Name: Worm/Minusia.A
Discovered on: 22/03/2006
Type: Worm
ITW: Yes
Number of reported infections: Low
Spread potential: Medium to high
Damage potential: Low
Static file: No
VDF version: 6.34.00.83

General
Spreading methods:
   • Email
   • Local network


Aliases:
   •  Symantec: W32.Renama.A@mm
   •  Kaspersky: Email-Worm.Win32.Minusi.a
   •  Sophos: W32/Minusia-A
   •  Bitdefender: Win32.Minusia.A


Operating system:
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Creates files
   • Registry changes
   • Exploits software vulnerabilities


After activation, it runs a Windows program that displays the following window:

   If a file named muhammad_is_my_prophet.txt exists in %WINDIR%\ on the victim machine, the worm does not infect that machine.

Files
Copies itself to the following locations:
   • %SYSDIR%\svchost.exe
   • %WINDIR%\safemode.exe
   • %SYSDIR%\ERSvc.exe
   • %WINDIR%\mmsg\mcAfee.Update.exe.exe
   • %WINDIR%\Config\Easy.Windows.Monitoring.exe.exe
   • %WINDIR%\Config\system.update.exe.exe
   • %WINDIR%\mmsg\mmsg\mmsg.exe.exe
   • %Windows partition root%\listname_of_terrorist.exe



The following files are created:

%WINDIR%\system_log.txt This is a harmless text file with the following content:
   • MUHAMMAD ADALAH MANUSIA .............!!!!!!
     MUHAMMAD BUKAN MALAIKAT, DEWA, ATAU BAHKAN TUHAN...!!!!!
     TAPI DIA ADALAH PANUTAN SETIAP UMMAT MANUSIA, KARENA DIA ADALAH NABIULLAH..!!!
     KAMI MENGHORMATI MUHAMMAD SEBAGAI NABI DAN PEMIMPIN KARENA TINDAKANNYA YANG 99% BENAR
     BUKAN SEBAGAI DEWA, MALAIKAT ATAU BAHKAN TUHAN....!!!!
     SEBAGAIMANA KAMI MENGHORMATI NABI ISA DAN NABI-NABI LAIN
     KENAPA...????
     KARENA MEREKA ADALAH MANUSIA JUGA
     JADI MOHON JANGAN MENCARI-CARI KESALAHAN DAN KENISTAANNYA
     YANG MUHAMMAD BERISTRI BANYAKLAH, MENGEKANG WANITA-LAH DAN LAIN-LAIN
     PAKAILAH LOGIKA, NISCAYA AKAN DAPAT KEBENARANNYA
     .......................................................
     JADI, MOHON JANGAN HINA NABI-NABI KAMI...!!!
     KARENA MAREKA ADALAH NABI-NABI KALIAN JUGA..!!!!
     _________________________________________________________________________________________
     
     AKU AKAN BERHENTI JIKA ANDA MENYATAKAN SIAPA NABI KALIAN.....
     AKU AKAN BERHENTI JIKA ANDA MENYATAKAN SIAPA NABI KALIAN.....
     AKU AKAN BERHENTI JIKA ANDA MENYATAKAN SIAPA NABI KALIAN.....
     
     IF YOU DON'T UNDERSTAND, PLEASE TRANSLATE IN YOU LANGUAGE

%WINDIR%\Registry1.dll This is a clean file that contains information about the program itself.

System registry
The following key is added to the registry, repeatedly, to start the process after reboot.

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "mcAfee.Instan.Update"="%WINDIR%\mmsg\mcAfee.Update.exe.exe"
   • "KasperskiLab"="%WINDIR%\Config\Easy.Windows.Monitoring.exe.exe"
   • "MsnMsgr"="%PROGRAM FILES%\MSN Messenger\MsnMsgr.Exe .exe"
   • "MSMSGS"="%PROGRAM FILES%\Messenger\msmsgs.exe .exe"

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "HotKeysCmds"="%WINDIR%\Config.system.update.exe.exe"



The following keys are added to the registry to load the services at system restart:

[HKLM\SYSTEM\ControlSet001\Services\srservice]
   • "Type"=dword:00000020
     "Start"=dword:00000002
     "ErrorControl"=dword:00000001
     "ImagePath"=%SYSDIR%\svchost.exe
     "DisplayName"="System Restore Service"
     "DependOnService"=RpcSs
     "DependOnGroup"=%hex values%
     "ObjectName"="LocalSystem"
     "Description"="Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties"

[HKLM\SYSTEM\ControlSet001\Services\srservice\Parameters]
   • "ServiceDll"=%SYSDIR%\srsvc.dll

[HKLM\SYSTEM\ControlSet001\Services\srservice\Security]
   • "Security"=%hex values%

[HKLM\SYSTEM\ControlSet001\Services\srservice\Enum]
   • "0"="Root\\LEGACY_SRSERVICE\\0000"
     "Count"=dword:00000001
     "NextInstance"=dword:00000001

[HKLM\SYSTEM\ControlSet001\Services\ERSvc]
   • "DependOnService"=RpcSs
     "Description"="Allows error reporting for services and applictions running in non-standard environments."
     "DisplayName"="Error Reporting Service"
     "ErrorControl"=dword:00000000
     "ImagePath"=%SYSDIR%\ERSvc.exe
     "ObjectName"="LocalSystem"
     "Start"=dword:00000002
     "Type"=dword:00000020

[HKLM\SYSTEM\ControlSet001\Services\ERSvc\Parameters]
   • %SystemRoot%\System32\ersvc.dll

[HKLM\SYSTEM\ControlSet001\Services\ERSvc\Security]
   • "Security"=%hex values%

[HKLM\SYSTEM\ControlSet001\Services\ERSvc\Enum]
   • "0"="Root\\LEGACY_ERSVC\\0000"
     "Count"=dword:00000001
     "NextInstance"=dword:00000001



The following is added to the system registry:

[HKCU\Identities\%CLSID%\Software\Microsoft\Outlook Express\5.0\Mail]
   • "Warn on Mapi Send"=dword:00000000



The following registry keys are modified:

[HKCU\Software\Policies\Microsoft\Windows\System]
   New value:
   • "DisableCMD"=dword:00000001

Disabling Regedit and Task Manager:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   New value:
   • "DisableRegistryTools"=dword:00000001
   • "DisableTaskMgr"=dword:00000001
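The registry and file artifacts listed in the sections above are what a responder would check first on a suspect host. The following PowerShell script is an added example written for this page; it is not Avira's tooling and not part of the original description. It performs read-only checks for the Run values, the policy values, the service ImagePaths, the Outlook Express "Warn on Mapi Send" setting and the dropped files named above. It assumes that on a clean Windows XP/2003 host the genuine srservice and ERSvc services are hosted by svchost.exe with a "-k" group argument, and it deliberately leaves %SYSDIR%\svchost.exe out of the file list because that path always exists and can only be judged by comparing its hash against a known-good copy.

```powershell
# Added example (not part of the Avira description): read-only triage of the
# Worm/Minusia.A artifacts listed above. Run from an elevated PowerShell,
# logged on as the user whose profile is suspected, because the HKCU values
# below live in that user's hive. Nothing here modifies the system.

$windir = $env:windir
$sysdir = Join-Path $windir 'System32'

# Run values the worm adds (value names exactly as listed in the description).
$runValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'mcAfee.Instan.Update' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'KasperskiLab' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'MsnMsgr' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'MSMSGS' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'HotKeysCmds' }
)

# Policy values that lock the user out of cmd.exe, regedit and Task Manager.
$policyValues = @(
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System';                 Name = 'DisableCMD' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
)

# Files the worm drops. %SYSDIR%\svchost.exe is intentionally omitted: that path
# always exists on Windows, so only a hash comparison with a known-good copy
# can tell the genuine binary from the worm's copy.
$droppedFiles = @(
    (Join-Path $sysdir 'ERSvc.exe')
    (Join-Path $windir 'safemode.exe')
    (Join-Path $windir 'mmsg\mcAfee.Update.exe.exe')
    (Join-Path $windir 'mmsg\mmsg\mmsg.exe.exe')
    (Join-Path $windir 'Config\Easy.Windows.Monitoring.exe.exe')
    (Join-Path $windir 'Config\system.update.exe.exe')
    (Join-Path $windir 'system_log.txt')
    (Join-Path $windir 'Registry1.dll')
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Location, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

foreach ($v in ($runValues + $policyValues)) {
    # A missing key or value simply yields $null with SilentlyContinue.
    $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        Add-Finding 'Registry value' "$($v.Key)\$($v.Name)" $item.($v.Name)
    }
}

# Assumption: the genuine srservice and ERSvc are hosted by svchost.exe with a
# "-k <group>" argument. The worm's ImagePath runs a standalone executable
# (%SYSDIR%\svchost.exe or %SYSDIR%\ERSvc.exe) with no "-k", which is the tell.
foreach ($svc in 'srservice', 'ERSvc') {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $item = Get-ItemProperty -Path $svcKey -Name 'ImagePath' -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.ImagePath -notmatch '-k\s') {
        Add-Finding 'Service ImagePath' $svcKey $item.ImagePath
    }
}

# "Warn on Mapi Send" = 0 silences the Outlook Express prompt that would
# otherwise expose the worm's MAPI mass-mailing. Identity GUIDs vary per user,
# so every identity under HKCU:\Identities is walked.
Get-ChildItem -Path 'HKCU:\Identities' -ErrorAction SilentlyContinue | ForEach-Object {
    $mailKey = Join-Path $_.PSPath 'Software\Microsoft\Outlook Express\5.0\Mail'
    $item = Get-ItemProperty -Path $mailKey -Name 'Warn on Mapi Send' -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.'Warn on Mapi Send' -eq 0) {
        Add-Finding 'Outlook Express setting' $mailKey 'Warn on Mapi Send = 0'
    }
}

foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        Add-Finding 'File' $path (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Worm/Minusia.A artifacts from the description were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Two caveats follow from the description itself. The HKCU values are written into the hive of the user the worm ran as, so running the script from a different (administrative) account will miss them unless that user's NTUSER.DAT is loaded; and the double-extension file names ("*.exe.exe", "MsnMsgr.Exe .exe") are shown by Explorer without the final ".exe" when extensions are hidden, which is why the script tests the full literal paths rather than relying on what a directory listing displays.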

Email
Uses the Messaging Application Programming Interface (MAPI) to send emails. Its characteristics are:


Subject:
One of the following:
   • %random character string%,your name is listed in terrorism organisation..!!!
   • %random character string%,this file from me,%random character string%,
   • %random character string%,Namamu termasuk dalam daftar terrorist..!!



Email body:
–  Sometimes it may contain random characters.
The email body is one of the following texts:

   • This attachment contain listname of terrorist..!!!
     hope you can be carrefull if you find one of them..!!!!
     or you can reply this email to me after you read the attachment
     thank's...!!!
     

   • jika anda nggak percaya atau kurang yakin, coba baca list attachment ini..!!!
     ini sangat urgent..!!!!
     saya harap dengan begini kita nggak ada salah paham
     thank's...!!!

   • if you are not sure, please read attachment bellow, and please reply to me..!!!
     this message is very urgent..!!!!
     hope we don't have miss understanding
     thank's...!!!


Attachment:
The name of the attached file is one of the following:
   • %random character string%.zip
   • %random character string%.exe
   • listname_of_terrorist.exe

The attachment is a copy of the malware.

The attachment is an archive that itself contains a copy of the malware.

Network
To ensure its spread, the malware tries to contact other systems, as described below:


IP address generation:
Creates random IP addresses, keeping only the first two octets of its own address. It then tries to contact the generated addresses.

Process termination
List of terminated processes:
   • cmd.exe; mmc.exe; msconfig.exe; MIRC.EXE; MIRC.exe; mirc.exe;
      EXCEL.EXE; EXCEL.exe; excel.exe; WINWORD.EXE; WINWORD.exe; winword.exe


File details
Compilation date:
Date: 28/02/2006
Time: 13:51:45

Description inserted by Andrei Ivanes on Wednesday, March 22, 2006
Description updated by Andrei Ivanes on Friday, September 21, 2007
