Worm/Tanked.A - Worm
Alias: Worm.P2P.Tanked.a
Type: Worm
Size: 250,500 bytes
Origin: unknown
Date: 03-20-2003
Damage:
VDF Version: 6.18.00.19
Danger: Low
Distribution: Low
General Description
Worm/Tanked.A spreads over the P2P file-sharing program KaZaA. When the user opens an infected file, the worm copies itself into the Windows directory as the file "Net_32.exe" and makes more copies of itself in the CACHE32 folder. It also makes registry entries so that other KaZaA users on the Internet can download these files; they are infected when they open them.
Symptoms
The files and registry entries mentioned below.
Distribution
P2P file-sharing programs such as KaZaA, Morpheus and Edonkey2000.
Technical Details
When activated, Worm/Tanked.A copies itself as:
\%WinDir%\%SystemDir%\net_32.exe (250,500 bytes, hidden)
It then makes more copies of itself, with different .EXE file names and sizes, in \%WinDir%\Cache32\:
* ACDSee 5.5.exe
* Ad-aware 6.5.exe
* Age of Empires 2 crack.exe
* Animated Screen 7.0b.exe
* Anno 1503_crack.exe
* AOL Instant Messenger.exe
* AquaNox2 Crack.exe
* Audiograbber 2.05.exe
* BabeFest 2003 ScreenSaver 1.5.exe
* Babylon 3.50b reg_crack.exe
* Battlefield1942_bloodpatch.exe
* Battlefield1942_keygen.exe
* Business Card Designer Plus 7.9.exe
* C&C Generals_crack.exe
* C&C Renegade_crack.exe
* Clone CD 5.0.0.3 (crack).exe
* DirectX InfoTool.exe
* DivX Video Bundle 6.5.exe
* Download Accelerator Plus 6.1.exe
* DVD Copy Plus v5.0.exe
* DVD Region-Free 2.3.exe
* FIFA2003 crack.exe
* Final Fantasy VII XP Patch 1.5.exe
* Flash MX crack (trial).exe
* FlashGet 1.5.exe
* FreeRAM XP Pro 1.9.exe
* x.txt
* Hitman_2_no_cd_crack.exe
* Hot Babes XXX Screen Saver.exe
* ICQ Lite (new).exe
* ICQ Pro 2003a.exe
* ICQ Pro 2003b (new beta).exe
* iMesh 3.6.exe
* iMesh 3.7b (beta).exe
* IrfanView 4.5.exe
* KaZaA Hack 2.5.0.exe
* KaZaA Lite (New).exe
* Clone CD 5.0.0.3.exe
* Coffee Cup Free HTML 7.0b.exe
* Cool Edit Pro v2.55.exe
* Diablo 2 Crack.exe
* DirectDVD 5.0.exe
* DirectX Buster (all versions).exe
* mIRC 6.40.exe
* mp3Trim PRO 2.5.exe
* MSN Messenger 5.2.exe
* NBA2003_crack.exe
* Need 4 Speed crack.exe
* Nero Burning ROM crack.exe
* Netfast 1.8.exe
* Network Cable e ADSL Speed 2.0.5.exe
* Neverwinter_Nights_licence.exe
* NHL 2003 crack.exe
* GetRight 5.0a.exe
* Global DiVX Player 3.0.exe
* Gothic 2 licence.exe
* GTA 3 Crack.exe
* GTA 3 patch (no cd).exe
* Guitar Chords Library 5.5.exe
* SmartFTP 2.0.0.exe
* SmartRipper v2.7.exe
* Space Invaders 1978.exe
* Splinter_Cell_Crack.exe
* Steinberg_WaveLab_5_crack.exe
* Trillian 0.85 (free).exe
* TweakAll 3.8.exe
* Unreal2_bloodpatch.exe
* Unreal2_crack.exe
* UT2003_bloodpatch.exe
* KaZaA Speedup 3.6.exe
* Links 2003 Golf game (crack).exe
* Living Waterfalls 1.3.exe
* Mafia_crack.exe
* Matrix Screensaver 1.5.exe
* MediaPlayer Update.exe
* UT2003_keygen.exe
* UT2003_no cd (crack).exe
* UT2003_patch.exe
* WarCraft_3_crack.exe
* Winamp 3.8.exe
* WindowBlinds 4.0.exe
* WinOnCD 4 PE_crack.exe
* WinZip 9.0b.exe
* Yahoo Messenger 6.0.exe
* Zelda Classic 2.00.exe
* Nimo CodecPack (new) 8.0.exe
* PalTalk 5.01b.exe
* Popup Defender 6.5.exe
* Pop-Up Stopper 3.5.exe
* QuickTime_Pro_Crack.exe
* Serials 2003 v.8.0 Full.exe
These files have different sizes.
The virus code is 250,500 bytes in size. For camouflage, the worm "fills" the end of the shared files with the required number of blanks. In this way, the worm can have any file size, for example 1,471,500 bytes. The advantage for the worm is that no specific size can be attributed to it.
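The padding described above leaves a recognisable layout: a file of at least 250,500 bytes in which every byte past that offset is a blank. The following check for that layout is an added example, not part of the original description; it assumes "blanks" means space bytes (NUL is accepted as well), and the function names and sample files are constructed for illustration.

```python
import os
import tempfile

CORE_SIZE = 250_500   # worm body size given in the description
PAD = b" \x00"        # assumption: "blanks" means spaces; NUL accepted too


def padded_tail_length(path, core_size=CORE_SIZE, pad=PAD):
    """Padding bytes after core_size, or None if the layout does not match."""
    size = os.path.getsize(path)
    if size < core_size:
        return None
    with open(path, "rb") as fh:
        fh.seek(core_size)
        while block := fh.read(65536):
            if block.strip(pad):      # a non-padding byte: not this layout
                return None
    return size - core_size


def scan_directory(root):
    """Map file name -> padding length for each .exe with that layout."""
    hits = {}
    for name in sorted(os.listdir(root)):
        full = os.path.join(root, name)
        if name.lower().endswith(".exe") and os.path.isfile(full):
            if (tail := padded_tail_length(full)) is not None:
                hits[name] = tail
    return hits


def demo():
    """Scan constructed sample files (placeholder bytes, no real malware)."""
    body = b"\xAA" * CORE_SIZE
    samples = {
        "padded.exe": body + b" " * (1_471_500 - CORE_SIZE),  # size from the text
        "exact.exe": body,                          # unpadded, 250,500 bytes
        "appended.exe": body + b"real data" * 100,  # real content after offset
        "small.exe": b"MZ" * 10,                    # shorter than the worm body
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return scan_directory(d)


if __name__ == "__main__":
    print(demo())
```

A match is a triage lead only, since the check looks at file layout and not at the worm's code; confirm any hit with a virus scan.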
Worm/Tanked.A makes the following registry entry so that its files can be downloaded through the P2P program KaZaA and infect other systems:
[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir1"="012345:C:\\WINDOWS\\Cache32"
As a precaution, the user should scan all downloaded files and applications for viruses.
Manual Removal Instructions
- for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following file:
* net_32.exe
Start "regedit" after that and edit the following registry entries:
[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir1"="012345:C:\\WINDOWS\\Cache32"
Restart your computer.
- for Windows 9x/ME:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following files:
* net_32.exe
Start "regedit" after that and edit the following registry entries:
[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir1"="012345:C:\\WINDOWS\\Cache32"
Restart your computer.
Description created by Crony Walker on Tue, 15 Jun 2004 14:00 (GMT+1)
© 2008 Avira GmbH