Name: VBS/Small.Sasan.A
Discovered: 08/11/2007
Type: Worm
In the wild: No
Reported infections: Low
Distribution potential: Low to medium
Damage potential: Low to medium
Static file: Yes
File size: 10,164 bytes
MD5 checksum: efe528483fd3c6ed75a8c1e016026e10
VDF version: 7.00.00.185
IVDF version: 7.00.00.192 - Thursday, 8 November 2007

General
Method of propagation:
   • Mapped network drives


Aliases:
   • Sophos: VBS/Sasan-Fam
   • Grisoft: VBS/LoveLetter


Operating systems:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Terminates security applications
   • Creates a file
   • Modifies the registry


Upon activation, a Windows program is started that displays the following window:

   Merlin: Huh..Banjarbaru makin panas aja ya
   Merlin: It's now time to work. Jangan ngerumpi mulu..
   Merlin: Hope you enjoy today.
   Merlin: Komputernya ta dinginin dulu OK
   Merlin: Cape dech, Bye Bye Ahh!

Files
It copies itself to the following locations:
   • %sysdir%\ctfmon.exe.vbe
   • %drive%\Thumbs.db.vbe
   • %drive%\%deleted file%.vbe

The following directory is searched:
   • %drive%\

The following file types are targeted:
   • .doc
   • .docx
   • .xls
   • .ppt
   • .jpg
   • .bmp
   • .3gp
   • .rm

The original file is then deleted.



The following file is created:

%drive%\autorun.inf This is a non-virulent text file with the following content:
   • [autorun]
     shellexecute=wscript.exe Thumbs.db.vbe




It attempts to execute the following file:

Filename:
   • %sysdir%\cmd.exe
using the following command-line parameters: shutdown -s -t 00 -f -m

Registry
The following registry key is added in order to run the process again after a system restart:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • CTFMon="%sysdir%\ctfmon.exe.vbe"



The following registry keys are added:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced]
   • Hidden=dword:00000002

Under [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<program name>] the value Debugger="notepad.exe" is added for each of the following program names, so that any attempt to start one of these tools launches notepad.exe instead:
   • cmd.exe
   • install.exe
   • msconfig.exe
   • regedit.exe
   • AVG Free.exe
   • regedt32.exe
   • RegistryEditor.exe
   • setup.exe
   • setup32.exe
   • AVG 7.5.exe
   • rstrui.exe
   • PCMAV.exe
   • PCMAV-CLN.exe
   • PCMAV-RTP.exe
   • ANSAV.exe
   • AVG.exe
   • run.exe
   • avgw.exe
   • AVG Free Edition.exe
   • AVG Free Edition Test Centre.exe
   • Avg Free Control Center.exe
   • vbren.exe
   • Kaspersky.exe
   • Kaspersky 6.0.2.exe
   • PC Tools.exe
   • AVAST.exe
   • CAV.exe
   • McAfee.exe
   • McAfee VirusScan.exe
   • Symantec.exe
   • Norman.exe
   • TuneUp Utilities.exe
   • TuneUp Utilities 2006.exe
   • TuneUp Utilities 2007.exe
   • Stars TuneUp Utilities.exe
   • Fix the BRONTOK.exe
   • NOD32.exe
   • HijackThis.exe
   • hijack.exe
   • navw32.exe
   • griso.exe
   • procexp.exe
   • avp.exe
   • samdAV 3.3.exe
   • samdAV 3.2.exe
   • smadAV.exe
   • Avira Antivir PersonalEdition Classic.exe
   • avcenter.exe
   • AntiVir.exe
   • Avira.exe
   • procmon.exe
   • filemon.exe
   • DiskCleaner.exe
   • RegistryCleaner.exe
   • StarUpManager.exe
   • TuneUp RescueCenter.exe
   • RescueCenter.exe
   • TuneUp RegistryEditor.exe
   • avgcc.exe
   • VPTray.exe
   • VPDN_LU.exe
   • VPC32.exe
   • TweakUI for Windows XP.exe
   • TweakUI.exe
   • MSConfig CleanUp.exe
   • CCleaner.exe
   • Itegrator.exe



The following registry keys are modified:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • NoDriveTypeAutoRun=dword:00000000
   • NoFind=dword:00000001
   • NoFolderOptions=dword:00000001
   • NoRun=dword:00000001
   • NoViewContextMenu=dword:00000001

[HKCR\VBEFile\DefaultIcon]
   New value:
   • (Default)=shell32.dll,-50

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • Hidden=%user settings%
     HideFileExt=%user settings%
     SuperHidden=%user settings%
   New value:
   • Hidden=dword:00000000
     HideFileExt=dword:00000001
     SuperHidden=dword:00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   Old value:
   • DisableRegistryTools=%user settings%
     DisableTaskMgr=%user settings%
   New value:
   • DisableRegistryTools=dword:00000001
     DisableTaskMgr=dword:00000001
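Added example, not part of the Avira description: a read-only PowerShell audit of the three registry areas listed above (IFEO Debugger redirections, script-host autostarts under the Run key, and the Explorer/System policy lockouts). The script-extension pattern and the severity labels are assumptions chosen here, not values from the description.

```powershell
# Added example (not from the Avira description): read-only audit of the
# registry locations this worm is described as modifying. Run elevated.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$findings = @()

# 1. IFEO Debugger redirection: every subkey carrying a Debugger value is listed.
#    The worm writes "notepad.exe"; any other value still needs a known owner.
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $sev = if ($dbg -match 'notepad\.exe') { 'High' } else { 'Review' }
        $findings += [pscustomobject]@{ Indicator = 'IFEO Debugger'; Location = $_.PSChildName; Value = $dbg; Severity = $sev }
    }
}

# 2. Run-key autostart whose target is a script-host file (the worm registers
#    %sysdir%\ctfmon.exe.vbe under the name CTFMon, a double extension).
#    The extension list is an assumption, not taken from the description.
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
foreach ($p in @($run.PSObject.Properties)) {
    if ($p.Value -is [string] -and $p.Value -match '\.(vbe|vbs|js|jse|wsf)(\s|"|$)') {
        $findings += [pscustomobject]@{ Indicator = 'Run key script'; Location = $p.Name; Value = $p.Value; Severity = 'High' }
    }
}

# 3. Policy lockouts the worm forces on (1 = restriction active). On a machine
#    that receives no group policy, any of these set to 1 deserves a look.
$policies = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoFind', 'NoFolderOptions', 'NoRun', 'NoViewContextMenu')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableRegistryTools', 'DisableTaskMgr')
}
foreach ($key in $policies.Keys) {
    $vals = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $policies[$key]) {
        if ($null -ne $vals -and $vals.$name -eq 1) {
            $findings += [pscustomobject]@{ Indicator = 'Policy lockout'; Location = $key; Value = "$name=1"; Severity = 'Medium' }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No indicators found.' }
```

The script changes nothing; clearing a confirmed Debugger value or policy setting is a separate, deliberate step once the finding has been reviewed.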

File details
Programming language:
The malware program was written in Visual Basic.


Runtime packer:
To hinder detection and reduce the file size, it was packed with a runtime packer.

Description created by Monica Ghitun on Friday, 9 November 2007
Description modified by Monica Ghitun on Friday, 9 November 2007
