Vollständige Virenbeschreibung

Nume:	Worm/Arduk.G
Descoperit pe data de:	15/07/2005
Tip:	Vierme
ITW:	Da
Numar infectii raportate:	Scazut
Potential de raspandire:	Scazut spre mediu
Potential de distrugere:	Scazut spre mediu
Fisier static:	Da
Marime:	13.312 Bytes
MD5:	383a48fe9d8e8d8ba3240756d686c696
Versiune VDF:	6.25.0.18

General Metoda de raspandire:
   • Email

Alias:
   • Symantec: W32.Adurk@mm
   • Mcafee: W32/Ardurk.gen@MM
   • Kaspersky: Email-Worm.Win32.Ardurk.g
   • TrendMicro: WORM_ADURK.A
   • Sophos: W32/Ardurk-G
   • VirusBuster: I-Worm.Ardurk.G

Sistem de operare:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Efecte secundare:
   • Creeaza fisiere malware
   • Utilizeaza propriul motor de email
   • Modificari in registri
   • Posibilitatea accesului neautorizat la computer

Imediat dupa lansarea in executie, pe ecran este afisat:

Fisiere Se copiaza in urmatoarea locatie:
   • %SYSDIR%\%fisier executat%.exe

Scrie pe disc o copie a lui alegand numele fisierului dintr-o lista:
Folosind unul din urmatoarele nume:
   • %fiecare fisier *.htm%.exe

O sectiune este adaugata fisierului.
– Catre: %fiecare fisier *.htm%.exe Cu urmatorul continut:
   • <OBJECT type="application/x-oleobject"CLASSID="%CLSID generate%"></OBJECT><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

Registrii sistemului Urmatoarea cheie este adaugata in registri pentru a rula procesul la repornirea sistemului:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Namesd"="%fisier executat%.exe"

Urmatoarele chei sunt adaugate in registri pentru a incarca serviciile la repornirea sistemului:

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %fisier executat%.exe]
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "DisplayName"="%fisier executat%.exe"
   • "ObjectName"="LocalSystem"
   • "ImagePath"="%SYSDIR%\%fisier executat%.exe "

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %fisier executat%.exe\Enum]
   • "0"="Root\\LEGACY_%fisier executat%.EXE\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %fisier executat%.exe\Security]
   • Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
      00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
      00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

Urmatoarele chei sunt adaugate in registrii sistemului:

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\
   LEGACY_%fisier executat%.EXE]
   • "NextInstance"=dword:00000001

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\
   LEGACY_%fisier executat%.EXE\0000]
   • "Service"="%fisier executat%.exe"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="%fisier executat%.exe"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\
   LEGACY_%fisier executat%.EXE\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="%fisier executat%.exe"

– HKCR\CLSID\{%CLSID generate%}\LocalServer32]
   • @="%directorul de activare malware%\\%fisier executat%.exe"

– [HKCR\CLSID\{%CLSID generate%}]
   • @="%fiecare fisier *.htm%.exe"

– [HKCR\CLSID\{%CLSID generate%}\LocalServer32]
   • @="%directorul de activare malware%\\%fiecare fisier *.htm%.exe"

Urmatoarele chei din registri sunt modificate:

– [HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent]
   Vechea valoare:
   • @=dword:0000000a
   Noua valoare:
   • @=dword:0000000d

