Full description

Nume:	VBS/Small.Sasan.A
Descoperit pe data de:	08/11/2007
Tip:	Vierme
ITW:	Nu
Numar infectii raportate:	Scazut
Potential de raspandire:	Scazut spre mediu
Potential de distrugere:	Scazut spre mediu
Fisier static:	Da
Marime:	10.164 Bytes
MD5:	efe528483fd3c6ed75a8c1e016026e10
Versiune VDF:	7.00.00.185
Versiune IVDF:	7.00.00.192 - Thursday, November 8, 2007

General Metoda de raspandire:
   • Discuri de retea mapate

Alias:
   • Sophos: VBS/Sasan-Fam
   • Grisoft: VBS/LoveLetter

Sistem de operare:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Efecte secundare:
   • Inchide aplicatiile de securitate
   • Creeaza un fisier
   • Modificari in registri

Dupa activare, ruleaza un program Windows care afiseaza urmatoarea fereastra:

   Merlin: Huh..Banjarbaru makin panas aja ya
   Merlin: It's now time to work. Jangan ngerumpi mulu..
   Merlin: Hope you enjoy today.
   Merlin: Komputernya ta dinginin dulu OK
   Merlin: Cape dech, Bye Bye Ahh!

Fisiere Se copiaza in urmatoarele locatii:
   • %sysdir%\ctfmon.exe.vbe
   • %unitate disc%\Thumbs.db.vbe
   • %unitate disc%\%fisier sters%.vbe

Scaneaza urmatorul director:
   • %unitate disc%\

Vizeaza urmatoarele tipuri de fisiere:
   • .doc
   • .docx
   • .xls
   • .ppt
   • .jpg
   • .bmp
   • .3gp
   • .rm

Fisierul original este apoi sters.

Este creat fisierul:

– %unitate disc%\autorun.inf Acesta este un fisier text care nu prezinta pericol si are urmatorul continut:
   • [autorun]
     shellexecute=wscript.exe Thumbs.db.vbe

Incearca se execute urmatorul fisier:

– Numele fisierului:
   • %sysdir%\cmd.exe
cu urmatorii parametri: shutdown -s -t 00 -f -m

Registrii sistemului Urmatoarea cheie este adaugata in registri pentru a rula procesul la repornirea sistemului:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • CTFMon="%sysdir%\ctfmon.exe.vbe"

Urmatoarele chei sunt adaugate in registrii sistemului:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
   Advanced]
   • Hidden=dword:00000002

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\cmd.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\install.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\msconfig.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\regedit.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AVG Free.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\regedt32.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RegistryEditor.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\setup.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\setup32.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AVG 7.5.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rstrui.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\PCMAV.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\PCMAV-CLN.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\PCMAV-RTP.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ANSAV.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AVG.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\run.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avgw.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AVG Free Edition.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AVG Free Edition Test Centre.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Avg Free Control Center.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\vbren.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Kaspersky.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Kaspersky 6.0.2.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\PC Tools.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AVAST.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\CAV.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\McAfee.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\McAfee VirusScan.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Symantec.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Norman.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TuneUp Utilities.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TuneUp Utilities 2006.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TuneUp Utilities 2007.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Stars TuneUp Utilities.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Fix the BRONTOK.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\NOD32.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\HijackThis.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\hijack.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\navw32.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\griso.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\procexp.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avp.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\samdAV 3.3.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\samdAV 3.2.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\smadAV.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\
   Avira Antivir PersonalEdition Classic.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avcenter.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AntiVir.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Avira.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\procmon.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\filemon.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\DiskCleaner.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RegistryCleaner.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\StarUpManager.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TuneUp RescueCenter.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RescueCenter.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TuneUp RegistryEditor.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avgcc.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\VPTray.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\VPDN_LU.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\VPC32.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TweakUI for Windows XP.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TweakUI.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MSConfig CleanUp.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\CCleaner.exe]
   • Debugger="notepad.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Itegrator.exe]
   • Debugger="notepad.exe"

Urmatoarele chei din registri sunt modificate:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   Noua valoare:
   • NoDriveTypeAutoRun=dword:00000000
   • NoFind=dword:00000001
   • NoFolderOptions=dword:00000001
   • NoRun=dword:00000001
   • NoViewContextMenu=dword:00000001

– [HKCR\VBEFile\DefaultIcon]
   Noua valoare:
   • (Default)=shell32.dll,-50

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Vechea valoare:
   • Hidden= %setarile utilizatorului%
     HideFileExt= %setarile utilizatorului%
     SuperHidden= %setarile utilizatorului%
   Noua valoare:
   • Hidden=dword:00000000
     HideFileExt=dword:00000001
     SuperHidden=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   Vechea valoare:
   • DisableRegistryTools= %setarile utilizatorului%
     DisableTaskMgr= %setarile utilizatorului%
   Noua valoare:
   • DisableRegistryTools=dword:00000001
     DisableTaskMgr=dword:00000001

Detaliile fisierului Limbaj de programare:
Limbaj de programare folosit: Visual Basic.

Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit un program de compresie runtime.

Description inserted by Monica Ghitun on Friday, November 9, 2007
Description updated by Monica Ghitun on Friday, November 9, 2007

Back . . . .

Featured PC protection

Free products

Most popular

All products

Bundled Solutions

Workstation

Server

Bundled Solutions

Mail Gateways

Web Gateways

Collaboration Platforms

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools