Name: Worm/Irc.937984.A.1
Discovered on: 16/04/2008
Type: Worm
ITW: Yes
Number of reported infections: Low to medium
Spread potential: Medium
Damage potential: Medium to high
Static file: Yes
Size: 937,984 bytes
MD5: 0fdbc5a72182e58ea1211c2d5c57ca77
IVDF version: 7.00.03.175 - Wednesday, 16 April 2008

General
Spread method:
• Local network
Aliases:
• Mcafee: W32/Sdbot.worm virus
• Sophos: W32/Rbot-GVM
• Panda: W32/IRCbot.BLI.worm
• Eset: Win32/Rbot
• Bitdefender: Trojan.Generic.2268503
Operating systems:
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Creates malware files
• Lowers security settings
• Registry changes
• Steals information
• Possible unauthorized access to the computer

Files
Copies itself to the following location:
• %SYSDIR%\svehost.exe
Deletes the initial copy of the virus.
The following files are created:
– %SYSDIR%\drivers\npf.sys
– %SYSDIR%\packet.dll
– %SYSDIR%\wpcap.dll

System registry
The following key is added to the registry so that the process runs at system restart:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
• "Microsoft Updates"="svehost.exe"
One of the following values is added to the registry to start the process automatically after a reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Microsoft Updates"="svehost.exe"
The following keys are added to the registry to load the service at system restart:
– [HKLM\SYSTEM\CurrentControlSet\Services\NPF]
• "DisplayName"="Netgroup Packet Filter"
• "ErrorControl"=dword:0x00000001
• "ImagePath"="system32\drivers\npf.sys"
• "Start"=dword:0x00000003
• "Type"=dword:0x00000001
Added to the system registry:
– [HKCU\Software\Microsoft\OLE]
• "Microsoft Updates"="svehost.exe"
The following registry keys are modified:
– [HKLM\SOFTWARE\Microsoft\Ole]
New value:
• "EnableDCOM"="N"
– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
New value:
• "restrictanonymous"=dword:0x00000001

Network
To spread, the malware attempts to contact other systems as described below.
It uses the following login data to control the remote system:
– User list:
• Zytowski; Zwiers; Zurn; Zucconi; Zoldak; Zerbini; Zegans; Zangwill; Zahedi; Zachary; Yu; Youk-See; Yoo; Yoffe; 
Yetiv; Yesson; Yedidia; Ybarra; Yates; Yarchuk; Yankee; Yamane; Yacono; Votey; Vorhaus; Woods-Powell; Woods; Wooden; Woo; VonHoffman; Wolk; Voigt; Viviani; Vitali; Wilson; Willstatter; Villarreal; Wilkinson; Wilkin; Wilk; Wilhelm; Wilder; Vignola; Viens; Wiener; Wiedersheim; Viano; Viana; Whittaker; Whitla; White; Whilton; Whately; Wetzel; Wescott; Verghese; Venne; Wengret; Welsh; Welles; Velasquez; Weissman; Weissbourd; Weinhaus; Weingarten; Weighart; Waugh; Vasquez; Wasowska; Warshafsky; Vanheeckeren; Vandenberg; VanZwet; vanAllen; Walter; Wallenberg; Wales; Valencia; Valberg; Waite; Vacca; Uzuner; Usdan; Urdang-Brown; Urban; Upsdell; Untermeyer; Ullman; Tzamarias; Twells; Tuttle; Turek; Turano; Tukan; Tudge; Tuck; Tsukurov; Tsomides; Tsiatis; Truss; Troy; Troiani; Tringali; Trewin; Trenga; Traebert; Toye; Towler; Torske; Torresi; Topulos; Toomer; Tomford; Tolman; Tolls; Tollestrup; Tofallis; Timmons; Till; Tierney; Throop; Thomsen; Thisted; Thibault; Theodos; Thavaneswaran; Than; Terracini; Tenney; Temmer; Temes; Teague; Tcherepnin; Tawn; Taveras; Tatar; Tanowitz; Tandler; Tambiah; Talaugon; Tai; Tagiuri; Swindle; Sweetser; Sweeting; Surdam; Suo; Sumner; Sullivan; Stringer; Streiff; Strauch; Strange; Stott; Storer; Stonich; Stolzenberg; Stockwell; Stockton; Stock; Stillwell; Stiepock; Stewart-Oaten; Stepniewska; Stephanian; Steiner; Stefani; Statlender; States; Stassinopolus; Stang; Stam; Stalvey; StMartin; Spinrad; Spiliotis; Spiegelhalter; Spicer; Sperber; Spence; Speizer; Spaulding; Sparrow; Spanier; Soultanian; Soule; Soukup; Sottak; Sorg; Sorabella; Sommariva; Somers; Solon; Socolow; Snodgrass; Sniffen; Smilow; Slowe; Sloan; Skoda; Skerry; Skane; Sites; Sirilli; Sinsabaugh; Silvetti; Silverman; Signa; Sigini; Sigalot; Siesto; Shimon; Shibata; Shia; Shesko; Shepstone; Sheppard; Shepherd; Sheats; Shea; Shavelson; Shatrov; Shar; Shanley; Shankland; Shakis; Shaikh; Seyfert; Sexton; Seterdahl; Sennett; Sen; Selvage; Sekler; Segal; Seeber; Seaton; Scudder; 
Scovel; Schwickrath; Schwan; Schuyler; Schutte; Schuman; Schossberger; Schmitt; Schilling; Schifini; Schiano; Scheiner; Scharlemann; Scharf; Scepan; Scarponi; Sayied; Sawtell; Satterthwaite; Satta; Satin; Sase; Sartore; Sarin; Sapers; Sanna; Sanchez-Ramirez; Samson; Sali; Sahu; Safire; Sadler; Sabatello; Ryu; Rush; Ruescher; Ruderman; Ruan; Ru; Royal; Row; Ronen; Rogers; Roesler; Rocha; Robinson; Rivera; Rish; Rineer; Rindos; Rielly; Richmond; Rhea; Resnik; Repetto; Renick; Remak; Reinold; Cunningham; Reedquist; Redden-Tyler; Rayport; Rapple; Rankin; Rangan; Raney; Rajagopalan; Radeke; Rabkin; Rabe; Quetin; Quaday; Pynchon; Pugh; Puccia; Prothrow-Stith; Proietti; Pritz; Pritchard; Prevost; Preucel; Presper; Powers; Poolman; Poma; Politis; Polanyi; Polak; Poirier; Pointer; Poincaire; Pocobene; Po; Plous; Plasket; Plant; Plancon; Pinot; Pilbeam; Pfister; Pettit; Pettibone; Petruzello; Peters; Perrimon; Perone; Perna; Perlman; Perlak; Perko; Pereira; Penny; Peishel; Pederson; Pearlberg; Peabody; Paynter; Pawloski; Pavlon; Pavetti; Pattullo; Patrick; Patefield; Pascucci; Partridge; Parris; Parmeggiani; Paoletti; Pantilla; Panizzon; Panadero; Palmitesta; Pallara; Palepu; Palayoor; Paine; PaesDealmeida; Ovid; Ouchida; Otten; Ottaviani; Ostrowski; Ospina; Orsi; Orfield; Oray; Opel; O'meara; Oman; O'malley; Olszewski; Olson; Olsen; Oldford; O'hagan; Oh; Ogata; Ocougne; Nuzum; Notman; Nitabach; Nisenson; Nickoloff; Nickerson; Ni; Ng; Newlin; Newfeld; Neuman; Nesci; Nenna; Nelson; Nayduch; Naviaux; Nardone; Nardi; Napolitano; Naddeo; Mussachio; Mumford; Mulroy; Mulkern; Mugnai; Muello; Mudarri; Motooka; Mostafavi; Mosler; Mosher; Mortimer; Morrow; Morrison; Moreton; Morani; MooreDeCh.; Montilio; Monque; Moiamedi; Mohr; Moeller; Modestino; Mocroft; Mittal; Mitropoulos; Gonzalez; Minichiello; Mini; Minh; Mills; Mieher; Middle; Michelman; Meurer; Metropolis; Metelka; Merz; Merseth; Merminod; Merlani; Merikoski; Menzies; Memisoglu; Meccariello; Mcnulty; Mcnealy; Mclaren; Mclane; 
Mckenna; Mcintosh; McIlroy; Mcgoldrick; Mcghee; McFadden; Mcelroy; Mcdowell; Mcclearn; Mccall; Mccaffery; Mcbride; Mazziotta; Mazzali; May; Mauzy; Mattson; Matsukata; Matarazzo; Matalka; Mass; Marubini; Marton; Martochio; Martinez; Marques; Margetts; Margalit; Marcus; Marchbanks; March; Mantovan; Manganiello; Mandel; Manalis; Malova; Maller; Malatesta; Maisano; Maine-Hershey; Maier; Mahony; Maggio; Madigan; Macy; MacMillan; Mackenney; Macintyre; Maceachern; Macdonald; Maccormac; Ma; Luzader; Lutcavage; Lussier; Luoma; Lunetta; Luecke; Luczkow; Luciano; Lucas; Lubin; Loza; Lowenstein; Loveman; Loss; Longworth; Locatelli; Lizardo; Livolsi; Livi; Livernash; Litvak; Little; Lipponen; Lippmann; Linzee; Linehan; Line; Linder; Linda; Linares; Lim; Lightfoot; Light; Liem; Lidano; Liakos; Lessi; Lesser; l'Enclos; Lenard; Leite; Leclercq; Lecce; Lecar; Lawless; Lashley; Laserna; Lanzit; Lantieri; Lankes; Landes; Lallemant; Laing; Lafler; Labunka; La; Kuwabara; Kusman; Kumar; Kuenzli; Krysiak; Kroemer; Kraus; Krasney; Krailo; Kraemer; Kovaks; Kotter; Korzybski; Kool; Konrad; Koniaris; Kommer; Koivumaki; Kohn; Koch; Kobrick; Knuff; Klint; Klinkenborg; Kling; Klemperer; Kleinfelder; Kleiman; Kleckner; Kittridge; Kirscht; Kippenberger; Kinsley; Kindall; Kimura; Kimmett; Kimmel; Khong; Keul; Kerry; Kendall; Kemsley; Kempton; Kelsey; Kelker; Keith; Keepper; Keenan; Kee; Kawachi; Kasten; Kassower; Karpouzes; Kangis; Kamel; Kalman; Kalinowski; Kalil; Kaligian; Kalbfleisch; Kafadar; Kaboolian; Kabbash; Julious; Juliano; Jucks; Jorgensen; Jolly; Johns; Johannsen; Johannesson; Jewett; Jespersen; Jenkins; Jellis; Jeffers; Jay; Jarrell; Jarnagin; Janjigian; Jamil; Jain; Jagoe; Jagger; Jagers; Jackson; Jacenko; Iyer; Isserman; Isbill; Isaievych; Isaac; Inniss; Inamura; Igarashi; Ichikawa; Iaquinta; Hyde; Hutchings; Hurtubise; Hupp; Huntington; Hungerford; Huidekoper; Huey; Hoy; Howard; Hottle; Hostage; Hoshida; Horsley; Hopkins; Hooker; Holzman; Holway; Holter; Holoien; Holmes; Hokoda; 
Hokanson; Hoffman; Hoffer; Hock; Hoang; Hitchcock; Hirst; Hind; Himmelfarb; Heyeck; Heubert; Hester; Herrera; Hernandez; Henrichs; Henery; Hemphill; Helprin; Hellmiss; Hellman; Heiland; Heft; Heermans; Hazlewood; Haynes; Hayes; Hawkes; Haviaras; Harwell; Hartnett; Hartmann; Hartman; Harrigan; Harlow; Hargraves; Harding; Hanssen; Hand; Hammerness; Hamer; Hambarzumjan; Halpert; Hallowell; Halkias; Haley; Hackshaw; Hackman; Haar; Ha; Guo; Gunn; Guenthart; Gruppe; Gruner; Grummell; Grigoletto; Griffiths; Greenfeld; Greenberg; Gravell; Gozzi; Goody; Goodearl; Good; Goncalves; Goldfarb; Glendon; Glegg; Gleason; Gist; Gillispie; Gill; Gili; Gilbert; Gibson; Gibbens; Ghorai; Gerrett; Georgi; Gemberling; Geller; Garonna; Garman; Garfield; Gambini; Galwey; Galeotti; Gaggiotti; Gabrielli; Fusaro; Furth; Fuller; Fujii-Abe; Frye; Fryberger; Frowiss; Frisken; Friedland; Fried; Freundlich; Freid; Frazier-Davis; Franz; Franklin-Kenea; Francisco; Fossi; Fossey; Fortier; Fortes; Forester; Folks; Flores; Flier; Fitzmaurice; Fisk; Fiorina; Finnegan; Finkelstein; Fink; Field; Fido; Feuer; Ferriell; Ferrante; Fernandes; Fernald; Feldman; Fejzo; Feigenbaum; Fates; Fasso'; Farren; Farone; Faris; Falorsi; Falco-Acosta; Faioes; Fagan; Fabbris; Everett; Euripides; Etter; Estes; Espinoza; Erez; Erdos; Erdman; Erbach; Eppling; Enyeart; Encinas; Elvis; Elmerick; Elmendorf; Eliasson; Eickenhorst; Edward; Edner; Edley; Eckel; Ebeling; Eardley; Dwyer; Dussault; Durrett; Duffin; D'souza; Drinker; Dowsland; Doug; Doty; Dosi; Dorf; Dore; Doonan; Donner; Donahue; Doherty; Dockery; Dirksen; Dionysius; Dilworth; Difronzo; Difabio; Diefenbach; Dicks; D'fini; Deutsch; Desombre; Denison; Denham; Denault; Demusz; Dempster; Deming; Dell'acqua; Delger; Deleon-Rendon; Delattre; Defeciani; Dees; Debroff; deRousse; del'Enclos; DeLaPena; DeGennaro; Dawkins; David; Daskalu; Dasgupta; Das; D'arcangelo; Dapice; Dante; Danieli; D'Ambra; Daly; Daldalian; daSilva; Cyders; Cvek; Cutler; Currier; Cui; Croxton; Croxen; 
Croshaw; Crocker; Crawford; Coutaux; Counter; Cosmides; Cornish; Corey; Connors; Condodina; Concino; Comstock; Compton; Collis; Collard; Colella; Coldren; Coito; Coblenz; Clow; Clifton; Clement; Clark; Clancy; Claffey; Cifarelli; Cicero; Ciampaglia; Church; Chupasko; Chu; Christopher; Christie; Christiano; Christian; Christenson; Chinman; Chinipardaz; Childs; Childress; Chien; Chiassino; Chervinsky; Cherry; Cheang; Charles; Chapman; Cerioli; Ceniceros; Cavell; Cavanagh; Castelda; Caspar; Case; Cascio; Cartmill; Carper; Caroti; Carmichael; Carlyle; Carlos; Carlin; Carayannopoulos; Caratozzolo; Capursi; Cappuccio; Capodilupo; Capocaccia; Caperton; Capanni; Canley; Cammilleri; Cammelli; Calnan; Cage; Byrd; Byerly; Byatt; Busetta; Burridge; Burke; Burdzy; Burden; Bunton; Bullard; Budding; Buchan; Brzycki; Brook; Broca; Britz; Brinton; Bridges; Bridgeman; Brewer; Brennan; Brenan; Breed; Brecht; Bradach; Bradac; Bracalente; Boyne; Boym; Boyland; Boyes; Boyajian; Boxer; Bowers; Bourneuf; Boudrot; Boudin; Botosh; Bothman; Bossi; Borden; Borack; Boorstin; Boone; Bookbinder; Book; Bontempo; Boniface; Bonham; Boner; Bologna; Bollinger; Bolick; Bolger; Blyth; Bloxham; Bloemhof; Bloembergen; Bloch; Blizard; Bliss; Blanke; Blakemore; Blagg; Blackwell; Blackbourn; Bisho; Bisema; Bir; Binion; Bickel; Biagioli; Beynart; Betti; Berrizbeitia; Bernston; Bernassola; Bernardo; Berke-Jenkins; Bergson; Benedict-Dye; Belloc; Bellini; Bellhouse; Bellavance; Belin-Collart; Belfer; Belaoussof; Belanger; Behenna; Bedford; Beder; Beckman; Bean; Beal; Beacon; Bayo; Bayles; Baumiller; Batchelder; Bashevis; Basavappa; Bartoo; Bartolome; Bartholomew; Barry; Barriola; Barnett; Barneson; Barbetti; Barberi; Baranowska; Baranczak; Barajas; Barabesi; Banta; Baltz; Ballew; Ballatori; Baleja; Bakanowsky; Bailar; Bagnold; Baglivo; Bady; Backus; Bachmuth; Azima; Ayling; Aykroyd; Ayiemba; Axworthy; Axelrod; Aurelius; Augustus; Atkins; Arky; Arjas; Aristotle; Arellano; Arduini; Arbia; Antos; Anthony; Ansley; 
Anfinrud; Andron; Andrelus; Ando; Andel; Anand; Amsden; Ameer; Amatangelo; Amaral; Altenhofen; Altenberger; Altavilla; Alongi; Allison; Aleks; Alda; Alcorn; Alavi; Ahlers; Adorno; Adibe; Adelstein; Addison; Adams; Ackerman; Abdulrazak
– Password list:
• intranet; lan; main; winpass; blank; office; control; xp; nokia; hp; siemens; compaq; dell; cisco; ibm; orainstall; sqlpassoainstall; sql; sa; db1234; db1; databasepassword; data; databasepass; dbpassword; dbpass; access; domainpassword; domainpass; domain; hello; hell; god; sex; slut; bitch; fuck; exchange; backup; technical; loginpass; mary; katie; kate; george; eric; chris; ian; neil; lee; brian; susan; sue; sam; luke; peter; john; mike; bill; fred; joe; jen; bob; qwe; zxc; asd; qaz; win2000; winnt; winxp; win2k; win98; windows; oeminstall; oemuser; oem; homeuser; home; accounting; accounts; internet; www; web; outlook; mail; qwerty; null; changeme; linux; unix; demo; none; test; 2004; 2003; 2002; 2001; 2000; 1234567890; 123456789; 12345678; 1234567; 123456; 12345; 1234; 123; 12; 007; pwd; pass; pass1234; passwd; password1; adm; db2; oracle; dba; database; default; guest; wwwadmin; teacher; student; owner; computer; root; staff; admin; admins; administrat; administrateur; administrador; administrator
Exploit:
It uses the following vulnerabilities:
– MS01-059 (Unchecked Buffer in Universal Plug and Play)
– MS04-011 (LSASS Vulnerability)
Remote activation:
– It attempts to activate the malware remotely on the newly infected system. To do this, it calls the NetScheduleJobAdd function.

IRC
To send information and to receive commands, it connects to the IRC server:
Server: mail.purpl**********.com
Port: 80
Channel: #test%numar% (where %numar% stands for a number)
Nick: USA|%numar%
– This malware can collect and send information such as:
• Screen capture
• Webcam image capture
• Free disk space
• Free memory
• Information about system processes
– In addition, it can perform the following operations:
• Connect to an IRC server
• Launch ICMP DDoS attacks
• Launch SYN DDoS attacks
• Launch TCP DDoS attacks
• Launch UDP DDoS attacks
• Download a file
• Execute a file
• Terminate a process
• Open a console
• Scan the network
• Restart the system
• Send e-mails
• Shut down the system
• Start a keylogger
• Update itself

Backdoor
Opens the following ports:
– %SYSDIR%\svehost.exe on TCP port 80 to act as an HTTP server.
– %SYSDIR%\svehost.exe on TCP port 21 to provide a TFTP server.
Sends information about:
• Computer name
• Processor speed
• Processor type
• Current user
• Type of Internet connection
• IP address
• MAC address
• Time since the malware was started
• System directory
• System time
• User
• Windows directory
• Operating system information
Remote control capabilities:
• Disable DCOM
• Disable network shares
• Enable DCOM
• Enable network shares

File details
File compression:
To hinder detection and reduce the file size, a runtime packer is used.
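The persistence and settings changes listed above (the "Microsoft Updates" autorun values pointing at svehost.exe, the NPF service entry, EnableDCOM="N" and restrictanonymous=1, plus the dropped svehost.exe) can be checked on an exported registry and a file listing. The following is an added example written for this description, not Avira's code or a tool from the vendor; the .reg export and the file list it scans are constructed sample data, and the helper names (parse_reg_export, find_indicators) are this example's own.

```python
"""Scan a .reg text export and a file listing for the indicators in the
Worm/Irc.937984.A.1 description. Added example, not Avira's code; the sample
registry export and file list below are constructed, not from a real host."""
import re

# Indicators taken from the description. Key paths and value names are compared
# case-insensitively because the Windows registry is case-insensitive.
RUN_KEYS = {k.lower() for k in [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
]}
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF".lower()
OLE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole".lower()
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa".lower()
DROPPED_FILE = "svehost.exe"
SERVICE_IMAGE = r"system32\drivers\npf.sys"


def parse_reg_export(text):
    """Parse the subset of the .reg format used here (key headers in [],
    "name"="string" and "name"=dword:hex values) into
    {key_path_lower: {value_name_lower: data}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg files double backslashes inside string data
                data = data[1:-1].replace("\\\\", "\\")
            elif data.startswith("dword:"):
                data = int(data[6:], 16)
            keys[current][name] = data
    return keys


def find_indicators(reg_text, file_list):
    """Return (indicator, detail) pairs for every match against the worm's
    autorun entries, NPF service, security-setting changes and dropped file."""
    keys = parse_reg_export(reg_text)
    hits = []
    for path, values in keys.items():
        if path in RUN_KEYS:
            for name, data in values.items():
                if isinstance(data, str) and data.lower().endswith(DROPPED_FILE):
                    hits.append(("autorun", f"{path}\\{name} = {data}"))
        if path == SERVICE_KEY:
            image = values.get("imagepath", "")
            # npf.sys is the WinPcap driver and may be present legitimately;
            # on its own this is only a weak indicator.
            if isinstance(image, str) and image.lower().endswith(SERVICE_IMAGE):
                hits.append(("npf-service", f"{path} ImagePath = {image}"))
    if keys.get(OLE_KEY, {}).get("enabledcom") == "N":
        hits.append(("dcom-disabled", "EnableDCOM = N"))
    if keys.get(LSA_KEY, {}).get("restrictanonymous") == 1:
        hits.append(("restrictanonymous", "restrictanonymous = 1"))
    for f in file_list:
        if f.lower().replace("/", "\\").endswith("\\" + DROPPED_FILE):
            hits.append(("dropped-file", f))
    return hits


# Constructed sample export and file listing (not from a real system).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Updates"="svehost.exe"
"SomeLegitApp"="C:\\Program Files\\Legit\\legit.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Updates"="svehost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF]
"DisplayName"="Netgroup Packet Filter"
"ImagePath"="system32\\drivers\\npf.sys"
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
'''
SAMPLE_FILES = [r"C:\WINDOWS\system32\svehost.exe", r"C:\WINDOWS\system32\svchost.exe"]

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(f"{kind:18} {detail}")
```

The match on svehost.exe is a suffix check so that a full path in the autorun value is still caught, and the legitimate svchost.exe in the sample listing is not flagged. The NPF/npf.sys hit is reported separately because the same driver is installed by legitimate packet-capture software; the autorun entries and the dropped file are the stronger indicators.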
The description was created by Petre Galan on Tuesday, 24 November 2009. The description was last modified by Petre Galan on Tuesday, 24 November 2009.