Name: Worm/RBot.100954
Discovered on: 15/11/2005
Type: Worm
ITW: No
Number of reported infections: Low
Spreading potential: Medium
Damage potential: Medium
Static file: Yes
Size: 100,954 bytes
MD5: e031bf896dea28a3e0830Aa8eb85c032
VDF version: 6.32.00.183

General
Spreading method:
   • Local network


Aliases:
   • Kaspersky: Backdoor.Win32.Rbot.adf
   • Sophos: W32/Rbot-BEZ
   • VirusBuster: virus Worm.Rbot.DEA
   • Bitdefender: Backdoor.RBot.CPZ


Operating systems:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Accesses the floppy drive
   • Closes security applications
   • Downloads files
   • Uses its own email engine
   • Lowers security settings
   • Records keystrokes
   • Modifies the registry
   • Exploits software vulnerabilities
   • Steals information
   • Makes unauthorised access to the computer possible

Files
Copies itself to the following location:
   • %SYSDIR%\syshost.exe



Deletes the initial copy of the virus.

System registry
The following keys are added to the registry, repeatedly, to ensure the process is started again after a reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft Windows System"="syshost.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "Microsoft Windows System"="syshost.exe"



The following is added to the system registry:

– [HKCU\Software\Microsoft\OLE]
   • "Microsoft Windows System"="syshost.exe"



The following registry keys are modified:

– [HKLM\SOFTWARE\Microsoft\Ole]
   Old value:
   • "EnableDCOM"=%user settings%
   New value:
   • "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Old value:
   • "restrictanonymous"=%user settings%
   New value:
   • "restrictanonymous"=dword:00000001
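As an added defender-side example (not part of this description), the following Python script audits an exported .reg file for the three autorun entries and the two hardening changes listed above. It assumes the .reg export uses only the "name"="string" and "name"=dword: forms shown here; the sample export embedded in the script is constructed for the demonstration.

```python
import re

# Indicators from the description: three autorun locations carrying
# "Microsoft Windows System"="syshost.exe", DCOM switched off, and
# RestrictAnonymous set to 1. Full hive names as written by regedit exports;
# everything is lower-cased because registry names are case-insensitive.
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\ole",
}
AUTORUN_VALUE = "microsoft windows system"
AUTORUN_DATA = "syshost.exe"
DCOM_KEY = r"hkey_local_machine\software\microsoft\ole"
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Parse the subset of .reg syntax needed for these indicators:
    [key] headers followed by "name"="string" or "name"=dword:XXXXXXXX.
    Returns {key: {name: data}} with keys and names lower-cased and
    dword data converted to int."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name, string_data, dword_data = m.groups()
            if dword_data is not None:
                keys[current][name.lower()] = int(dword_data, 16)
            else:
                # regedit doubles backslashes inside exported string data
                keys[current][name.lower()] = string_data.replace("\\\\", "\\")
    return keys


def audit(keys):
    """Return (severity, finding) tuples for the RBot registry indicators."""
    findings = []
    for key, values in keys.items():
        if key in AUTORUN_KEYS:
            data = values.get(AUTORUN_VALUE)
            if isinstance(data, str) and data.lower().endswith(AUTORUN_DATA):
                findings.append(("high", f"autorun entry [{key}] {AUTORUN_VALUE} = {data}"))
        if key == DCOM_KEY and str(values.get("enabledcom", "")).upper() == "N":
            findings.append(("medium", f"DCOM disabled via [{key}] EnableDCOM=N"))
        if key == LSA_KEY and values.get("restrictanonymous") == 1:
            # RestrictAnonymous=1 is a legitimate hardening setting on its own;
            # it only corroborates the autorun finding, so it is rated low.
            findings.append(("low", f"RestrictAnonymous=1 in [{key}]"))
    return findings


# Constructed .reg export for the demonstration (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows System"="syshost.exe"
"Example Updater"="C:\\Program Files\\Example\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Windows System"="syshost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Microsoft Windows System"="syshost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

if __name__ == "__main__":
    for severity, finding in audit(parse_reg(SAMPLE_REG)):
        print(f"[{severity}] {finding}")
```

Because the Run data is the bare name syshost.exe, Windows resolves it through the system directory, so a hit should be followed by checking whether %SYSDIR%\syshost.exe exists.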

Network
To ensure its spread, the malware tries to contact other systems, as described below:

Creates copies of the malware in the following network shares:
   • IPC$
   • C$
   • C:\
   • D$
   • D:\
   • C$\windows\system32
   • c$\winnt\system32
   • ADMIN$\system32\
   • ADMIN$


Uses the following login data to control the remote system:

– Recorded user names and passwords.

– A list of user names.

– A list of user names and passwords.



Exploits:
Uses the following vulnerabilities:
– MS01-059 (Unchecked Buffer in Universal Plug and Play)
– MS02-018 (Patch for Internet Information Service)
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS03-007 (Unchecked Buffer in Windows Component)
– MS03-026 (Buffer Overrun in RPC Interface)
– MS03-039 (Buffer Overrun in RPCSS Service)
– MS03-049 (Buffer Overrun in the Workstation Service)
– MS04-007 (ASN.1 Vulnerability)
– MS04-011 (LSASS Vulnerability)
– VX05-006 (remote heap overflow in the VERITAS Backup Exec Admin Plus Pack Option)
– Bagle backdoor (port 2745)
– Kuang backdoor (port 17300)
– Mydoom backdoor (port 3127)
– NetDevil backdoor (port 903)
– Optix backdoor (port 3140)
– SubSeven backdoor (port 27347)
– DameWare remote administration (port 6129)


Infection process:
Creates a TFTP or FTP script on the affected machine in order to download the malware remotely onto another system.


Remote activation:
– Tries to activate the malware remotely on the newly infected system. To do this, it calls the NetScheduleJobAdd function.

IRC
To send information and to be controlled, it connects to the IRC server:

Server: suksa.mujas**********
Port: 28555
Channel: #y8#
Nick: r1%string of 9 random characters%
Password: ahraz



– This malware can obtain and send information such as:
    • Stored passwords
    • Screen captures
    • Webcam image captures
    • Processor speed
    • Current user
    • Driver information
    • Free disk space
    • Free memory
    • Time since the malware was launched
    • Network information
    • Platform ID
    • System process information
    • Amount of memory
    • System directory
    • User
    • Local user activity
    • Operating system information


– In addition, it can perform the following operations:
    • connect to an IRC server
    • launch ICMP DDoS attacks
    • launch SYN DDoS attacks
    • launch TCP DDoS attacks
    • launch UDP DDoS attacks
    • disable DCOM
    • disable network resource sharing
    • disconnect from the IRC server
    • download a file
    • edit the system registry
    • enable DCOM
    • enable network resource sharing
    • execute a file
    • join an IRC channel
    • terminate a process
    • leave an IRC channel
    • open a console
    • execute a DDoS attack
    • scan the network
    • redirect ports
    • register a service
    • send emails
    • start the keylogger
    • start the spreading routine
    • terminate the malware process
    • terminate a process
    • update itself
    • upload a file
    • visit a website

Process termination
List of terminated processes (mostly security and system tools).


Information theft
Tries to obtain the following information:
– Windows Product ID

– The following CD keys:
   • Battlefield 1942; Battlefield 1942 (Road To Rome); Battlefield 1942
      (Secret Weapons of WWII); Battlefield Vietnam; Black and White;
      Command & Conquer Generals; Command and Conquer: Generals (Zero Hour);
      Command and Conquer: Red Alert 2; Command and Conquer: Tiberian Sun;
      Counter-Strike (Retail); Chrome; FIFA 2002; FIFA 2003; Freedom Force;
      Global Operations; Gunman Chronicles; Half-Life; Hidden & Dangerous 2;
      IGI 2: Covert Strike; Industry Giant 2; James Bond 007: Nightfire;
      Legends of Might and Magic; Medal of Honor: Allied Assault; Medal of
      Honor: Allied Assault: Breakthrough; Medal of Honor: Allied Assault:
      Spearhead; Nascar Racing 2002; Nascar Racing 2003; Need For Speed Hot
      Pursuit 2; Need For Speed: Underground; Neverwinter Nights;
      Neverwinter Nights (Hordes of the Underdark); Neverwinter Nights
      (Shadows of Undrentide); NHL 2003; NHL 2002; NOX; Rainbow Six III
      RavenShield; Shogun: Total War: Warlord Edition; Soldier of Fortune II
      - Double Helix; Soldiers Of Anarchy; The Gladiators; Unreal Tournament
      2003; Unreal Tournament 2004

– Monitors the network using a sniffer and looks for the following strings:
   • :.login; :,login; :!login; :@login; :$login; :%login; :^login;
      :*login; :-login; :+login; :/login; :\login; :=login; :?login;
      :'login; :`login; :~login; : login; :.auth; :,auth; :!auth; :@auth;
      :$auth; :%auth; :^auth; :&auth; :*auth; :-auth; :+auth; :/auth;
      :\auth; :=auth; :?auth; :'auth; :`auth; :~auth; : auth; :.id; :,id;
      :!id; :@id; :$id; :%id; :^id; :&id; :*id; :-id; :+id; :/id; :\id;
      :=id; :?id; :'id; :`id; :~id; : id; :.hashin; :!hashin; :$hashin;
      :%hashin; :.secure; :!secure; :.l; :!l; :$l; :%l; :.x; :!x; :$x; :%x;
      :.syn; :!syn; :$syn; :%syn

– A logging routine is started after the following site is visited:
   • paypal.com

– Captures:
    • Keyboard input

Other information
Mutex:
Creates the following mutex:
   • 3


Strings:
In addition, it contains the following strings:
   • 131.131.131.131
   • netninjaz_place
   • 12/12/04 13:13:13
   • netmaniac was here
   • neTmaNiac

File details
Programming language:
Programming language used: C (compiled with Microsoft Visual C++).


File compression:
To hinder detection and reduce the file size, the following packer is used:
   • NSPack

Description inserted by Daniel Constantin on Monday, April 17, 2006
Description updated by Andrei Ivanes on Friday, April 21, 2006
