Name:Worm/Scano.AB
Entdeckt am:24/10/2006
Art:Worm
In freier Wildbahn:Ja
Gemeldete Infektionen:Niedrig
Verbreitungspotenzial:Mittel bis hoch
Schadenspotenzial:Niedrig bis mittel
Statische Datei:Ja
Dateigröße:20.900 Bytes
MD5 Prüfsumme:e0ce6ec3ef1dd0db9ebc6bdb47664516
VDF Version:6.36.00.158
IVDF Version:6.36.00.175 - Freitag, 27. Oktober 2006

 General Verbreitungsmethoden:
   • Email
   • Peer to Peer


Aliases:
   •  Mcafee: W32/Areses.gen
   •  Kaspersky: Email-Worm.Win32.Scano.x
   •  F-Secure: Email-Worm.Win32.Scano.x
   •  Panda: W32/Areses.BF.worm
   •  Grisoft: I-Worm/Scano.BC
   •  VirusBuster: I-Worm.Scano.BD
   •  Eset: Win32/Scano.NBC
   •  Bitdefender: Win32.Scano.AB@mm


Betriebsysteme:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Auswirkungen:
   • Lädt eine Dateien herunter
   • Verfügt über eigene Email Engine
   • Änderung an der Registry

 Dateien Eine Kopie seiner selbst wird hier erzeugt:
   • %WINDIR%\csrss.exe




Es wird versucht folgende Datei herunterzuladen:

– Die URL ist folgende:
   • http://xe**********uo.com/m2/g.php
Zum Zeitpunkt der Analyse war diese Datei nicht verfügbar.

 Registry Der folgende Registryschlüssel wird hinzugefügt um den Prozess nach einem Neustart des Systems erneut zu starten.

– SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Debugger"="%WINDIR%\csrss.exe"



Folgender Registryschlüssel wird hinzugefügt:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\explorer.exe]
   • "Debugger"="%WINDIR%\csrss.exe"

 Email Die Malware verfügt über eine eigene SMTP engine um Emails zu versenden. Hierbei wird die Verbindung mit dem Zielserver direkt aufgebaut. Die Einzelheiten sind im Folgenden aufgeführt:


Von:
Die Absenderadresse wurde gefälscht.
Generierte Adressen. Bitte vermuten Sie nicht, dass es des Absenders Absicht war diese Email zu schicken. Es ist möglich, dass er nichts über seine Infektion weiß oder sogar nicht infiziert ist. Des Weiteren ist es möglich, dass Sie Emails bekommen in denen die Rede davon ist, dass Sie infiziert sind was möglicherweise auch nicht stimmt.


An:
– Email Adressen welche in ausgewählten Dateien auf dem System gefunden wurden.
– Generierte Adressen


Betreff:
Eine der folgenden:
   • Hi, what's up?
   • He, where are you?
   • Hi, drop me a line!!!
   • Hi! Please write to me urgently!
   • Hi! I'm waiting you online today!
   • Will you be online today?
   • When you're gonna answer me?
   • Re: write to me!
   • Re: Call me!
   • Re: Where are you?
   • Re: When you're gonna answer me?
   • Hi!!! How's the mood?
   • Re: How's the mood?
   • Re: Where have you been?



