Virus: Worm/Scano.L
Date discovered: 27/04/2006
Type: Worm
In the wild: Yes
Reported infections: Low
Distribution potential: Medium
Damage potential: Low to medium
Static file: Yes
File size: 18,346 bytes
MD5 checksum: c6681169cc2f1e40fe3dd47bb49d83f0
VDF version: 6.34.01.14 - Thursday, April 27, 2006
IVDF version: 6.34.01.14 - Thursday, April 27, 2006
General
Method of propagation:
• Email

Aliases:
• McAfee: W32/Areses.f
• TrendMicro: WORM_BAGLE.EP
• Sophos: W32/Bagle-GY
• VirusBuster: I-Worm.Scano.H
• Eset: Win32/Scano.L
• Bitdefender: Win32.Worm.Scano.L

It was previously detected as:
• HTML/Drop.Scan.AD.1

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads files
• Uses its own email engine
• Registry modification

Files
It copies itself to the following location:
• %WINDIR%\csrss.exe
The legitimate csrss.exe lives in %WINDIR%\system32; a csrss.exe directly in %WINDIR% is the worm's copy.

It copies itself within an archive to the following location:
• %TEMPDIR%\Message.zip

It tries to download files from the following locations (the file names are masked):
• http://207.46.250.119/g/**********
• http://www.microsoft.com/g/**********
• http://84.22.161.192/s/**********
At the time of writing none of these files was online for further investigation.

Registry
The following registry key is added in order to run the process after reboot:
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
  • "Debugger"="%WINDIR%\csrss.exe"
An Image File Execution Options "Debugger" value tells Windows to start the named program in place of the image and hand it the image's command line. The worm is therefore started every time explorer.exe is launched, including at logon, without any entry in the usual Run keys.

The values of the following registry keys are removed:
– HKLM\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
– HKLM\SYSTEM\ControlSet002\Control\Session Manager\BootExecute
PendingFileRenameOperations holds file renames and deletions scheduled for the next reboot, which is how security products remove files that are locked while Windows is running; BootExecute lists the native programs the Session Manager runs at boot. Clearing both undoes cleanup that has been scheduled for the next restart.

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server is established. The characteristics are described in the following:

From:
The sender address is spoofed.

To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)

Subject:
One of the following (Russian, with an English gloss in brackets; several strings are cut off on the page and are given as shown):
• Приветик, как твои дел? [Hi there, how are you doing?]
• ЙЫЛЙ? [unreadable on the page]
• Привет, ты где? [Hi, where are you?]
• Привет, напиши мне!!! [Hi, write to me!!!]
• Привет! Срочно напиши м! [Hi! Write to me urgently!]
• не! [cut off]
• дешь? [cut off]
• Re: напиши мне! [Re: write to me!]
• Re: Позвони мне! [Re: Call me!]
• Re: Ты где? [Re: Where are you?]
• Re: Когда ты мне ответиш [Re: When will you answer me]
• Re: Как настроение? [Re: How are you feeling?]
• Re: Где пропадаешь? [Re: Where have you been?]

Body:
– In some cases it may be empty.
Otherwise the body of the email is one of the following lines:
• Привет! Я сегодня жду те [Hi! I'm waiting for you today]
• Сегодня в интернете бу [I'll be online today]
• Когда мне напишишь? [When will you write to me?]
• Приветик!!! Как настроен [Hi there!!! How are you feeling]

Attachment:
The filename of the attachment is one of the following:
• Message.zip
• File.zip
• Document.zip
• README.zip
• Passwords.zip
• Readme.zip
• Important.zip
• New.zip
• COOL.zip
• Archive.zip
• Fotos.zip
• private.zip
• confidential.zip
• secret.zip
• images.zip
• your_documents.zip
• backup.zip
The attachment is an archive containing a copy of the malware itself.

Mailing
Search addresses:
It searches files with the following extensions for email addresses:
• .adb; .asp; .cfg; .cgi; .mra; .dbx; .dhtm; .eml; .htm; .html; .jsp; .mbx; .mdx; .mht; .mmf; .msg; .nch; .ods; .oft; .php; .pl; .sht; .shtm; .stm; .tbb; .txt; .uin; .wab; .wsh; .xls; .xml; .dhtml

Avoid addresses:
It does not send emails to addresses containing one of the following strings:
• @microsoft; rating@; f-secur; news; update; .qmail; .gif; anyone@; bugs@; contract@; feste; gold-certs@; help@; info@; nobody@; noone@; 0000; Mailer-Daemon@; @subscribe; kasp; admin; icrosoft; support; ntivi; unix; bsd; linux; listserv; certific; torvalds@; sopho; @foo; @iana; free-av; @messagelab; winzip; google; winrar; samples; spm111@; .00; abuse; panda; cafee; spam; pgp; @avp.; noreply; local; root@; postmaster@
The list skips security vendors, abuse desks and role accounts. A sample-collection or honeypot mailbox whose address contains one of these substrings will never receive the worm.

Injection
It injects code from the following file:
• %WINDIR%\csrss.exe
into all of the following processes:
• services.exe
• svchost.exe

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
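The persistence key described above is an Image File Execution Options (IFEO) "Debugger" hijack. The following script is an added example for triaging that mechanism; it is not Avira's tooling and not part of the original description. It parses the text that `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` produces on a suspect machine, so the check itself runs offline on any OS. The sample export embedded in the script is constructed, and the csrss.exe path in it is the expanded form of the %WINDIR%\csrss.exe value from the description.

```python
"""Flag Image File Execution Options (IFEO) "Debugger" hijacks in a .reg export.

Added example for this write-up, not Avira's tooling. It reads the text of a
`reg export` of the IFEO key taken from the suspect machine and reports every
image that has a Debugger value, calling out the Worm/Scano.L pattern.
"""

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Constructed sample export (not captured from a real infection): a benign
# GlobalFlag entry, the Scano.L hijack from the write-up with %WINDIR%
# expanded, and a Debugger value of the kind Process Explorer's "Replace
# Task Manager" option creates.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Tools\\procexp.exe"
'''


def parse_reg(text):
    """Map each [key] in a .reg export to its {value name: data} pairs.

    Only the subset of the format needed here is handled: quoted value names,
    quoted REG_SZ data (the export's doubled backslashes are undone) and any
    other data kept verbatim, e.g. "dword:00000000".
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name.strip('"')] = data
    return keys


def find_ifeo_debuggers(reg_text):
    """Return (image, debugger, reason) for every IFEO Debugger value found.

    Any Debugger value deserves review, because Windows then starts that
    program instead of the image and hands it the image's command line. The
    write-up's pattern, a csrss.exe anywhere but System32, is named explicitly.
    """
    findings = []
    prefix = IFEO_KEY.lower() + "\\"
    for key, values in parse_reg(reg_text).items():
        if not key.lower().startswith(prefix):
            continue
        debugger = values.get("Debugger")
        if debugger is None:
            continue
        image = key.rsplit("\\", 1)[1]
        path = debugger.strip('"')
        parent, _, exe = path.lower().rpartition("\\")
        if exe == "csrss.exe" and not parent.endswith("\\system32"):
            reason = "csrss.exe outside System32 (Worm/Scano.L pattern)"
        else:
            reason = "IFEO Debugger set; verify it is intentional"
        findings.append((image, debugger, reason))
    return findings


if __name__ == "__main__":
    for image, debugger, reason in find_ifeo_debuggers(SAMPLE_REG):
        print(f"{image:<14} -> {debugger:<28} {reason}")
```

On a live machine, export the key with `reg export` as above and feed the file's contents to `find_ifeo_debuggers`; the export is UTF-16, so open it with `encoding="utf-16"`. Cleanup also has to remove the Debugger value before deleting %WINDIR%\csrss.exe, otherwise explorer.exe will fail to start because its debugger no longer exists.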
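The subject, attachment and avoid-address lists above can be turned directly into a mail-side check. The following script is an added example, not Avira's code and not part of the original description: it parses a raw RFC 822 message with Python's email package, scores it against the lure subjects and archive names from the description (entries that are cut off on the page are left out), and separately tells whether a given mailbox address would be skipped by the worm's avoid list. The messages it builds are constructed test input; the sender and recipient addresses are placeholders.

```python
"""Score inbound mail against the Worm/Scano.L lure strings from this write-up.

Added example for a mail-gateway or mailbox triage script; not Avira's code.
Subject and attachment lists are copied from the write-up (entries visibly cut
off on the page are omitted); all messages built here are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

LURE_SUBJECTS = {
    "Приветик, как твои дел?", "Привет, ты где?", "Привет, напиши мне!!!",
    "Привет! Срочно напиши м!", "Re: напиши мне!", "Re: Позвони мне!",
    "Re: Ты где?", "Re: Когда ты мне ответиш", "Re: Как настроение?",
    "Re: Где пропадаешь?",
}

# Compared case-insensitively, so README.zip and Readme.zip collapse to one entry.
LURE_ATTACHMENTS = {
    "message.zip", "file.zip", "document.zip", "readme.zip", "passwords.zip",
    "important.zip", "new.zip", "cool.zip", "archive.zip", "fotos.zip",
    "private.zip", "confidential.zip", "secret.zip", "images.zip",
    "your_documents.zip", "backup.zip",
}

# The worm's own exclusion list, lower-cased for substring matching.
AVOID_SUBSTRINGS = [
    "@microsoft", "rating@", "f-secur", "news", "update", ".qmail", ".gif",
    "anyone@", "bugs@", "contract@", "feste", "gold-certs@", "help@", "info@",
    "nobody@", "noone@", "0000", "mailer-daemon@", "@subscribe", "kasp", "admin",
    "icrosoft", "support", "ntivi", "unix", "bsd", "linux", "listserv",
    "certific", "torvalds@", "sopho", "@foo", "@iana", "free-av", "@messagelab",
    "winzip", "google", "winrar", "samples", "spm111@", ".00", "abuse", "panda",
    "cafee", "spam", "pgp", "@avp.", "noreply", "local", "root@", "postmaster@",
]


def classify_message(raw_bytes):
    """Return {"verdict": "high"|"low"|"none", "hits": [...]} for one message.

    "high" needs both a lure subject and a lure archive name; either alone is
    "low", because the archive names in particular are generic.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()   # RFC 2047 already decoded
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    hits = []
    if subject in LURE_SUBJECTS:
        hits.append("subject is a Scano.L lure")
    att_hits = [n for n in names if n.lower() in LURE_ATTACHMENTS]
    hits.extend(f"attachment {n} is a Scano.L archive name" for n in att_hits)
    if subject in LURE_SUBJECTS and att_hits:
        verdict = "high"
    elif hits:
        verdict = "low"
    else:
        verdict = "none"
    return {"verdict": verdict, "hits": hits}


def worm_would_skip(address):
    """Avoid-list substrings that stop Scano.L from mailing this address.

    Useful when picking seed or honeypot mailboxes: if this returns anything,
    the worm will never send a sample there.
    """
    lowered = address.lower()
    return [s for s in AVOID_SUBSTRINGS if s in lowered]


def build_sample(subject, attachment_name, body=""):
    """Constructed test message in the shape the write-up describes."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.org"   # placeholder, spoofed like the worm's
    msg["To"] = "olga@corp.example"              # placeholder recipient
    msg["Subject"] = subject
    msg.set_content(body)                        # the body is often empty
    msg.add_attachment(b"PK\x05\x06" + bytes(18),   # empty zip: EOCD record only
                       maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify_message(build_sample("Привет, ты где?", "Passwords.zip")))
    print(worm_would_skip("samples@lab.example"))
```

The subject match is exact on purpose: the lures are fixed strings, and a substring or fuzzy match on "Re:" plus a short Russian phrase would hit ordinary mail. In a gateway you would also check the archive's contents; the description only says it holds a copy of the worm, so that part is left to the scanner.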
Description inserted by Irina Boldea on Tuesday, September 12, 2006 Description updated by Irina Boldea on Tuesday, September 12, 2006