Worm Win32 Vediance a
1. Summary:
Vediance.a is a 57 kB worm that spreads using removable media.
Aliases:
Symantec: W32.Vediance
2. Detailed description:
After the first execution, the worm Vediance.a creates these files:
%SYSTEM%\notepad.exe
%SYSTEM%\taskmger.com
After successful infection, the Vediance.a worm creates a file to mark the infection:
%WINDOWS%\TEaM_DEViANCE.txt
Worm Vediance.a creates entries in the 'run' registry key to make sure it gets started with the system:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"userd" = "C:\WINDOWS\RECYCLER\systems.com"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Systry" = "C:\WINDOWS\system32\notepad.exe"
As a second way of ensuring its execution at startup, it also sets the 'Shell' value in the 'Winlogon' registry key:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe taskmger.com"
Worm Vediance.a modifies the following registry entries:
[HKAU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskmgr" = "1"
[HKAU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableRegistryTools" = "1"
This disables the Registry Editor (regedit.exe) and Task Manager (taskmgr.exe).
It also deletes all .mp3 files found on the PC.
3. Infection by removable media:
Worm Vediance.a searches for attached removable media and creates the following files in the root directory of each:
%DRIVE%\MyPictures.exe
%DRIVE%\systems.com
It also tries to copy itself into the 'RECYCLER' folder on the removable media under the name:
%DRIVE%\RECYCLER\systems.com
%DRIVE% is the drive letter (for example A:\) of the removable disk(s).
It also creates an autorun file so that it is executed again when the device is reattached:
%DRIVE%\autorun.inf
5. Cleaning:
- Reboot the computer into Safe Mode.
- Remove the following files from the local hard drive:
%SYSTEM%\notepad.exe
%SYSTEM%\taskmger.com
%WINDOWS%\TEaM_DEViANCE.txt
- Remove the following files from the removable media:
%DRIVE%\autorun.inf
%DRIVE%\MyPictures.exe
%DRIVE%\systems.com
%DRIVE%\RECYCLER\systems.com
- Delete these registry entries:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"userd" = "C:\WINDOWS\RECYCLER\systems.com"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Systry" = "C:\WINDOWS\system32\notepad.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe taskmger.com"
- Change the value of the 'DisableTaskmgr' entry from '1' to '0':
[HKAU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskmgr" = "1"
- Do the same for the 'DisableRegistryTools' value in:
[HKAU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableRegistryTools" = "1"
- Reboot the computer back into normal mode.
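An added PowerShell helper (not from the original post) that audits the Vediance.a indicators listed in the cleaning steps and, with -Remediate, removes the 'Run' values, restores the Winlogon 'Shell' value and re-enables Task Manager and regedit. It assumes the post's 'HKAU' hive means HKEY_CURRENT_USER (HKCU) and that %SYSTEM% is %SystemRoot%\system32; because a legitimate notepad.exe also lives in system32, that file is only flagged by its size (the post gives 57 kB), never deleted. Function and variable names are my own.

```powershell
# Added example, not the post's own code. Run from an elevated PowerShell.
function Invoke-VedianceCheck {
    param([switch]$Remediate)
    $sys  = Join-Path $env:SystemRoot 'system32'   # assumed %SYSTEM%
    $run  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $wl   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $pol  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'  # 'HKAU' read as HKCU
    $hits = @()

    # Dropped files that can be removed safely.
    foreach ($f in "$sys\taskmger.com", "$env:SystemRoot\TEaM_DEViANCE.txt") {
        if (Test-Path $f) { $hits += "file: $f"; if ($Remediate) { Remove-Item $f -Force } }
    }
    # notepad.exe is flagged by size only (a real copy lives here); restore it with sfc.
    $np = Join-Path $sys 'notepad.exe'
    if ((Test-Path $np) -and (Get-Item $np).Length -lt 60KB) { $hits += "suspect notepad.exe: $np" }

    # 'Run' values the worm adds.
    foreach ($v in 'userd', 'Systry') {
        $p = Get-ItemProperty -Path $run -Name $v -ErrorAction SilentlyContinue
        if ($p) { $hits += "run value $v = $($p.$v)"; if ($Remediate) { Remove-ItemProperty -Path $run -Name $v } }
    }

    # Winlogon Shell hijack: the stock value is exactly 'Explorer.exe'.
    $shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'Explorer.exe') {
        $hits += "Winlogon Shell = $shell"
        if ($Remediate) { Set-ItemProperty -Path $wl -Name Shell -Value 'Explorer.exe' }
    }

    # Policy values that disable Task Manager and regedit.
    foreach ($v in 'DisableTaskmgr', 'DisableRegistryTools') {
        $p = Get-ItemProperty -Path $pol -Name $v -ErrorAction SilentlyContinue
        if ($p -and $p.$v -eq 1) {
            $hits += "policy $v = 1"
            if ($Remediate) { Set-ItemProperty -Path $pol -Name $v -Value 0 -Type DWord }
        }
    }
    return $hits
}
Invoke-VedianceCheck   # add -Remediate to apply the fixes
```

Removable media are not covered; check each drive root for autorun.inf, MyPictures.exe, systems.com and RECYCLER\systems.com by hand as the steps above describe.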
0 writebacks [10/16/2007 04:52]
Worm Win32 Wallon - a
1. Summary:
Wallon.a is a worm of variable size, from 36 kB to 150 kB. It spreads by mass mailing: the emails contain a URL pointing to an infected file on the Internet. The worm also includes its own SMTP engine.
Aliases:
BitDefender: Win32.Wallon.A@mm
Frisk: VBS/Sinkin.E
Kaspersky: I-Worm.Wallon.a
McAfee: W32/Wallon!html
RAV: VBS/Wallon.A
Symantec: JS.Fortnight.D
2. Detailed description:
After the user clicks the URL in the infected email, the worm exploits a known vulnerability in Microsoft Internet Explorer (MS04-004) and downloads the file:
wmplayer.exe
This file is stored in the root of the C:\ drive under the name:
C:\Alpha.exe
Next, it moves the file to the original location of Windows Media Player.
This way, every time Windows Media Player ('wmplayer.exe') is used to open a media file, the Wallon.a worm creates another copy of itself.
Wallon.a creates the 'Wh' entry in the registry:
[HKCU\SOFTWARE\Microsoft\Internet Explorer\Main]
"Wh"="Yes"
This serves the sole purpose of marking the infected computer.
Every time the Wallon.a worm is executed it tries to create the following registry keys:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{FE5A1910-F121-11d2-BE9E-01C04A7936B1}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{FE5A1910-F121-11d2-BE9E-01C04A7936B2}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{FE5A1910-F121-11d2-BE9E-01C04A7936B3}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{FE5A1910-F121-11d2-BE9E-01C04A7936B4}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{FE5A1910-F121-11d2-BE9E-01C04A7936B5}]
By doing this, the Wallon.a worm adds five new buttons to Microsoft Internet Explorer. All of them open the following website when clicked:
http://www.google.com.super-fast-search.apsua.com.
Worm Wallon.a also modifies the 'Start Page' and 'Search Page' entries in the registry:
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.google.com.super-fast-search.apsua.com/fast-find.htm"
"Search Page" = "http://www.google.com.super-fast-search.apsua.com/search.htm"
This way, every time Internet Explorer starts it loads the website:
http://www.google.com.super-fast-search.apsua.com/fast-find.htm
and all searches the user makes go to:
http://www.google.com.super-fast-search.apsua.com/search.htm
3. Spreading by email messages
As mentioned above, the Wallon.a worm has its own SMTP engine, so every infected computer can be used as a spam server.
Email addresses are collected from the Windows Address Book (WAB), but any address containing one of these strings is skipped:
admin
microsoft
ostmaster
software
support
webmaster
The sender's address is taken from the registry:
[HKCU\Software\Microsoft\Internet Account Manager\Accounts]
The infected email looks like this:
Subject: RE:
Body of the email: the body contains a hidden URL of the form
'http://drs.yahoo.com/[RECIPIENT DOMAIN]/NEWS'
'RECIPIENT DOMAIN' is replaced by the recipient's domain.
Example: if the target address of the infected email is 'nick@mywebsite.com', the address in the body of the email will look like:
http://drs.yahoo.com/mywebsite/NEWS
The worm also sends all gathered email addresses to the following address (probably the author of Wallon.a):
1@600pics.cjb.net
5. Cleaning:
- Reboot the PC into Safe Mode.
- Delete the C:\Alpha.exe file.
- Reinstall Windows Media Player ('wmplayer.exe') from the Windows installation CD.
- Delete the following registry keys:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{FE5A1910-F121-11d2-BE9E-01C04A7936B1}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{FE5A1910-F121-11d2-BE9E-01C04A7936B2}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{FE5A1910-F121-11d2-BE9E-01C04A7936B3}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{FE5A1910-F121-11d2-BE9E-01C04A7936B4}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{FE5A1910-F121-11d2-BE9E-01C04A7936B5}]
- Delete the 'Wh' entry from the registry:
[HKCU\SOFTWARE\Microsoft\Internet Explorer\Main]
"Wh"="Yes"
- Change the 'Start Page' entry to the value 'about:blank':
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.google.com.super-fast-search.apsua.com/fast-find.htm"
- Change the 'Search Page' entry to 'http://www.google.com':
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Search Page" = "http://www.google.com.super-fast-search.apsua.com/search.htm"
- Reboot the computer back into normal mode.
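An added PowerShell helper (not from the original post) that checks for the Wallon.a artifacts described above: C:\Alpha.exe, the five Extensions keys, the 'Wh' marker and 'Start Page'/'Search Page' values pointing at super-fast-search.apsua.com. With -Remediate it removes the keys and resets the pages to the values given in the cleaning steps; reinstalling Windows Media Player still has to be done by hand. Function and variable names are my own.

```powershell
# Added example, not the post's own code. Run from an elevated PowerShell.
function Invoke-WallonCheck {
    param([switch]$Remediate)
    $main      = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $ext       = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions'
    $badDomain = 'super-fast-search.apsua.com'
    $hits      = @()

    # Downloaded copy dropped in the root of C:\.
    if (Test-Path 'C:\Alpha.exe') {
        $hits += 'file: C:\Alpha.exe'
        if ($Remediate) { Remove-Item 'C:\Alpha.exe' -Force }
    }

    # The five toolbar-button keys; their CLSIDs differ only in the last digit (1..5).
    foreach ($n in 1..5) {
        $key = "$ext\{FE5A1910-F121-11d2-BE9E-01C04A7936B$n}"
        if (Test-Path $key) {
            $hits += "extension key: $key"
            if ($Remediate) { Remove-Item $key -Recurse -Force }
        }
    }

    # Infection marker.
    $wh = (Get-ItemProperty -Path $main -Name Wh -ErrorAction SilentlyContinue).Wh
    if ($wh) { $hits += "marker Wh = $wh"; if ($Remediate) { Remove-ItemProperty -Path $main -Name Wh } }

    # Hijacked start/search pages, reset to the values the cleaning steps give.
    $reset = @{ 'Start Page' = 'about:blank'; 'Search Page' = 'http://www.google.com' }
    foreach ($name in $reset.Keys) {
        $val = (Get-ItemProperty -Path $main -Name $name -ErrorAction SilentlyContinue).$name
        if ($val -and $val -like "*$badDomain*") {
            $hits += "$name = $val"
            if ($Remediate) { Set-ItemProperty -Path $main -Name $name -Value $reset[$name] }
        }
    }
    return $hits
}
Invoke-WallonCheck   # add -Remediate to apply the fixes
```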
0 writebacks [10/16/2007 04:48]