mwblog.org


Trojan Win32 Infostealer Gampass



1. Summary:

Infostealer.Gampass is a trojan horse with a variable body length. Its purpose is to steal the passwords of gaming accounts for a number of online games. It records all keystrokes and sends the data to the attacker.

Aliases:
Computer Associates: Lineage.YI
Symantec: Bloodhound.KillAV

2. Detailed description:

Infostealer is a term that stands for all dangerous applications and trojan horses that steal passwords of online gaming accounts, e.g. Lineage, Rohan or Ragnarok.

After the first execution, the trojan horse Infostealer.Gampass copies itself into the %WINDOWS% directory under a randomly generated filename.
Trojan Infostealer.Gampass can also create DLL libraries in the %SYSTEM% directory, again using random strings as filenames.

To ensure its execution after each restart, Infostealer.Gampass adds the full path to its binary into the run registry key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

If it detects any of the following programs running, it terminates them immediately:

adam.exe
eghost.exe
iparmor.exe
kavpfw.exe
mailmon.exe
RavMon.exe
Ravmond.exe

3. Cleaning:

- As in this case we deal with a highly variable infection, I recommend using standard antivirus software to remove this infiltration.

DO NOT TRY TO REMOVE THIS TROJAN HORSE BY HAND!!!

0 writebacks [10/29/2007 02:46]



Worm Win32 Ogleon a



1. Summary:

Ogleon.a is a 282 kB long worm, spreading through removable media. It also creates and runs the Infostealer.Gampass trojan horse.

Aliases:
Symantec: W32.Ogleon.A

2. Detailed description:

After the first run, the Ogleon.a worm creates the following files in the current directory (the directory where the binary resides):

npptools.dll
Packet.dll
WanPacket.dll

and creates a .sys file (driver) in the Windows system directory:

%SYSTEM%\drivers\npf.sys

The Ogleon.a worm also creates a number of other files in the Windows system directory:

%SYSTEM%\ctfnom.exe
%SYSTEM%\dh2103.dll
%SYSTEM%\dllhost32.exe
%SYSTEM%\ebspi.dll
%SYSTEM%\mh104.dll
%SYSTEM%\mosou.dll
%SYSTEM%\mosou.exe
%SYSTEM%\MsAudio.sys
%SYSTEM%\nwizdh.exe
%SYSTEM%\nwizfy.dll
%SYSTEM%\nwizfy.exe
%SYSTEM%\nwizhx2.dll
%SYSTEM%\nwizhx2.exe
%SYSTEM%\nwizqjsj.exe
%SYSTEM%\nwiztlbb.dll
%SYSTEM%\nwiztlbu.exe
%SYSTEM%\nwizwlwzs.dll
%SYSTEM%\nwizwlwzs.exe
%SYSTEM%\nwizwmgjs.dll
%SYSTEM%\nwizwmgjs.exe
%SYSTEM%\nwizzhuxians.dll
%SYSTEM%\nwizzhuxians.exe
%SYSTEM%\Ravasktao.dll
%SYSTEM%\Ravasktao.exe
%SYSTEM%\ztinetzt.dll
%SYSTEM%\ztinetzt.exe
%SYSTEM%\drivers\usbine.sys

All of these files contain the body of the trojan horse Infostealer.Gampass.

Worm Ogleon.a creates the following entries in the run registry keys (not only under HKLM), a standard way of getting executed at each system startup:

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"twin" = "%SYSTEM%\ctfnom.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Autorun1" = "%SYSTEM%\nwizdh.exe"
"Microsoft Autorun3" = "%SYSTEM%\nwizhx2.exe"
"Microsoft Autorun4" = "%SYSTEM%\dllhost32.exe"
"Microsoft Autorun5" = "%SYSTEM%\mosou.exe"
"Microsoft Autorun7" = "%SYSTEM%\nwiztlbu.exe"
"Microsoft Autorun9" = "%SYSTEM%\Ravasktao.exe"
"Microsoft Autorun10" = "%SYSTEM%\nwizwmgjs.exe"
"Microsoft Autorun11" = "%SYSTEM%\nwizwlwzs.exe"
"Microsoft Autorun12" = "%SYSTEM%\nwizzhuxians.exe"
"Microsoft Autorun14" = "%SYSTEM%\ztinetzt.exe"
"Microsoft Autorun20" = "%SYSTEM%\nwizfy.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svc" = "%CURRENTFOLDER%\Googleon.exe"

Afterwards the worm Ogleon.a deletes the registry entry:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = ""

Ogleon.a searches the local drives for files with the following extensions:

*.asp
*.aspx
*.htm
*.html
*.jsp
*.php

and writes text after the opening tag.
The worm may try to connect to the website yz1.micyosoft.net.

Worm Ogleon.a also creates a memory mutex named:
bat326exe

If it fails to create the mutex (meaning another instance of the worm is already running), it terminates immediately. This way it makes sure only one instance of the worm is in memory at a time.

3. Infection by removable media:

Worm Ogleon.a copies itself to the root (/) directory of all removable media attached to the computer under the name:

wsnctfy.exe

It also creates an autorun.inf file in the root directory to make the media run the worm after it gets mounted.

4. Cleaning:

- Reboot the PC into the safe mode.
- Delete the following files:
%SYSTEM%\ctfnom.exe
%SYSTEM%\dh2103.dll
%SYSTEM%\dllhost32.exe
%SYSTEM%\drivers\npf.sys
%SYSTEM%\ebspi.dll
%SYSTEM%\mh104.dll
%SYSTEM%\mosou.dll
%SYSTEM%\mosou.exe
%SYSTEM%\MsAudio.sys
%SYSTEM%\nwizdh.exe
%SYSTEM%\nwizfy.dll
%SYSTEM%\nwizfy.exe
%SYSTEM%\nwizhx2.dll
%SYSTEM%\nwizhx2.exe
%SYSTEM%\nwizqjsj.exe
%SYSTEM%\nwiztlbb.dll
%SYSTEM%\nwiztlbu.exe
%SYSTEM%\nwizwlwzs.dll
%SYSTEM%\nwizwlwzs.exe
%SYSTEM%\nwizwmgjs.dll
%SYSTEM%\nwizwmgjs.exe
%SYSTEM%\nwizzhuxians.dll
%SYSTEM%\nwizzhuxians.exe
%SYSTEM%\Ravasktao.dll
%SYSTEM%\Ravasktao.exe
%SYSTEM%\ztinetzt.dll
%SYSTEM%\ztinetzt.exe
%SYSTEM%\drivers\usbine.sys

- Find and delete these files:

npptools.dll
Packet.dll
WanPacket.dll

- Delete the entry twin from the registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"twin" = "%SYSTEM%\ctfnom.exe"

- Delete the svc entry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svc" = "%CURRENTFOLDER%\Googleon.exe"

- Delete the entries Microsoft Autorun1 to Microsoft Autorun20 residing in this key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Autorun1" = "%SYSTEM%\nwizdh.exe"
"Microsoft Autorun3" = "%SYSTEM%\nwizhx2.exe"
"Microsoft Autorun4" = "%SYSTEM%\dllhost32.exe"
"Microsoft Autorun5" = "%SYSTEM%\mosou.exe"
"Microsoft Autorun7" = "%SYSTEM%\nwiztlbu.exe"
"Microsoft Autorun9" = "%SYSTEM%\Ravasktao.exe"
"Microsoft Autorun10" = "%SYSTEM%\nwizwmgjs.exe"
"Microsoft Autorun11" = "%SYSTEM%\nwizwlwzs.exe"
"Microsoft Autorun12" = "%SYSTEM%\nwizzhuxians.exe"
"Microsoft Autorun14" = "%SYSTEM%\ztinetzt.exe"
"Microsoft Autorun20" = "%SYSTEM%\nwizfy.exe"

- Reboot the PC back into the normal mode

0 writebacks [10/28/2007 02:37]



Trojan Win32 Flogash a



1. Summary:

Flogash.a is a trojan horse sized from 384 kB to 1,45 MB. It steals sensitive data such as keystrokes and sends them back to the attacker.

Aliases:
Symantec: Trojan.Flogash

2. Detailed description:

After the first run, the trojan Flogash.a creates four files in the Windows system directory:

%SYSTEM%\div52x
%SYSTEM%\div52x.exe
%SYSTEM%\nvfw96
%SYSTEM%\nvfw96.exe

Trojan Flogash.a may also create executable Macromedia Flash files in the %TEMP% directory.

Next, the Trojan creates the following registry entries so that it gets executed whenever Windows starts:

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1871276A-3AE9-E43D-0400-000505000107}]
"StubPath"="%System%\div52x.exe"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{076200C7-8302-FDAA-0404-070602000300}]
"StubPath"="%System%\nvfw96.exe"

Trojan Flogash.a injects itself into the running instance of Windows Explorer (note: this is the Explorer shell process, not Microsoft Internet Explorer, and it always runs in the background), grabs all user keystrokes and stores them in the Windows system directory:

%SYSTEM%\div52x
%SYSTEM%\nvfw96

The information about infected computers as well as all the gathered data (including passwords, e-banking information etc.) are sent by Flogash.a back to the attacker over a TCP socket on port 82 or 6112 to the hosts:

dasmurmeltier.ath.cx
sucka.mine.nu

These are dynamic DNS hosts, so the attacker can change the DNS record and thereby the target IP address at any time.

3. Cleaning:

- Reboot the PC into the safe mode.
- Delete the files:
%SYSTEM%\div52x
%SYSTEM%\div52x.exe
%SYSTEM%\nvfw96
%SYSTEM%\nvfw96.exe

- Delete the whole key '{1871276A-3AE9-E43D-0400-000505000107}' from this registry key:

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1871276A-3AE9-E43D-0400-000505000107}]
"StubPath"="%System%\div52x.exe"

- The same goes for '{076200C7-8302-FDAA-0404-070602000300}' from the key:

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{076200C7-8302-FDAA-0404-070602000300}]
"StubPath"="%System%\nvfw96.exe"

- Reboot back into the normal mode

0 writebacks [10/24/2007 02:11]



Worm Win32 Svich a



1. Summary:

Svich.a is a 244 kB long worm spreading through Yahoo! Instant Messenger and removable media. It is capable of downloading other possibly dangerous applications from the Internet. It also lowers the level of security of the infected PC.

Aliases:

Symantec: W32.Svich

2. Detailed description:

After the first execution, the Svich.a worm creates a couple of files in the system directory and the Windows directory:
%SYSTEM%\autorun.ini
%SYSTEM%\ssichosst.exe

%WINDIR%\ssichosst.exe
%WINDIR%\Tasks\At1.job

The 'ssichosst.exe' file contains the body of the worm. The 'At1.job' file is a new task in the Windows Task Scheduler. This task gets executed at 9 AM each day and ensures the worm is re-executed.

Worm Svich.a searches the local drives and copies its body into each directory it finds. The filename gets generated according to the content of the directory, mainly its subdirectories.

Example:
In the C:\Downloads directory resides a subdirectory named:
C:\Downloads\WhitePages\

Worm Svich.a creates a file in the 'Downloads' directory named:

C:\Downloads\WhitePages.exe
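The naming rule above can be turned into a filesystem check: an executable whose base name equals the name of a sibling directory is the Svich.a pattern. The following Python script is an added example (not code from the original post or from any AV product); it builds a constructed throwaway directory tree reproducing the C:\Downloads\WhitePages case and scans it.

```python
"""Detect the directory-mimicking copies that Svich.a drops (for every
subdirectory <dir>\\<name>\\ it writes <dir>\\<name>.exe).  Added example for
this page; not code from the original post or from any AV vendor."""
import os
import tempfile
from pathlib import Path

# Extensions a directory-mimicking dropper might use.  The post only
# mentions .exe; the other three are an assumption added for coverage.
SUSPECT_EXTS = {".exe", ".com", ".pif", ".scr"}


def find_dir_mimics(root):
    """Walk root and return sorted (executable_path, mimicked_dir_path) pairs
    for every executable whose base name equals a sibling directory name."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Map lower-cased directory names to their real names: Windows file
        # systems are case-insensitive, so the comparison must be too.
        siblings = {d.lower(): d for d in dirnames}
        for fname in filenames:
            stem, ext = os.path.splitext(fname)
            if ext.lower() in SUSPECT_EXTS and stem.lower() in siblings:
                hits.append((os.path.join(dirpath, fname),
                             os.path.join(dirpath, siblings[stem.lower()])))
    return sorted(hits)


def build_sample_tree():
    """Construct a throwaway tree reproducing the C:\\Downloads\\WhitePages
    example from the post, plus benign files that must not be flagged."""
    root = tempfile.mkdtemp(prefix="svich_demo_")
    Path(root, "Downloads", "WhitePages").mkdir(parents=True)
    Path(root, "Downloads", "WhitePages.exe").write_bytes(b"MZ")   # constructed worm copy
    Path(root, "Downloads", "notes.txt").write_text("harmless")
    Path(root, "Music", "Albums").mkdir(parents=True)
    Path(root, "Music", "player.exe").write_bytes(b"MZ")            # no matching directory
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for exe, mimicked in find_dir_mimics(demo_root):
        print(f"suspicious: {exe} mimics directory {mimicked}")
```

Run it against the root of a suspect drive or removable medium instead of the demo tree to list every candidate before deleting anything.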

It also creates "standard" registry run keys:

[HKAU\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger" = "C:\WINDOWS\system32\ssvichosst.exe"

and makes sure it gets run by adding another entry into the Winlogon key:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe ssvichosst.exe"

Worm Svich.a modifies the following registry entries:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NofolderOptions" = "1"

[HKAU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

[HKAU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

This protects the worm by disabling directory properties, registry editor and task manager.

Worm Svich.a downloads its configuration file from the Internet from one of the following URLs:

nhatquanglan3.t35.com/setting.ini
nhatquanglan4.t35.com/setting.ini

This file gets stored in the system directory:
%SYSTEM%\setting.ini

The file can hold a list of URLs (not more than 3) that the worm tries to contact in order to obtain additional, probably dangerous code. This process gets repeated on a daily basis. If it succeeds, it stores the files in the system directory:
%SYSTEM%\check01.exe
%SYSTEM%\check02.exe
%SYSTEM%\check03.exe

If Svich.a finds that a process named 'game_y.exe' is running, the worm terminates it immediately.

3. Infection by removable media:

Svich.a copies itself into the root (/) directory of all removable media connected to the computer under one of the names:

New Folder.exe
ssvichosst.exe

To make sure it will run as soon as the media gets connected, it creates an autorun.inf file.

4. Spreading by Instant Messengers:

As mentioned earlier, the Svich.a worm spreads mainly using the Yahoo! Instant Messenger client.

It does this by using the client's contact list and sending a text containing a URL. This URL is responsible for installing the worm after it gets loaded by the user's browser.

The text that gets sent along with the url is in Vietnamese and can be one of the following:

Biet tin gi chua, vao day coi di [url removed for security reasons]

E may, vao day coi co con nho nay ngon lam [url removed for security reasons]

Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa... [url removed for security reasons]

Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo... [url removed for security reasons]

Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon... [url removed for security reasons]

Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi... [url removed for security reasons]

Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau? [url removed for security reasons]

Trang Web nay coi cung hay, vao coi thu di [url removed for security reasons]

Vao day nghe bai nay di ban [url removed for security reasons]

The attached url gets changed according to the stored configuration file mentioned in the previous sections.

5. Cleaning:

- Reboot the PC into the safe mode.
- Delete the files:
%SYSTEM%\autorun.ini
%SYSTEM%\check01.exe
%SYSTEM%\check02.exe
%SYSTEM%\check03.exe
%SYSTEM%\setting.ini
%SYSTEM%\ssichosst.exe
%SYSTEM%\ssvichosst.exe
%WINDIR%\ssichosst.exe
%WINDIR%\Tasks\At1.job

- Delete these files from the root of all removable media:

autorun.inf
New Folder.exe
ssvichosst.exe

- Delete the 'Yahoo Messengger' entry from the registry:

[HKAU\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger" = "C:\WINDOWS\system32\ssvichosst.exe"

- Delete the 'Shell' entry from the registry key:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe ssvichosst.exe"

- Modify the entry 'NofolderOptions' from value '1' to '0':

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NofolderOptions" = "1"

- Modify the 'DisableTaskMgr' entry from value '1' to '0':

[HKAU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

- Modify the entry 'DisableRegistryTools' from value '1' to '0':

[HKAU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

- Reboot the computer back into the normal mode.

0 writebacks [10/23/2007 09:27]



Worm Win32 Pifio a



1. Summary:

Pifio.a is a 19 kB long worm. It spreads using removable media.
It may download other possibly harmful applications from the Internet. It terminates running security related processes such as firewalls and antivirus programs.

Aliases:
Symantec: W32.Pifio

2. Detailed description:

At the time of its first execution, Pifio.a creates two files (one in the Common Files directory, one in the system directory):
%COMMONPROGRAMFILES%\Services\svchost.exe
%SYSTEM%\DirectX9.dll

%COMMONPROGRAMFILES% stands for the 'Common Files' directory under Program Files. The location of the directory can vary, but usually it can be found in C:\Program Files\Common Files.

Worm Pifio.a creates entries in the 'run' keys so that it is executed at system boot:

[HKLM\Software\Microsoft\Active Setup\Installed Components\{2bf41073-b2b1-21c1-b5c1-0701f4155588}]
"StubPath" = "C:\Program Files\Common Files\Services\svchost.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Default" = "C:\Program Files\Common Files\Services\svchost.exe"

Worm Pifio.a terminates the following security related applications:
Norton Antivirus Auto Protect Service
mcshield
System Restore Service
Windows Firewall/Internet Connection Sharing (ICS)

It also checks the owners of running processes and terminates any of them whose owner application is one of the following:
360safe.exe
360tray.exe
eghost.exe
iparmor.exe
kavpfw.exe
mailmon.exe
msconfig.exe
regedit.exe
RogueCleaner.exe
taskgmr.exe
TForm1
Windows Security Center
WoptiClean.exe

Worm Pifio.a is capable of downloading other code from the Internet, which also lets it update itself. It tries to connect to the following domain name:
591down.com

3. Infection by removable media:

Worm Pifio.a copies itself into the root (/) directory of all the attached removable media under the name:
IO.pif

It also creates an autorun.inf file to run the IO.pif file after the media gets attached the next time.

4. Cleaning:
- Reboot the PC into the safe mode.
- Delete the following files from the local drives:
%COMMONPROGRAMFILES%\Services\svchost.exe
%SYSTEM%\DirectX9.dll

- Delete the following files from the root of all attached removable media:
autorun.inf
io.pif

- Delete the entry 'StubPath' from the registry key:
[HKLM\Software\Microsoft\Active Setup\Installed Components\{2bf41073-b2b1-21c1-b5c1-0701f4155588}]
"StubPath" = "C:\Program Files\Common Files\Services\svchost.exe"

- Delete the 'Default' entry from the keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Default" = "C:\Program Files\Common Files\Services\svchost.exe"

- Reboot the PC back into the normal mode.

0 writebacks [10/17/2007 00:42]



Worm Win32 Vediance a



1. Summary:

Vediance.a is a 57 kB long worm that spreads using removable media.

Aliases:
Symantec: W32.Vediance

2. Detailed description:

After the first execution, the worm Vediance.a creates these files:

%SYSTEM%\notepad.exe
%SYSTEM%\taskmger.com

After successful infection, the Vediance.a worm creates a file to mark the infection:
%WINDOWS%\TEaM_DEViANCE.txt

Worm Vediance.a creates entries in the 'run' registry key to make sure it gets started with the system:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"userd" = "C:\WINDOWS\RECYCLER\systems.com"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Systry" = "C:\WINDOWS\system32\notepad.exe"

To double check its execution at startup, it also creates an entry in the 'Winlogon' registry key:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe taskmger.com"

Worm Vediance.a modifies the following registry entries:
[HKAU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskmgr" = "1"

[HKAU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableRegistryTools" = "1"

This disables the use of the registry editor (regedit.exe) and Task Manager (taskmgr.exe).
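The Winlogon 'Shell' hijack and the DisableTaskMgr/DisableRegistryTools policies described for Svich.a and again here for Vediance.a, together with the numbered 'Microsoft Autorun' Run values of Ogleon.a and the svchost.exe placed outside system32 by Pifio.a, can all be checked from a registry export. The Python script below is an added example, not code from this blog or from any vendor; it parses .reg text (as written by regedit or reg export) and runs those checks on a constructed sample export embedded inline.

```python
"""Scan a registry export (.reg text) for the persistence and lockdown
indicators described in the Svich.a, Vediance.a, Ogleon.a and Pifio.a
write-ups: a hijacked Winlogon 'Shell', Task Manager / regedit / folder
options lockdown policies, the numbered 'Microsoft Autorun' Run values
and a Run value pointing at an svchost.exe outside system32.
Added example for this page, not code from the blog or any AV vendor.
The export below is constructed for the demo, not captured from a system."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe taskmger.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Autorun4"="C:\\WINDOWS\\system32\\dllhost32.exe"
"Default"="C:\\Program Files\\Common Files\\Services\\svchost.exe"
"VMware Tools"="C:\\Program Files\\VMware\\vmtoolsd.exe"
'''

# "name"=data  or  @=data (the key's default value); names may contain escaped quotes
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
LOCKDOWN = {"disabletaskmgr", "disableregistrytools", "nofolderoptions"}


def parse_reg(text):
    """Return {key_path: {value_name: data}}.  REG_SZ strings are unescaped,
    dword values become int, other value types are kept as their raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "@" if m.group(1) is None else re.sub(r"\\(.)", r"\1", m.group(1))
            raw = m.group(2)
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo \\ and \" escaping
            elif raw.lower().startswith("dword:"):
                data = int(raw[6:], 16)
            else:
                data = raw
            keys[current][name] = data
    return keys


def find_indicators(keys):
    """Apply the page's indicators and return a sorted list of findings."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        for name, data in values.items():
            n, text = name.lower(), str(data).lower()
            if k.endswith("\\winlogon") and n == "shell" and text != "explorer.exe":
                findings.append(f"Winlogon Shell hijacked: {data!r}")
            if "\\policies\\" in k and n in LOCKDOWN and text == "1":
                findings.append(f"lockdown policy set: {name}=1")
            if k.endswith("\\run") and n.startswith("microsoft autorun"):
                findings.append(f"Ogleon-style Run value: {name} -> {data}")
            if k.endswith("\\run") and text.endswith("svchost.exe") and "\\system32\\" not in text:
                findings.append(f"svchost.exe outside system32: {data}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

To check a real machine, export the Winlogon, Policies and Run keys with reg export, read the file (it is UTF-16 by default) and pass the text to parse_reg.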

It erases all mp3 files found on the PC.

3. Infection by removable media:

Worm Vediance.a searches for attached removable media and creates the following files in their respective root directories:

%DRIVE%\MyPictures.exe
%DRIVE%\systems.com

It also tries to copy itself into the 'Recycler' folder on the removable media under the name:
%DRIVE%\RECYCLER\systems.com

%DRIVE% is the drive ID (for example A:\) of the removable disk(s).

It also creates an autorun file to execute itself after reattaching the device.
%DRIVE%\autorun.inf

4. Cleaning:
- Reboot the computer into the safe mode.
- Remove the following files from the local hard drives:
%SYSTEM%\notepad.exe
%SYSTEM%\taskmger.com
%WINDOWS%\TEaM_DEViANCE.txt

- Remove the following files from the removable media:
%DRIVE%\autorun.inf
%DRIVE%\MyPictures.exe
%DRIVE%\systems.com
%DRIVE%\RECYCLER\systems.com

- Delete these registry entries:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"userd" = "C:\WINDOWS\RECYCLER\systems.com"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Systry" = "C:\WINDOWS\system32\notepad.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe taskmger.com"

- Modify the value of the entry 'DisableTaskmgr' from '1' to '0':
[HKAU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskmgr" = "1"

- And the same goes for the 'DisableRegistryTools' value in:
[HKAU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableRegistryTools" = "1"

- Reboot the computer back into the normal mode

0 writebacks [10/16/2007 04:52]



Worm Win32 Wallon - a



1. Summary:

Wallon.a is a worm with variable size, beginning from 36 kB up to 150 kB. It spreads using mass email spamming. The emails contain a URL link pointing at an infected file on the Internet. The worm also includes its own SMTP engine.

Aliases:
BitDefender: Win32.Wallon.A@mm
Frisk: VBS/Sinkin.E
Kaspersky: I-Worm.Wallon.a
McAfee: W32/Wallon!html
RAV: VBS/Wallon.A
Symantec: JS.Fortnight.D

2. Detailed description:

After clicking on the URL link in the infected email, the worm exploits a known vulnerability in Microsoft Internet Explorer, marked as MS04-004, and downloads the file:
wmplayer.exe

This file gets stored in the root of the C:\ drive under the name:

C:\Alpha.exe

Next, it moves the file to the original location of Windows Media Player.
This way, every time Windows Media Player ('wmplayer.exe') is used to run any media file, the worm Wallon.a creates yet another copy of itself.

Wallon.a creates the 'Wh' entry in the registry:
[HKCU\SOFTWARE\Microsoft\Internet Explorer\Main]
"Wh"="Yes"

This serves the sole purpose of marking the infected computer.

Every time the Wallon.a worm gets executed, it tries to create the following registry entries:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B1}]

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B2}]

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B3}]

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B4}]

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B5}]

By doing this, the Wallon.a worm adds 5 new buttons to Microsoft Internet Explorer. All of these buttons open the following website when clicked:
http://www.google.com.super-fast-search.apsua.com

Worm Wallon.a also modifies the 'Start Page' and 'Search Page' entries in the registry:
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.google.com.super-fast-search.apsua.com/fast-find.htm"
"Search Page" = "http://www.google.com.super-fast-search.apsua.com/search.htm"

This way, every time Internet Explorer gets executed it loads the website:
http://www.google.com.super-fast-search.apsua.com/fast-find.htm

and all the searches the user tries to make go to:
http://www.google.com.super-fast-search.apsua.com/search.htm

3. Spreading by email messages

As mentioned before, the Wallon.a worm has its own SMTP engine, so every infected computer can be used as a spam server.

Email addresses get collected from the 'Windows Address Book' (WAB), but the worm makes sure not to include any address containing one of these strings:
admin
microsoft
ostmaster
software
support
webmaster

The sender's address is taken from the registry:
[HKCU\Software\Microsoft\Internet Account Manager\Accounts]

The infected email looks like:
Subject: RE:

Body of the email: The body contains a hidden URL of the form 'http://drs.yahoo.com/[RECIPIENT DOMAIN]/NEWS'.
The 'RECIPIENT DOMAIN' placeholder gets replaced by the recipient's domain.
Example: Let's say the target address of the infected email is 'nick@mywebsite.com'; then the address in the body of the email will look like:
http://drs.yahoo.com/mywebsite/NEWS

The worm also sends all gathered email addresses to the following email address (probably the author of Wallon.a):
1@600pics.cjb.net

4. Cleaning:
- Reboot the PC into the safe mode.
- Delete the C:\Alpha.exe file

- Reinstall the Windows Media Player ('wmplayer.exe') from the Windows installation CD.
- Delete following registry keys:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B1}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B2}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B3}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B4}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FE5A1910-F121-11d2-BE9E-01C04A7936B5}]

- Delete the 'Wh' entry from the registry:
[HKCU\SOFTWARE\Microsoft\Internet Explorer\Main]
"Wh"="Yes"

- Modify the 'Start Page' entry to the 'about:blank' value:
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.google.com.super-fast-search.apsua.com/fast-find.htm"

- Change the 'Search Page' entry to 'http://www.google.com':
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Search Page" = "http://www.google.com.super-fast-search.apsua.com/search.htm"

- Reboot the computer back into the normal mode.

0 writebacks [10/16/2007 04:48]