Body:
Der Body der Email ist einer der folgenden:
   • Hi!!!!! You haven't been writing for a long time. I began to worry) Where have you been? You remember, you've asked a progy from me? I've finally found it, so here it is. Check it out if this is what you've been looking for... bye
   • Hi, what's up? Will you show up online today?
   • Drop me a line in ICQ, ok? Btw, I'm sending you the docs you've been looking for, find them attached. Check them out, ok?
   • Hi!
   • I'm coming to you tomorrow, ok? When you are going to be home?
   • You remember, you've asked some docs. Please find them attached. Check and see what's inside. That's it. Bye, till tomorrow...
   • Hi!
   • You disappeared again. If you come online, drop me a line, ok?
   • Btw, I sent you those docs that you've been looking for. Check them out. Bye!
   • Hi, give me a call just when you got the message! I'm tired of waiting. Btw, I'm sending that program that you've been looking for. Check it out. Appears to be that one. Bye!
   • Hi, what's up? If you have time tomorrow, please come over. After midday. By the way, don't forget to check the enclosed documents. Bye. See you tomorrow.
   • Hi, I got a free day tomorrow, and I'm waiting for you. Please come after midday. By the way, I'm sending you the documents that you've been asking for. Read them out... Bye!
   • Hi, how are you? What are your plans today? If you have time, please come over, and don't forget to check the program attached. Bye!
   • Hi, what's you gonna do today? I'll come over tonight! By the way, don't give anyone this funny program I'm sending. Check it out. Bye!
   • Hi, I found that program you asked for. Find it attached. Bye.
   • Hi, I saw you around today, but you didn't noticed me ( If you're gonna be at home, give a call, ok? By the way, check this file I'm sending. A very interesting program...
   • What's up! You haven't been writing for a long time
   • I got news. I've finally that program you needed
   • I'm sending it out. Use it. Bye!
   • Hi, drop me a line today, ok? And see the program I'm sending. Bye!
   • Hi, drop me a line if you can. Btw, I have a new ICQ. Please don't forget to check the attached documents. Bye.
   • Hi! How are you? Drop me a line if you can. I found your documents and I'm emailing them to you. Bye.


Dateianhang:
Der Dateiname des Anhangs ist einer der folgenden:
   • Message
   • File
   • Document
   • README
   • Passwords
   • Readme
   • Important
   • New
   • COOL
   • Archive
   • Fotos
   • private
   • confidential
   • secret
   • images
   • your_documents
   • backup

    Die Dateierweiterung ist eine der folgenden:
   • .hta

Der Dateianhang ist eine Kopie der Malware.

 Versand Suche nach Adressen:
Es durchsucht folgende Dateien nach Emailadressen:
   • .adb; .asp; .cfg; .cgi; .mra; .dbx; .dhtm; .eml; .htm; .html; .jsp;
      .mbx; .mdx; .mht; .mmf; .msg; .nch; .ods; .oft; .php; .pl; .sht;
      .shtm; .stm; .tbb; .txt; .uin; .wab; .wsh; .xls; .xml; .dhtml


Vermeidet Adressen:
Es werden keine Emails an Adressen verschickt, die eine der folgenden Zeichenketten enthalten:
   • @example.; 2003; 2004; 2005; 2006; @microsoft; rating@; f-secur; news;
      update; .qmail; .gif; anyone@; bugs@; contract@; feste; gold-certs@;
      help@; info@; nobody@; noone@; 0000; Mailer-Daemon@; @subscribe; kasp;
      admin; icrosoft; support; ntivi; unix; bsd; linux; listserv; certific;
      torvalds@; sopho; @foo; @iana; free-av; @messagelab; winzip; google;
      winrar; samples; spm111@; ..; -0; .00; @.; ---; abuse; panda; cafee;
      spam; pgp; @avp.; noreply; local; root@; postmaster@; .0; .1; .2; .3;
      .4; .5; .6; .7; .8; .9

 P2P Um weitere Systeme im Peer to Peer Netzwerk zu infizieren wird folgendes unternommen:  


Es wird nach folgenden Verzeichnissen gesucht:
   • bear
   • donkey
   • download
   • ftp
   • htdocs
   • http
   • icq
   • kazaa
   • lime
   • morpheus
   • mule
   • shar
   • source
   • upload
   • pub
   • log

