Vollständige Virenbeschreibung

Nume:	Worm/Merond.O
Descoperit pe data de:	22/02/2010
Tip:	Vierme
ITW:	Da
Numar infectii raportate:	Scazut spre mediu
Potential de raspandire:	Scazut spre mediu
Potential de distrugere:	Scazut spre mediu
Fisier static:	Da
Marime:	251.904 Bytes
MD5:	30798de49cea5c4a60998f60447e8576
Versiune IVDF:	7.10.04.122 - Montag, 22. Februar 2010

General Metoda de raspandire:
   • Email

Alias:
   • Panda: W32/Sinowal.WUH
   • Eset: Win32/Merond.O
   • Bitdefender: Worm.Generic.83963

Sistem de operare:
   • Windows 2000
   • Windows XP
   • Windows 2003

Efecte secundare:
   • Creeaza fisiere malware
   • Utilizeaza propriul motor de email
   • Reduce setarile de securitate
   • Modificari in registri

Fisiere Se copiaza in urmatoarele locatii:
   • %SYSDIR%\jushed.exe
   • %SYSDIR%\sdra64.exe

Sunt create fisierele:

– %SYSDIR%\lowsec\user.ds
– %SYSDIR%\lowsec\local.ds
– %SYSDIR%\javaz.exe Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: TR/Dropper.Gen

– %SYSDIR%\lowsec\user.ds.lll

Incearca se execute urmatorul fisier:

– Numele fisierului:
   • "%SYSDIR%\javaz.exe"

Registrii sistemului Urmatoarea cheie este adaugata in registri pentru a rula procesul la repornirea sistemului:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "SunJavaUpdateSched12"="%SYSDIR%\jushed.exe"

Valorile urmatoarei chei sunt sterse din registrii sistemului:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • APVXDWIN
   • AVG8_TRAY
   • AVP
   • BDAgent
   • CAVRID
   • DrWebScheduler
   • F-PROT Antivirus Tray application
   • ISTray
   • K7SystemTray
   • K7TSStart
   • McENUI
   • MskAgentexe
   • OfficeScanNT Monitor
   • RavTask
   • SBAMTray
   • SCANINICIO
   • SpIDerMail
   • Spam Blocker for Outlook Express
   • SpamBlocker
   • Windows Defender
   • avast!
   • cctray
   • egui
   • sbamui

Creeaza urmatoarea valoare, pentru a trece de Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\jushed.exe"="%SYSDIR%\jushed.exe:*:Enabled:Explorer"

Urmatoarele chei sunt adaugate in registrii sistemului:

– [HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main]
   • "Start Page"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
   • "stinkinsun"="04"
   • "trashjava"="22"

– [HKEY_USERS\.DEFAULT\software\microsoft\windows\currentversion\
   explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
   • "{3039636B-5F3D-6C64-6675-696870667265}"=hex:F7,09,F2,0D
   • "{33373039-3132-3864-6B30-303233343434}"=hex:47,09,F2,0D

Urmatoarele chei din registri sunt modificate:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wma\OpenWithProgids]
   Noua valoare:
   • "WMAFile"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .avi\OpenWithProgids]
   Noua valoare:
   • "avifile"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mpe\OpenWithProgids]
   Noua valoare:
   • "mpegfile"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .m1v\OpenWithProgids]
   Noua valoare:
   • "mpegfile"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .aif\OpenWithProgids]
   Noua valoare:
   • "AIFFFile"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .rmi\OpenWithProgids]
   Noua valoare:
   • "midfile"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .zip\OpenWithProgids]
   Noua valoare:
   • "CompressedFolder"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wri\OpenWithProgids]
   Noua valoare:
   • "wrifile"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .emf\OpenWithProgids]
   Noua valoare:
   • "emffile"=""

– [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\
   Winlogon]
   Noua valoare:
   • "ParseAutoexec"="1"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Vechea valoare:
   • "userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\sdra64.exe,"

Email Are un motor SMTP integrat. Va fi facuta o conexiune directa cu serverul destinatar. Iata caracteristicile lui:

De la:
Adresa este falsificata.
Expeditorul email-ului este unul din urmatorii:
   • invitations@hi5.com
   • invitations@twitter.com

Catre:
– Adrese de email gasite pe sistem.

Subiect:
Unul din urmatoarele:
   • Jessica would like to be your friend on hi5!
   • Your friend invited you to twitter!

Corpul email-ului:
– Contine cod HTML.

Atasament:
Numele fisierului atasat este urmatorul:
   • Invitation Card.zip

Atasamentul este o arhiva ce contine chiar o copie malware.

Injectarea codului malware in alte procese – Injecteaza fisierul urmator intr-un proces: javaz.exe

    Numele procesului:
   • winlogon.exe

– Injecteaza fisierul urmator intr-un proces: winlogon.exe

    Numele procesului:
   • svchost.exe

– Injecteaza fisierul urmator intr-un proces: svchost.exe

Este injectat in toate procesele.

Alte informatii Cauta o conexiune Internet, contactand urmatorul website:
• http://whatismyip.com/automation/n09230945.asp

Detaliile fisierului Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit un program de compresie runtime.

Die Beschreibung wurde erstellt von Petre Galan am Donnerstag, 22. April 2010
Die Beschreibung wurde geändert von Petre Galan am Donnerstag, 22. April 2010

zurück . . . .

PC Schutz

Gratis-Produkte

Beliebteste Produkte

Alle Produkte

Bundle-Lösungen

Arbeitsplatzrechner

Server

Bundle-Lösungen

Mail Gateways

Web Gateways

Kollaborationsplattformen

Für Privatanwender

Für Unternehmen

Virenlabor

Mehr Support

Avira Partner werden

Für Privatanwender

Für Unternehmen

Sie möchten das Produkt nur testen?

Handbücher und Tools