– [HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares]
   Vechea valoare:
   • "C"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,3d,00,30,00,00,00,\
      4d,00,61,00,78,00,55,00,73,00,65,00,73,00,3d,00,34,00,32,00,39,00,34,00,39,\
      00,36,00,37,00,32,00,39,00,35,00,00,00,50,00,61,00,74,00,68,00,3d,00,43,00,\
      3a,00,5c,00,00,00,50,00,65,00,72,00,6d,00,69,00,73,00,73,00,69,00,6f,00,6e,\
      00,73,00,3d,00,30,00,00,00,52,00,65,00,6d,00,61,00,72,00,6b,00,3d,00,00,00,\
      54,00,79,00,70,00,65,00,3d,00,30,00,00,00,00,00
   Noua valoare:
   • "C"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,3d,00,30,00,00,00,\
      4d,00,61,00,78,00,55,00,73,00,65,00,73,00,3d,00,34,00,32,00,39,00,34,00,39,\
      00,36,00,37,00,32,00,39,00,35,00,00,00,50,00,61,00,74,00,68,00,3d,00,43,00,\
      3a,00,5c,00,00,00,50,00,65,00,72,00,6d,00,69,00,73,00,73,00,69,00,6f,00,6e,\
      00,73,00,3d,00,30,00,00,00,52,00,65,00,6d,00,61,00,72,00,6b,00,3d,00,00,00,\
      54,00,79,00,70,00,65,00,3d,00,30,00,00,00,00,00
     "d"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,3d,00,30,00,00,00,\
      4d,00,61,00,78,00,55,00,73,00,65,00,73,00,3d,00,34,00,32,00,39,00,34,00,39,\
      00,36,00,37,00,32,00,39,00,35,00,00,00,50,00,61,00,74,00,68,00,3d,00,64,00,\
      3a,00,5c,00,00,00,50,00,65,00,72,00,6d,00,69,00,73,00,73,00,69,00,6f,00,6e,\
      00,73,00,3d,00,30,00,00,00,52,00,65,00,6d,00,61,00,72,00,6b,00,3d,00,64,00,\
      00,00,54,00,79,00,70,00,65,00,3d,00,30,00,00,00,00,00
     "e"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,3d,00,30,00,00,00,\
      4d,00,61,00,78,00,55,00,73,00,65,00,73,00,3d,00,34,00,32,00,39,00,34,00,39,\
      00,36,00,37,00,32,00,39,00,35,00,00,00,50,00,61,00,74,00,68,00,3d,00,65,00,\
      3a,00,5c,00,00,00,50,00,65,00,72,00,6d,00,69,00,73,00,73,00,69,00,6f,00,6e,\
      00,73,00,3d,00,30,00,00,00,52,00,65,00,6d,00,61,00,72,00,6b,00,3d,00,65,00,\
      00,00,54,00,79,00,70,00,65,00,3d,00,30,00,00,00,00,00

Email Are un motor SMTP integrat. Va fi facuta o conexiune directa cu serverul destinatar. Iata caracteristicile lui:

De la:
Adresa este falsificata.

Catre:
– Adrese de email gasite pe sistem.

Subiect:
Urmatorul:
   • CARTOON %sir de 3 caractere aleatoare%

Corpul email-ului:
– Contine cod HTML.
– Contine un link catre alt malware.

Corpul email-ului este:

   • CARTOON %sir de 3 caractere aleatoare%
     The
     1 Site for: Cartoons, Hentai & Anime HORNY LITTLE TOONS
     EXCLUSIVE HENTAI CONTENT
     EROTIC ANIME MOVIES
     NEVER SEEN BEFORE CARTOON SLUTS
     JAPANESE MANGA TOONS

     ENTER CARTOON %sir de 3 caractere aleatoare% HERE!!

     To unsubscribe click here "http://**********.net/remove/remove.php"


Atasament:
Numele fisierului atasat este alcatuit dupa cum urmeaza:

– Incepe cu unul din urmatoarele:
   • CARTOON_

continuand cu una din urmatoarele:
   • %sir de 3 caractere aleatoare%

    Extensia fisierului este una din urmatoarele:
   • .exe

Cateva exemple de nume al fisierului atasat:
   • CARTOON_222.exe
   • CARTOON_021.exe

Email-ul arata astfel:

Email Cautare adrese:
Cauta adrese de email in urmatorul fisier:
• HTM

Alte informatii Mutex:
Creeaza urmatorul mutex:
   • _NextPart_%03d_%04X_%08.8lX.%08.8lX

Network Sharing:
Se creeaza urmatoarele share-uri:
   • C:\
   • D:\

Die Beschreibung wurde erstellt von Catalin Jora am Mittwoch, 3. August 2005
Die Beschreibung wurde geändert von Catalin Jora am Freitag, 19. August 2005

zurück . . . .

PC Schutz

Gratis-Produkte

Beliebteste Produkte

Alle Produkte

Bundle-Lösungen

Arbeitsplatzrechner

Server

Bundle-Lösungen

Mail Gateways

Web Gateways

Kollaborationsplattformen

Für Privatanwender

Für Unternehmen

Virenlabor

Mehr Support

Avira Partner werden

Für Privatanwender

Für Unternehmen

Sie möchten das Produkt nur testen?

Handbücher und Tools