   War die Suche erfolgreich so werden folgende Dateien erstellt:
   • 1001 Sex and more.rtf.exe; 3D Studio Max 6 3dsmax.exe; ACDSee 10
      full.exe; Adobe Photoshop 10 full.exe; Adobe Premiere 10.exe; Ahead
      Nero 8.exe; Altkins Diet.doc.exe; American Idol.doc.exe; Arnold
      Schwarzenegger.jpg.exe; Best Matrix Screensaver new.exe; Britney sex
      xxx.jpg.exe; Britney Spears and Eminem porn.jpg.exe; Britney Spears
      blowjob.jpg.exe; Britney Spears cumshot.jpg.exe; Britney Spears
      fuck.jpg.exe; Britney Spears full album.mp3.exe; Britney Spears
      porn.jpg.exe; Britney Spears Sexy archive.doc.exe; Britney Spears Song
      text archive.doc.exe; Britney Spears.jpg.exe; Britney Spears.mp3.exe;
      Clone DVD 6.exe; Cloning.doc.exe; Cracks & Warez Archiv.exe; Dark
      Angels new.exe; Dictionary English 2004 - France.doc.exe; DivX 8.0
      final.exe; Doom 3 release 2.exe; DrWeb 4.7 Full installer.exe; E-Book
      Archive2.rtf.exe; Eminem blowjob.jpg.exe; Eminem full album.mp3.exe;
      Eminem Poster.jpg.exe; Eminem sex xxx.jpg.exe; Eminem Sexy
      archive.doc.exe; Eminem Spears porn.jpg.exe; Eminem.mp3.exe; Full
      album all.mp3.exe; Gimp 1.8 Full with Key.exe; Harry Potter 1-6
      book.txt.exe; Harry Potter 5.mpg.exe; Harry Potter all e.book.doc.exe;
      Harry Potter e book.doc.exe; Harry Potter game.exe; Harry
      Potter.doc.exe; Harry Potter and the Sorcerer's Stone game.exe; How to
      hack new.doc.exe; Internet Explorer 9 setup.exe; Kaspersky Internet
      Security 6.1 KeyALL.exe; Kaspersky`s Pub 6.0 Ultimate.exe; Kazaa Lite
      4.0 new.exe; Kazaa new.exe; Keygen 4 all new.exe; Learn Programming
      2004.doc.exe; Lightwave 9 Update.exe; Magix Video Deluxe 5 beta.exe;
      Matrix 3 .mpg.exe; Microsoft Office 2003 Crack best.exe; Microsoft
      WinXP Crack full.exe; MS Service Pack 6.exe; source code.exe; Norton
      Antivirus 2005 beta.exe; Opera 11 free.exe; Partitionsmagic 10
      beta.exe; Porno Screensaver britney.exe; RFC compilation.doc.exe;
      Ringtones.doc.exe; Nostradamus.doc.exe; World Trade Center last
      video.mpeg.exe; anthrax.doc.exe; Osama Bin Laden.jpg.exe; Taliban.exe;
      Osama bin Laden.mpg.exe; Yellow Pages.exe; Ringtones.mp3.exe; Saddam
      Hussein.jpg.exe; Screensaver2.exe; Serials edition.txt.exe; Smashing
      the stack full.rtf.exe; Star Office 9.exe; Teen Porn 15.jpg.exe; The
      Sims 4 beta.exe; Ulead Keygen 2004.exe; Visual Studio Net Crack
      all.exe; Vista review.doc.exe; WinAmp 13 full with sources.exe;
      Windows Vista Sourcecode.doc.exe; Windows 2003 crack.exe; Windows XP
      crack.exe; WinXP eBook newest.doc.exe; XXX hardcore pics.jpg.exe; From
      me with love.exe; 1001 Sex and more.rtf.pif; 3D Studio Max 6
      3dsmax.pif; ACDSee 10 full.pif; Adobe Photoshop 10 full.pif; Adobe
      Premiere 10.pif; Ahead Nero 8.pif; Altkins Diet.doc.pif; American
      Idol.doc.pif; Arnold Schwarzenegger.jpg.pif; Best Matrix Screensaver
