Virus: Worm/Traxgy.B
Date discovered: 30/08/2005
Type: Worm
In the wild: Yes
Reported infections: Low
Distribution potential: Medium to high
Damage potential: Low to medium
Static file: No
File size: 57,344 bytes
IVDF version: 6.31.01.196 - Tuesday, August 30, 2005

General methods of propagation:
   • Email
   • Local network
   • Mapped network drives


Aliases:
   •  Kaspersky: Email-Worm.Win32.Rays
   •  F-Secure: Email-Worm.Win32.Rays
   •  Sophos: W32/Traxg-B
   •  Panda: W32/Vinet.A.worm
   •  Grisoft: I-Worm/Rays.E
   •  Bitdefender: Win32.Rays.H@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Lowers security settings
   • Registry modification

Files:
It copies itself to the following locations:
   • A:\Explorer.EXE
   • A:\WINDOWS.EXE
   • %drive%:\WINDOWS.EXE
   • %drive%:\ghost.bat
   • %all directories%\%current directory name%.exe (a copy placed in every directory and named after that directory)



It also drops a copy of itself, named %hex number%.com, into one of the following directories:
   • %WINDIR%\system\
   • %WINDIR%\fonts\
   • %WINDIR%\temp\
   • %WINDIR%\help\




The following files are created:

– Non-malicious file:
   • %all directories%\desktop.ini

– Malicious files, detected as VBS/Zapchast.B on further investigation:
   • A:\NetHood.htm
   • %drive%:\NetHood.htm
   • %all directories%\folder.htt

The desktop.ini is harmless only in isolation: Explorer's Web View on these Windows versions honours a desktop.ini that points the folder's HTML template at folder.htt, so the script carried in folder.htt runs as soon as the folder is opened in Explorer.

Registry:
One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • TempCom = %WINDIR%\system\%hex number%.com
   • TempCom = %WINDIR%\fonts\%hex number%.com
   • TempCom = %WINDIR%\temp\%hex number%.com
   • TempCom = %WINDIR%\help\%hex number%.com



The following value is removed from this registry key:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • KaV300XP



The following registry values are changed:

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
   Old value:
   • fullpath = %user defined settings%
   New value:
   • fullpath = dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • HideFileExt = %user defined settings%
   • Hidden = %user defined settings%
   New value:
   • HideFileExt = dword:00000001
   • Hidden = dword:00000000

With HideFileExt set, Explorer hides extensions of known file types, so the %current directory name%.exe copy is displayed under the bare directory name rather than as an executable.
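The file and registry artifacts listed above lend themselves to an offline triage check. The following Python script is an added example and is not Avira's code or part of this description: it parses a regedit export and a file listing taken from a suspect host (both constructed sample data here) and flags the Run-key persistence, the forced Explorer view settings, the drive-root drops, folder.htt files and whether a desktop.ini sits alongside them, the folder-name companion executables, and the hex-named .com copies in the four %WINDIR% subdirectories. The key spellings, the regular expression for the .com name and the sample data are assumptions made for illustration; the removed KaV300XP value is not checked, because the absence of a value cannot be detected without a known-good baseline.

```python
import re
from pathlib import PureWindowsPath

# Registry keys from the description, in regedit export spelling (assumed).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# %WINDIR%\{system,fonts,temp,help}\%hex number%.com, matched on the path tail.
DROPPER_RE = re.compile(r"\\(system|fonts|temp|help)\\[0-9a-f]+\.com$", re.IGNORECASE)

# Names the worm writes to a drive root (A:\Explorer.EXE, WINDOWS.EXE, ghost.bat, NetHood.htm).
ROOT_DROP_NAMES = {"explorer.exe", "windows.exe", "ghost.bat", "nethood.htm"}

# Constructed sample input: a regedit export from a hypothetical infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TempCom"="C:\\WINDOWS\\fonts\\3A7F.com"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000000
'''

# Constructed sample input: a file listing from the same hypothetical host.
SAMPLE_FILES = [
    r"C:\WINDOWS.EXE",
    r"C:\ghost.bat",
    r"C:\NetHood.htm",
    r"C:\Work\Reports\desktop.ini",
    r"C:\Work\Reports\folder.htt",
    r"C:\Work\Reports\Reports.exe",
    r"C:\Work\Reports\q3.doc",
    r"C:\WINDOWS\fonts\3A7F.com",
    r"C:\WINDOWS\Explorer.EXE",          # legitimate: not at a drive root
    r"C:\WINDOWS\system32\ctfmon.exe",   # legitimate: system32 is not one of the drop directories
]


def parse_reg(text):
    """Minimal parser for regedit 5.00 exports: {key: {value name: value}}.
    Understands quoted strings (with doubled backslashes unescaped) and dword: values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            else:
                keys[current][name] = raw.strip('"').replace("\\\\", "\\")
    return keys


def check_registry(reg):
    """Run-key persistence and the Explorer view settings the worm forces."""
    findings = []
    for name, value in reg.get(RUN_KEY, {}).items():
        if name.lower() == "tempcom" or (isinstance(value, str) and DROPPER_RE.search(value)):
            findings.append(f"run-persistence: {name} = {value}")
    adv = reg.get(ADVANCED_KEY, {})
    if adv.get("HideFileExt") == 1 and adv.get("Hidden") == 0:
        findings.append("explorer-tamper: HideFileExt=1 and Hidden=0")
    # The removed KaV300XP value is not checked: absence of a value needs a baseline.
    return findings


def check_files(paths):
    """Drop locations from the description, matched case-insensitively."""
    siblings = {}
    for p in paths:
        wp = PureWindowsPath(p)
        siblings.setdefault(str(wp.parent).lower(), set()).add(wp.name.lower())
    findings = []
    for p in paths:
        wp = PureWindowsPath(p)
        name, parent = wp.name.lower(), str(wp.parent).lower()
        if parent == wp.anchor.lower() and name in ROOT_DROP_NAMES:
            findings.append(f"drive-root drop: {p}")
        elif name == "folder.htt":
            paired = "desktop.ini" in siblings[parent]
            findings.append(f"web-view hijack: {p} (desktop.ini alongside: {paired})")
        elif wp.parent.name and name == wp.parent.name.lower() + ".exe":
            findings.append(f"folder-name companion: {p}")
        elif DROPPER_RE.search(p):
            findings.append(f"hex-named dropper: {p}")
    return findings


def triage(reg_text, paths):
    """Combine both checks into one list of findings."""
    return check_registry(parse_reg(reg_text)) + check_files(paths)


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

The path checks deliberately key on location rather than name alone: %WINDIR%\Explorer.EXE and %WINDIR%\system32\ctfmon.exe in the sample stay unflagged, while the same names at a drive root or in the four listed subdirectories do not.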

Email:
It uses the Messaging Application Programming Interface (MAPI) to send emails, with the following characteristics:

From:
The sender address is the user's Outlook account.

To:
– Email addresses gathered from the WAB (Windows Address Book)

Subject:
   • %chinese text%

Body:
   • %chinese text% Document.exe %chinese text%

Attachment:
   • Document.exe

The attachment is a copy of the malware itself.





File details:
Programming language: the malware program was written in Visual Basic.

Description created by Andrei Gherman on Friday, 21 September 2007
Description last modified by Andrei Gherman on Friday, 21 September 2007
