.




Worm Win32 Patahme



1. Summary:

Patahme is a worm spreading through email, network shares and removable media.


2. Detailed description:

After its execution it creates these files:

%SYSTEMDISK%\patahhati.exe
%SYSTEMDISK%\memesayang.exe
%WINDOWS%\meme.bmp
%WINDOWS%\sysexplorer.exe
%WINDOWS%\sysprint.exe
%WINDOWS%\wininit.exe

It also tries to create the following files:

%WINDOWS%\happyday.htm
%WINDOWS%\memesayang.htm
%WINDOWS%\putuscinta.htm

If it succeeds, it opens them in Internet Explorer.

The worm Patahme searches local and removable disks for MS Word documents. Those it finds are hidden, and the worm copies itself into their place.
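Falgna's „readme.txt.exe“ next to „readme.txt“, Takeobel's „My Music.exe“ next to a hidden „My Music“ folder and its „.doc.ln3“ renames, and the hidden Word documents Patahme replaces are the same lure: an executable takes the name of something the user already trusts. The following Python function is an added example, not code from this blog, that scans a directory listing for those patterns. It works on an in-memory listing (path, is_dir, hidden) constructed for the example so that it runs anywhere; on a real system the entries would come from os.scandir and the hidden flag from the FILE_ATTRIBUTE_HIDDEN bit.

```python
from typing import Dict, List, NamedTuple

# Extensions Windows runs on double-click; the worms on this page use the first three.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


class Entry(NamedTuple):
    path: str      # full Windows-style path (backslash separated)
    is_dir: bool
    hidden: bool   # FILE_ATTRIBUTE_HIDDEN set


# Constructed listing of a USB stick after the infections described in these
# write-ups (not a real capture).
SAMPLE_LISTING = [
    Entry(r"E:\readme.txt", False, False),
    Entry(r"E:\readme.txt.exe", False, False),          # Falgna-style copy
    Entry(r"E:\Downloads\My Music", True, True),        # folder hidden by Takeobel
    Entry(r"E:\Downloads\My Music.exe", False, False),  # worm named after the folder
    Entry(r"E:\Downloads\holiday.doc.ln3", False, False),
    Entry(r"E:\Docs\report.doc", False, True),          # document hidden by Patahme
    Entry(r"E:\Docs\report.doc.exe", False, False),
    Entry(r"E:\Docs\setup.exe", False, False),          # ordinary executable, no twin
]


def _split(path: str):
    parent, _, name = path.rpartition("\\")
    return parent, name


def find_masquerades(listing: List[Entry]) -> List[str]:
    """Flag executables named after a sibling file or folder, and Word
    documents renamed with the .ln3 extension."""
    by_parent: Dict[str, Dict[str, Entry]] = {}
    for e in listing:
        parent, name = _split(e.path)
        by_parent.setdefault(parent, {})[name.lower()] = e

    findings: List[str] = []
    for e in listing:
        parent, name = _split(e.path)
        low = name.lower()
        if not e.is_dir and low.endswith(".doc.ln3"):
            findings.append(f"{e.path}: Word document renamed with .ln3")
            continue
        if e.is_dir or not low.endswith(EXEC_EXTS):
            continue
        # Strip only the executable extension: "readme.txt.exe" -> "readme.txt",
        # "My Music.exe" -> "my music"; then look for a sibling of that name.
        stem = low.rsplit(".", 1)[0]
        twin = by_parent[parent].get(stem)
        if twin is None or twin is e:
            continue
        kind = "folder" if twin.is_dir else "file"
        state = "hidden " if twin.hidden else ""
        findings.append(f"{e.path}: executable named after {state}{kind} {twin.path}")
    return findings


if __name__ == "__main__":
    for line in find_masquerades(SAMPLE_LISTING):
        print(line)
```

A twin that is itself hidden is the strongest signal: with HideFileExt=1 the user sees only one „My Music“ or „report.doc“ icon and it is the worm. A visible twin (readme.txt beside readme.txt.exe) still deserves a look, since legitimate software rarely ships an executable named after a data file in the same folder.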

In certain cases it may erase *.exe and *.sys files.

Patahme ensures its execution at startup by adding these registry values:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "sysshell" = "%WINDOWS%\sysexplorer.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "sysprint" = "%WINDOWS%\sysprint.exe"

It modifies the registry keys that control file display (hidden extensions, hidden files and directories, etc.):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN] "CheckedValue" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN] "DefaultValue" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "CheckedValue" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "DefaultValue" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "Hidden" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] "HideFileExt" = "1"

To make removal harder, it also creates registry values that forbid the user from running regedit and the task manager and from opening the folder options:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoFolderOptions" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableRegistryTools" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableTaskMgr" = "1"

3. Sending by email messages:

As mentioned before, Patahme also spreads through email. It attaches its body under names like:

beda pemenang dan pecundang.exe
pensiun muda pensiun kaya.exe
Rahasia Seorang Bill Gate.exe

Subject of the email is random.

It receives the email addresses from the following servers:

www.plazatelkom.net
www.telkom.net

It first sends an ICMP echo request; if the server answers with an ICMP echo reply, it waits for the list of addresses.


4. Cleaning:

- Reboot the PC into the safe mode.
- Erase the files:

%SYSTEMDISK%\patahhati.exe
%SYSTEMDISK%\memesayang.exe
%WINDOWS%\happyday.htm
%WINDOWS%\meme.bmp
%WINDOWS%\memesayang.htm
%WINDOWS%\putuscinta.htm
%WINDOWS%\sysexplorer.exe
%WINDOWS%\sysprint.exe
%WINDOWS%\wininit.exe

- Remove these registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "sysshell" = "%WINDOWS%\sysexplorer.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "sysprint" = "%WINDOWS%\sysprint.exe"

- In the following keys change the value from „1“ to „0“:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoFolderOptions" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableRegistryTools" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableTaskMgr" = "1"

- Reboot the computer into the normal mode.




Worm Win32 Xirtam a



1. Summary:

Xirtam is a 35 kB worm that initially spreads through email and afterwards over local and removable drives.

2. Detailed description:

After execution, the worm copies itself into the following locations:

%USERPROFILE%\Local Settings\Temp\Reply.exe
%USERPROFILE%\Local Settings\Temp\spoolsv.tme
%USERPROFILE%\Local Settings\Temp\taskmgr.txt
%USERPROFILE%\spoolsv.exe
%WINDOWS%\Matrix.scr

%USERPROFILE% stands for the profile folder of the currently logged-on user, e.g. C:\Documents and Settings\[CURRENT USER]\.

The worm also tries to create the following files:

A:\Recycled.exe
E:\Autorun.inf
E:\Recycled.exe
E:\Secret\Nice Sex.exe
F:\Autorun.inf
F:\Fuck\Nice Sex.exe
F:\Recycled.exe
G:\911 Death\911.exe
G:\Autorun.inf
G:\Recycled.exe
H:\Autorun.inf
H:\Recycled.exe
H:\VDO\Nice Sex.exe
I:\Autorun.inf
I:\Data Fair\Nice Sex.exe
I:\Recycled.exe
J:\Autorun.inf
J:\Nice Sex.exe
J:\Recycled.exe

It also modifies the following registry keys:

[HKLM\SOFTWARE\Classes\exefile]
"NeverShowExt" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] "Task" = "%USERPROFILE%\spoolsv.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] "Task" = "%USERPROFILE%\spoolsv.exe"

[HKCU\Control Panel\Desktop] "SCRNSAVE.EXE" = "C:\WINDOWS\Matrix.scr"

[HKCU\Control Panel\Desktop]
"ScreenSaveActive" = "1"

Xirtam actively searches the local network for shares. Any it finds are written into the file %USERPROFILE%\Local Settings\Temp\taskmgr.txt.

3. Infection by email:

It searches the local hard drives for .htm files and looks for email addresses within them. The infected email is sent to those addresses with the following characteristics:

From: datafolder@yahoo.com
To: found email address

Subject: Reply DataFolder
Body: Please Save Attachment File For Detail Data In File.

The attached file (the body of the worm) always has the name „Reply.exe“.

4. How to clean this worm:

- Reboot the PC into the safe mode.
- Erase the following files if they exist:
%USERPROFILE%\Local Settings\Temp\Reply.exe
%USERPROFILE%\Local Settings\Temp\spoolsv.tme
%USERPROFILE%\Local Settings\Temp\taskmgr.txt
%USERPROFILE%\spoolsv.exe
%WINDOWS%\Matrix.scr

A:\Recycled.exe
E:\Autorun.inf
E:\Recycled.exe
E:\Secret\Nice Sex.exe
F:\Autorun.inf
F:\Fuck\Nice Sex.exe
F:\Recycled.exe
G:\911 Death\911.exe
G:\Autorun.inf
G:\Recycled.exe
H:\Autorun.inf
H:\Recycled.exe
H:\VDO\Nice Sex.exe
I:\Autorun.inf
I:\Data Fair\Nice Sex.exe
I:\Recycled.exe
J:\Autorun.inf
J:\Nice Sex.exe
J:\Recycled.exe

- Delete the following registry keys:
[HKLM\SOFTWARE\Classes\exefile]
"NeverShowExt" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] "Task" = "%USERPROFILE%\spoolsv.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] "Task" = "%UserProfile%\spoolsv.exe"

[HKCU\Control Panel\Desktop] "SCRNSAVE.EXE" = "C:\WINDOWS\Matrix.scr"

- In the registry key „[HKCU\Control Panel\Desktop]“ change:
"ScreenSaveActive" = "0"
to
"ScreenSaveActive" = "1"

- Reboot the PC.




Worm – Win32 – Culler - a





1. Summary:

Culler.a is a worm that spreads using MSN Instant Messenger. It can communicate with a remote HTTP server, download files from that server and run them.

Aliases:

Sophos: W32/MSNVB-D

2. Detailed description:

The worm Culler.a creates these files after execution:

%SYSTEM%\Avconsol.exe
%SYSTEM%\zap.exe
%SYSTEM%\hide32.exe
%SYSTEM%\ttt.exe

All these files are identical and contain the body of the Culler.a worm.

By modifying the following registry keys, the worm ensures it is started again after every reboot of Windows:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AVantivirus" = "%System%\Avconsol.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Servicewin" = "%System%\Hide32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"System" = "%System%\Zap.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinService" = "%Service%\Ttt.exe"

The worm Culler.a forbids execution of the Task Manager (taskmgr.exe) by modifying the following registry key:

[HKCU\software\microsoft\windows\currentversion\policies\system]
"disabletaskmgr" = "1"

To defend itself, the worm shuts down applications matching the following strings:

AD_Aware
AntiVir
Antivirus
avast
AVG
BitDefender
Dr.Web
eSafe
ewido
HiJack
Kaspersky
Malware
McAfee
Panda
Scanner
Spybot
Spyware
Virus

After successfully installing itself, the worm Culler.a displays this window:

Component "COMDLG32.OCX" or one of its dependencies no correctly registered a file is missing or invalid.

It then remains resident in memory.

3. Cleaning:

- Reboot PC into the safe mode.

- Change the value „disabletaskmgr“ in the following registry key from „1“ to „0“:

[HKCU\software\microsoft\windows\currentversion\policies\system]
"disabletaskmgr" = "1"

- Delete the following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AVantivirus" = "%System%\Avconsol.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Servicewin" = "%System%\Hide32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"System" = "%System%\Zap.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinService" = "%Service%\Ttt.exe"

- Remove the following files:

%SYSTEM%\Avconsol.exe
%SYSTEM%\zap.exe
%SYSTEM%\hide32.exe
%SYSTEM%\ttt.exe

- Reboot the computer into normal mode.

- Update your antivirus and run a full scan. If you don't have an antivirus or don't know which one to use, use the Kaspersky online virus scanner:

http://www.kaspersky.com/virusscanner




Worm Win32 Netsky q



1. Summary:

Netsky.q is a 29 kB worm that spreads through email, peer-to-peer (P2P) networks and shared folders.


2. Detailed description:

After the first run, Netsky.q copies itself into the Windows directory under the name:

%WINDOWS%\FVProtect.exe

This executable drops a dynamic library (DLL) „userconfig9x.dll“ into the system and executes it.

It also creates these temporary files in the system directory:

base64.tmp
zipped.tmp
zip1.tmp
zip2.tmp
zip3.tmp

The „base64.tmp“ file contains the body of the worm in UUEncoded form, and the files „zip1.tmp“ to „zip3.tmp“ contain a zip archive with the packed body of the worm. The worm uses these files when building the infected emails it sends to the gathered addresses. The names of the files inside the zip archives are:

data.rtf.scr
details.txt.pif
document.txt.exe

The worm creates a mutex named „_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_“ to ensure that only a single instance runs.

To make sure it runs at every system startup, it registers itself in the „Run“ registry key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton Antivirus AV" = %WINDOWS%\FVProtect.exe

Since its first variant, Netsky has fought another worm called „Bagle“. This variant is no different: it disables „Bagle“ by deleting these registry values and keys:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
au.exe
d3dupdate.exe
direct.exe
Explorer
gouday.exe
OLE
rate.exe
srate.exe
ssate.exe
sysmon.exe
Taskmon
Windows Services Host
winupd.exe

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
DELETE ME
direct.exe
Explorer
jijbl
msgsvr32
sentry
service
System.
Taskmon
video
Windows Services Host
winupd.exe

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
System.
Video

[HKCR\CLSID\E6FB5E20-DE35-11CF-9C87-00AA005127ED]
[HKLM\SYSTEM\CurrentControlSet\Services\WksPatch]

The worm Netsky.q searches the local and network drives for folders whose names contain the strings:

bear
donkey
download
ftp
htdocs
http
icq
kazaa
lime
morpheus
mule
my shared folder
shar
shared files
upload

If it finds such a folder, it copies itself into it.

This ensures spreading over peer-to-peer (P2P) networks and Instant Messenger (IM) clients.
The variety of names under which the worm copies itself into those directories is vast, so only some of them are listed here:

3D Studio Max 6 3dsmax.exe
ACDSee 10.exe
Adobe Photoshop 10 full.exe
Britney sex xxx.jpg.exe
Britney Spears and Eminem porn.jpg.exe
Cracks & Warez Archiv.exe
Dark Angels new.pif
Doom 3 release 2.exe
E-Book Archive2.rtf.exe
Eminem sex xxx.jpg.exe
Harry Potter 1-6 book.txt.exe
How to hack new.doc.exe
Internet Explorer 9 setup.exe
Kazaa Lite 4.0 new.exe
Microsoft WinXP Crack full.exe
MS Service Pack 6.exe
Opera 11.exe
Partitionsmagic 10 beta.exe
Ringtones.mp3.exe
Saddam Hussein.jpg.exe
Serials edition.txt.exe
Visual Studio Net Crack all.exe
Win Longhorn re.exe
WinAmp 13 full.exe
Windows 2000 Sourcecode.doc.exe
XXX hardcore pics.jpg.exe

3. Sending by email messages:

The worm Netsky.q uses its own SMTP engine but can also use the client's mail server. Email addresses are gathered from files on the local hard drives with the following extensions:

*.adb
*.asp
*.cgi
*.dbx
*.dhtm
*.doc
*.eml
*.htm
*.html
*.jsp
*.msg
*.oft
*.php
*.pl
*.rtf
*.sht
*.shtm
*.tbb
*.txt
*.uin
*.vbs
*.wab
*.wsh
*.xml

It ignores addresses containing the following strings:

@antivi
@avp
@bitdefender
@f-pro
@f-secur
@fbi
@freeav
@kaspersky
@mcafee
@messagel
@microsof
@norman
@norton
@pandasof
@skynet
@sophos
@spam
@symantec
@viruslis
abuse@
noreply@
ntivir@
reports@
spam@

The infected email comes in an immense number of variations, so only a few are shown here. The sender's address is either harvested from the infected computer or is one of:

abuse@gov.us
noreply@paypal.com
support@symantec.com

The subject might look like:

Approved
Congratulations!
Do you?
I cannot forget you!
I love you!
Illegal Website
Important
Is that your password?
Postcard
Private document
Re: Free porn
Re: Is that your document?
Re: Its me
Re: Proof of concept
Re: Question
Re: Thank you for delivery
read it immediately
Shocking document
Stolen document
Thank you!
You cannot do that!

The subject can also be a random string.

Samples of the email body:

Bad Gateway: The message has been attached.
Best wishes, your friend.
Can you confirm it?
Follow the instructions to read the message.
For more details see the attachment.
Greetings from france, your friend.
Here is it!
Here is my phone number.
I am shocked about your document!
I cannot believe that.
I found this document about you.
I have visited this website and I found you in the spammer list. Is that true?
Important message, do not show this anyone!
Please confirm the document.
Please read the attached file.
See the file.
Thank you for your request, your details are attached!
The file is protected with the password ghj001.
Try this game ;-)
Waiting for a Response. Please read the attachment.
Your archive is attached.
Your document is attached.
Your mail account has been closed. For further details see the document.
Your mail account is expired. See the details to reactivate it.
Your photo, uahhh.... , you are naked!

To reassure the recipient, the worm appends a fake antivirus scan notice to the bottom of the email, for example:

+++ Attachment: No Virus found
+++ Bitdefender AntiVirus - www.bitdefender.com

The attachment carrying the worm body has a *.exe or *.zip extension. A password quoted in the message body, as in one of the samples above, is the usual way to get an archive past a mail gateway scanner that cannot open it, so an archive that arrives together with its password should be treated as hostile.

4. Cleaning:

- Reboot the PC into safe mode.
- Erase these files:

%WINDOWS%\base64.tmp
%WINDOWS%\FVProtect.exe
%WINDOWS%\zipped.tmp
%WINDOWS%\zip1.tmp
%WINDOWS%\zip2.tmp
%WINDOWS%\zip3.tmp

- Delete the „Norton Antivirus AV“ value in the following registry key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton Antivirus AV" = %WINDOWS%\FVProtect.exe

- Reboot the computer into normal mode.

0 writebacks [04/19/2007 05:38] [] permanent link



Worm - Win32 - Vutsog - a



1. Summary:

Vutsog is a worm that spreads through email messages, security exploits and peer-to-peer networks. After a successful infection it connects to an IRC server and waits for commands.

2. Detailed description:

The Vutsog worm copies the Internet Explorer binary „iexplore.exe“ to:

%SYSTEM%\dllcache\iexplore.exe

and writes its own body in place of the original file:
%PROGRAMFILES%\Internet Explorer\iexplore.exe

So that the „System Restore“ service cannot put the original file back over the worm body, that service is stopped.

It also copies itself to the following locations. The two svchost.exe entries are NTFS alternate data streams (the part after the colon is a stream name) attached to the legitimate svchost.exe, so the worm body does not appear in a normal directory listing and the size shown for svchost.exe does not change:

%SYSTEM%\dllcache\svchost.exe:svchost.exe
%SYSTEM%\svchost.exe:svchost.exe
%WINDOWS%\lsass.exe
%PROGRAMFILES%\Symantec\LiveUpdate\AUPDATE.EXE
%PROGRAMFILES%\Symantec\LiveUpdate\LUALL.EXE
%PROGRAMFILES%\McAfee.com\Agent\mcupdate.exe

and creates these files:

c:\zyxwvuts.log
%SYSTEM%\msfsr.sys
%SYSTEM%\drivers\[6 random characters].sys (e.g. „gedffa.sys“)

It modifies the following registry entries:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SvcHost" = "C:\WINDOWS\system32\svchost.exe:svchost.exe"

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "<worm file name>" = "<worm file name>:*:Enabled:@xpsp2res.dll,-22019"

The Run entry ensures the worm is executed at startup; the alternate data stream path is used directly as the command. The second entry adds the worm to the Windows Firewall's list of authorized applications, so its network traffic is not blocked.

As a second startup mechanism it also modifies the „system.ini“ system file.

It also registers itself as a service named „SvcHost“ with the following description, which mimics the description of the genuine Windows service host (svchost.exe) so that it blends in:

„Generic Host Process for Win32 Services. If this service is disabled, any services that explicitly depend on it will fail to start.“

It further secures its startup by replacing the binaries of the services „srservice“ (System Restore) and „wuauserv“ (Automatic Updates).

The file „msfsr.sys“ created in the system directory is registered as a service as well.

It goes through the installed services and, if it finds the following ones (security and file-sharing services), stops them with the „NET STOP“ command:

Browser (Computer Browser)
lanmanserver (Server)
McShield (McAfee on-access scanner)
navapsvc (Norton AntiVirus Auto-Protect)
sharedaccess (Windows Firewall/Internet Connection Sharing)
SymAppCore (Symantec application core service)
wscsvc (Windows Security Center)

It then connects to an IRC server and waits for commands; it only accepts commands from a client whose IRC hostname is „www.mi5.gov.uk“, a host-mask check the operator uses as a crude access control.

3. Infection by email:

Vutsog searches the following locations for email addresses:

%USERPROFILE%
Local Settings
Temporary Internet Files

and also the „Windows Address Book“.

It has its own SMTP engine; the sender's address is chosen from the following list:

updates@McAfee.com
updates@Microsoft.com
updates@Symantec.com

The subject of the infected email mimics a mail delivery failure notice, which is the lure. It is chosen at random from:

Data format error.
Destination host is not responding.
Mail quota exceeded.
Mail transaction failed.
Mail transaction failed. Data format error.
Mail transaction failed. Mail quota exceeded.
Mail transaction failed. Message is too large.
Mail transaction failed. Partial message is available.
Mail transaction failed. Service unavailable.
Mail transaction failed. Session aborted.
Message is too large.
Network failure.
Service unavailable.
Your message could not be delivered.
Your message is undeliverable.
Your message was not delivered.

There is a huge number of attachment name variations, so I'll mention just some of them:

Alien vs. Predator 2
Angelina Jolie
Command & Conquer 3: Tiberium Wars
Half-Life 2: Aftermath
Halo 3
Jessica Simpson
message
Paris Hilton
pokertechnique
Resident Evil 5
Spider-Man 3
Star Wars: Empire at War
The Hills Have Eyes II
Terminator 4
Unreal Tournament 2007
Virtua Fighter 5
your SSN etc
your bank account details
your financial details
your personal details
your personal information
your tax returns
yourwebsite
youtube-you

The attachments might have one of these extensions:

.gif
.html
.jpeg
.mp3
.rtf
.txt
.wav
.wma

To spread over peer-to-peer (P2P) networks, the worm first copies itself into directories on the local drives whose names contain one of the following strings (typically the shared folders of P2P clients):

BearShare
Collections
Downloads
share
upload

The list of file names is again long, but they are usually named after a movie, a game or a celebrity, e.g.:

American Gangster
Angel-A
Angelina Jolie
Beowulf
Black Book
Carmen Electra
Dallas
Fantastic Four 2
Hostel 2
Jessica Simpson
Paris Hilton
Pathfinder
Prom Night (2007)
Resident Evil 3
Spider-Man 3
Terminator 4
The Hills Have Eyes II
The Simpsons
The Transformers
Untraceable
Vacancy
Wonder Woman
Zodiac

The extension, or name suffix, is also chosen at random from:

*.scr
*.avi.com
*.mp4.com
*.iso.exe
*.zip.exe
- Full.exe
- Keygen.exe

4. Cleaning:
- Reboot the PC into safe mode.
- Stop the worm service: Start Menu -> Run -> type „services.msc“ and hit OK. Find the service named „SvcHost“, open Action -> Properties and click Stop.

- Delete these files if they exist. The two svchost.exe entries are alternate data streams attached to the legitimate svchost.exe: remove only the stream (for example with Sysinternals „streams -d“) and do not delete svchost.exe itself. The genuine lsass.exe lives in %SYSTEM%, so the copy in %WINDOWS% is the worm's.

%SYSTEM%\dllcache\svchost.exe:svchost.exe
%SYSTEM%\svchost.exe:svchost.exe
%WINDOWS%\lsass.exe
%PROGRAMFILES%\Symantec\LiveUpdate\AUPDATE.EXE
%PROGRAMFILES%\Symantec\LiveUpdate\LUALL.EXE
%PROGRAMFILES%\McAfee.com\Agent\mcupdate.exe
%SYSTEM%\msfsr.sys
%SYSTEM%\drivers\[6 random chars].sys (e.g. „gedffa.sys“); the file is 6,144 bytes long.
c:\zyxwvuts.log

- Replace the Internet Explorer binary %PROGRAMFILES%\Internet Explorer\iexplore.exe with the original „iexplore.exe“ that the worm stored in %SYSTEM%\dllcache\iexplore.exe. Since the worm made that copy, compare it with a known-good iexplore.exe of the same version (installation media or service pack) before restoring it.

- Delete the following registry values:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SvcHost" = "C:\WINDOWS\system32\svchost.exe:svchost.exe"

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "<worm file name>" = "<worm file name>:*:Enabled:@xpsp2res.dll,-22019"

- Reboot the PC back into normal mode.




Worm Win32 Gatina b



1. Summary:

Gatina.b is a 40 kB worm that spreads through infected email. It blocks certain security-related applications and some system functions.

Aliases:

Symantec: W32.Pintae.A@mm
F-Prot: W32/Sillyworm.WI
McAfee: W32/Namuki

2. Detailed description:

After execution, Gatina.b copies itself to the following locations under the Windows directories:

%SYSTEM%\AutoRun.bat
%WINDOWS%\Exit to DosPrompt.pif
%WINDOWS%\Mails\data.doc.exe
%WINDOWS%\Mails\document.doc.exe
%WINDOWS%\Mails\info.doc.exe
%WINDOWS%\Mails\readme.doc.exe
%WINDOWS%\Mails\taetae.txt.exe

and also, as „MSKernell.bat“, into the Startup folder of the currently logged-on user:
%USERPROFILE%\Start Menu\Programs\Startup\MSKernell.bat

It creates entries in the „Run“ and „RunServices“ keys to be executed at system startup:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"taengtae" = "%SYSTEM%\AutoRun.bat"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton Antivirus AV" = "%WINDOWS%\FVProtect.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOYPI_KANG_ASTI" = "%WINDOWS%\Exit to DosPrompt.pif"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"taetae" = "%WINDOWS%\Exit to DosPrompt.pif"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"TANG_INA_MO" = "%SYSTEM%\AutoRun.bat"

It disables the registry tools, Task Manager, Folder Options and the Find function, and adds a restriction in Internet Explorer, by setting the following policy values:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFind" = "1"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoFindFiles" = "1"

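The following Python script is an added example, not code from the original page. It audits a .reg export for the two kinds of entries described on this page: the Vutsog persistence entries from the earlier write-up (a Run command and a Windows Firewall exception whose path points into an NTFS alternate data stream, the „svchost.exe:svchost.exe“ form) and the Gatina.b policy lockouts listed above. The export text is constructed here, the ctfmon.exe and msmsgs.exe lines in it are benign controls, and using the worm's own path as the firewall value name is an assumption (the page only says „worm file name“).

```python
"""Audit a Windows .reg export for the persistence and lockout entries
described on this page (added example, not code from the original page):
Vutsog-style autorun commands and firewall exceptions that point into an NTFS
alternate data stream, and Gatina.b-style policy values that disable Task
Manager, the registry tools, Folder Options and Find."""
import re

AUTORUN_KEYS = (
    "\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\Microsoft\\Windows\\CurrentVersion\\RunServices",
)
FIREWALL_LIST = "\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List"
LOCKOUT_VALUES = {"DisableTaskMgr", "DisableRegistryTools",
                  "NoFolderOptions", "NoFind", "NoFindFiles"}

# Constructed sample export (not a capture from an infected host).  Using the
# worm's own path as the firewall value name is an assumption; the page only
# says "worm file name".  ctfmon.exe and msmsgs.exe are benign controls.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SvcHost"="C:\\WINDOWS\\system32\\svchost.exe:svchost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\svchost.exe:svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:svchost.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoFind"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoFindFiles"=dword:00000001
"""


def unescape(s):
    """Undo .reg string escaping (a backslash quotes the next character)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Minimal .reg parser: {key: {value_name: value}}.  Handles REG_SZ
    ("name"="text") and REG_DWORD ("name"=dword:hex); other types are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            name = unescape(name.strip().strip('"'))
            value = value.strip()
            if value.startswith("dword:"):
                keys[current][name] = int(value[6:], 16)
            elif value.startswith('"') and value.endswith('"'):
                keys[current][name] = unescape(value[1:-1])
    return keys


def is_ads_path(path):
    """True when a path names an NTFS alternate data stream (file.exe:stream).
    The colon after a drive letter is not a stream separator."""
    path = path.strip('"')
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    return ":" in body


def split_firewall_entry(value):
    """Split 'path:scope:state:displayname' from the AuthorizedApplications
    list; rsplit because the path itself may contain colons."""
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        return {"path": value, "scope": "", "state": "", "display": ""}
    return dict(zip(("path", "scope", "state", "display"), parts))


def audit(reg_text):
    """Return (key, value_name, reason) for every suspicious entry."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key.endswith(AUTORUN_KEYS):
            for name, cmd in values.items():
                if isinstance(cmd, str) and is_ads_path(cmd):
                    findings.append((key, name, "autorun command stored in an alternate data stream"))
        elif key.endswith(FIREWALL_LIST):
            for name, value in values.items():
                if isinstance(value, str) and is_ads_path(split_firewall_entry(value)["path"]):
                    findings.append((key, name, "firewall exception for a program in an alternate data stream"))
        elif "\\Policies\\" in key:
            for name, value in values.items():
                if name in LOCKOUT_VALUES and value == 1:
                    findings.append((key, name, "lockout policy set; restore to 0 or delete"))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit(SAMPLE_REG):
        print(f"{reason}: [{key}] {name}")
```

On the suspect machine, „reg export HKCU hkcu.reg“ and the same for HKLM produce the input (those files are UTF-16 encoded, so decode them before passing the text to audit()). An alternate data stream in a Run value is exactly the thing a „dir“ listing will not show you, and a lockout value of 1 is what the cleaning section below says to set back to 0.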
As mentioned above, Gatina.b tries to block security software (antivirus products, firewalls and monitoring tools) and can also close their warning pop-ups. The names below correspond to application window titles; the list is not complete:

Ad-Aware SE Personal
Anti-Trojan - Infection Monitor
AntiViral Toolkit Pro
BitDefender
eTrust Antivirus - Local Scanner
Kaspersky Anti-Virus Monitor
Kaspersky Anti-Virus Personal
Kaspersky Anti-Virus Scanner
NOD32 Antivirus Program
NOD32 Control Center
Norton AntiVirus
Registry Editor
Registry Monitor
Sophos Anti-Virus - SWEEP
Spybot - Search & Destroy
Sygate Personal Firewall Pro
Windows Firewall
Windows Security Center
Windows Task Manager
WinPatrol

3. Sending by email messages:

Gatina.b spreads by email with the infected file attached. Recipient addresses are taken from the „Windows Address Book“. The name of the infected attachment is one of:

data.doc.exe
document.doc.exe
info.doc.exe
readme.doc.exe
taetae.txt.exe

The sender's address is forged and set to one of the following:

astig@hotmail.com
lady_juana_cute@hotmail.com
noypi@pinoy.com
Tae@Tae.com
vaNNeo@viruz.com
victim@victim.com
viruz@yahoo.com

Subject is one of:

CDO.Message
FILIPINO'S SECRETS
My Documents
My Victim
New Virus Information
Philippines Government Top Secret
TaeTae Virus Information

The body of the email is chosen from the following, depending on the subject:

Hi! Look the Attach Document for more details about FILIPINOS...

HOY! PINOY AKO! BUO AKING LOOB MAY AGIMAT AKO... FOR MORE LYRICS CHECK THE ATTACH FILE...

If your computer has been infected by TaeTae Virus. Open the attach file and follow the instruction to remove the virus...

LYRICS OF BAMBOO AND OTHER BOY BAND Please read the attach file for more information about computer virus...

The Government of the Philippines revealed the truth. For more information please read the Attach file...

4. Cleaning:

- Reboot the PC into safe mode.
- Using an alternative registry tool (regedit is disabled by the policy values below), change the following values from „1“ to „0“:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFind" = "1"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoFindFiles" = "1"

This reverses the restrictions imposed by the worm, and regedit can be used again.

- Delete following entries in the registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"taengtae" = "%SYSTEM%\AutoRun.bat"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton Antivirus AV" = "%WINDOWS%\FVProtect.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOYPI_KANG_ASTI" = "%WINDOWS%\Exit to DosPrompt.pif"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"taetae" = "%WINDOWS%\Exit to DosPrompt.pif"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"TANG_INA_MO" = "%SYSTEM%\AutoRun.bat"

- Erase the following files:

%SYSTEM%\AutoRun.bat
%WINDOWS%\Exit to DosPrompt.pif
%WINDOWS%\Mails\data.doc.exe
%WINDOWS%\Mails\document.doc.exe
%WINDOWS%\Mails\info.doc.exe
%WINDOWS%\Mails\readme.doc.exe
%WINDOWS%\Mails\taetae.txt.exe
%USERPROFILE%\Start Menu\Programs\Startup\MSKernell.bat

- Reboot the computer into the normal mode.




Worm – Win32 – Reploret



1. Summary:

Reploret is a worm that spreads through mapped network drives and removable media.

2. Detailed description:

After execution, the worm copies itself to the following location:
%SYSTEM%\drivers\Uninstall.exe

It also creates the following registry keys:

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}]

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}]

At regular intervals it tries to copy itself into the root of every drive from C:\ to P:\. On C:\ the copy is named „more.exe“; on the remaining drives (D:\ to P:\) it is named „Hay.exe“.

It sometimes also creates a „desktop.ini“ file in the root directory of the infected drive.

It also creates an „autorun.inf“ in the root of every infected drive so that, if the drive is removable media, Windows AutoRun executes the worm as soon as the media is plugged in.
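Since the page does not show the content of the worm's autorun.inf, the following added Python example (not the worm's file, and not code from the original page) constructs one of the usual shape and parses it to list every program AutoRun would launch. The keys it handles (open, shellexecute, shell\<verb>\command and the default-verb shell= entry) are the documented autorun.inf keys; the sample content and its wiring to Hay.exe are assumptions.

```python
"""Parse an autorun.inf and list every program Windows AutoRun would launch.
Added example, not the worm's own file: the page does not show the content of
Reploret's autorun.inf, so the sample below is constructed; the keys handled
(open, shellexecute, shell\\<verb>\\command and the default verb shell=) are
the documented autorun.inf keys."""
import re

# Constructed sample in the shape a worm-dropped autorun.inf usually takes;
# wiring it to Hay.exe is an assumption based on the file names above.
SAMPLE_AUTORUN = """\
[autorun]
open=Hay.exe
icon=Hay.exe,0
shellexecute=Hay.exe
shell\\open\\command=Hay.exe
shell\\explore\\command=Hay.exe
shell=open
label=USB Drive
"""

EXECUTABLE = re.compile(r"\.(exe|com|scr|pif|bat|cmd)\b", re.I)


def parse_autorun(text):
    """Key/value pairs of the [autorun] section, keys lower-cased.  Comment
    lines start with ';'; keys outside [autorun] are ignored."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_programs(text):
    """(trigger, command) pairs: 'open' and 'shellexecute' run when the media
    is inserted (AutoRun) or chosen in the AutoPlay dialog; shell\\<verb>\\command
    runs when the user picks that verb from the drive's context menu."""
    entries = parse_autorun(text)
    found = [(k, entries[k]) for k in ("open", "shellexecute") if k in entries]
    for key, value in entries.items():
        m = re.match(r"shell\\([^\\]+)\\command$", key)
        if m:
            found.append((f"shell\\{m.group(1)}", value))
    return found


def default_action(text):
    """Command run on a double-click of the drive in Explorer: the verb named
    by 'shell=' (default 'open'); falling back to the plain 'open=' line is a
    heuristic for files that set no verb command."""
    entries = parse_autorun(text)
    verb = entries.get("shell", "open").lower()
    return entries.get(f"shell\\{verb}\\command") or entries.get("open")


def launches_executable(text):
    """True when any trigger names an executable; on removable media there is
    rarely a legitimate reason for this, so the worm's file is the expected hit."""
    return any(EXECUTABLE.search(cmd) for _, cmd in launched_programs(text))


if __name__ == "__main__":
    for trigger, cmd in launched_programs(SAMPLE_AUTORUN):
        print(f"{trigger:16} -> {cmd}")
    print("double-click runs:", default_action(SAMPLE_AUTORUN))
```

Disabling AutoRun for all drive types (NoDriveTypeAutoRun = 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer) removes the trigger this worm relies on; the parser then only tells you what a found autorun.inf would have done, which is still useful when triaging a USB stick from an infected machine.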

3. Cleaning:

- Reboot the PC into safe mode.
- Erase the following files if they exist:
%SYSTEM%\drivers\Uninstall.exe
C:\more.exe
C:\autorun.inf
D:\Hay.exe
D:\autorun.inf
E:\Hay.exe
E:\autorun.inf
F:\Hay.exe
F:\autorun.inf
G:\Hay.exe
G:\autorun.inf
H:\Hay.exe
H:\autorun.inf
I:\Hay.exe
I:\autorun.inf
J:\Hay.exe
J:\autorun.inf
K:\Hay.exe
K:\autorun.inf
L:\Hay.exe
L:\autorun.inf
M:\Hay.exe
M:\autorun.inf
N:\Hay.exe
N:\autorun.inf
O:\Hay.exe
O:\autorun.inf
P:\Hay.exe
P:\autorun.inf


- Delete the following registry keys:
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}]

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}]

- Reboot the PC back into the normal mode.
- Update your antivirus and run a full scan.