      new.pif; Britney sex xxx.jpg.pif; Britney Spears and Eminem
      porn.jpg.pif; Britney Spears blowjob.jpg.pif; Britney Spears
      cumshot.jpg.pif; Britney Spears fuck.jpg.pif; Britney Spears full
      album.mp3.pif; Britney Spears porn.jpg.pif; Britney Spears Sexy
      archive.doc.pif; Britney Spears Song text archive.doc.pif; Britney
      Spears.jpg.pif; Britney Spears.mp3.pif; Clone DVD 6.pif;
      Cloning.doc.pif; Cracks & Warez Archiv.pif; Dark Angels new.pif;
      Dictionary English 2004 - France.doc.pif; DivX 8.0 final.pif; Doom 3
      release 2.pif; DrWeb 4.7 Full installer.pif; E-Book Archive2.rtf.pif;
      Eminem blowjob.jpg.pif; Eminem full album.mp3.pif; Eminem
      Poster.jpg.pif; Eminem sex xxx.jpg.pif; Eminem Sexy archive.doc.pif;
      Eminem Spears porn.jpg.pif; Eminem.mp3.pif; Full album all.mp3.pif;
      Gimp 1.8 Full with Key.pif; Harry Potter 1-6 book.txt.pif; Harry
      Potter 5.mpg.pif; Harry Potter all e.book.doc.pif; Harry Potter e
      book.doc.pif; Harry Potter game.pif; Harry Potter.doc.pif; Harry
      Potter and the Sorcerer's Stone game.pif; How to hack new.doc.pif;
      Internet Explorer 9 setup.pif; Kaspersky Internet Security 6.1
      KeyALL.pif; Kaspersky`s Pub 6.0 Ultimate.pif; Kazaa Lite 4.0 new.pif;
      Kazaa new.pif; Keygen 4 all new.pif; Learn Programming 2004.doc.pif;
      Lightwave 9 Update.pif; Magix Video Deluxe 5 beta.pif; Matrix 3
      .mpg.pif; Microsoft Office 2003 Crack best.pif; Microsoft WinXP Crack
      full.pif; MS Service Pack 6.pif; source code.pif; Norton Antivirus
      2005 beta.pif; Opera 11 free.pif; Partitionsmagic 10 beta.pif; Porno
      Screensaver britney.pif; RFC compilation.doc.pif; Ringtones.doc.pif;
      Nostradamus.doc.pif; World Trade Center last video.mpeg.pif;
      anthrax.doc.pif; Osama Bin Laden.jpg.pif; Taliban.pif; Osama bin
      Laden.mpg.pif; Yellow Pages.pif; Ringtones.mp3.pif; Saddam
      Hussein.jpg.pif; Screensaver2.pif; Serials edition.txt.pif; Smashing
      the stack full.rtf.pif; Star Office 9.pif; Teen Porn 15.jpg.pif; The
      Sims 4 beta.pif; Ulead Keygen 2004.pif; Visual Studio Net Crack
      all.pif; Vista review.doc.pif; WinAmp 13 full with sources.pif;
      Windows Vista Sourcecode.doc.pif; Windows 2003 crack.pif; Windows XP
      crack.pif; WinXP eBook newest.doc.pif; XXX hardcore pics.jpg.pif; From
      me with love.pif; 1001 Sex and more.rtf.scr; 3D Studio Max 6
      3dsmax.scr; ACDSee 10 full.scr; Adobe Photoshop 10 full.scr; Adobe
      Premiere 10.scr; Ahead Nero 8.scr; Altkins Diet.doc.scr; American
      Idol.doc.scr; Arnold Schwarzenegger.jpg.scr; Best Matrix Screensaver
      new.scr; Britney sex xxx.jpg.scr; Britney Spears and Eminem
      porn.jpg.scr; Britney Spears blowjob.jpg.scr; Britney Spears
      cumshot.jpg.scr; Britney Spears fuck.jpg.scr; Britney Spears full
      album.mp3.scr; Britney Spears porn.jpg.scr; Britney Spears Sexy
      archive.doc.scr; Britney Spears Song text archive.doc.scr; Britney
      Spears.jpg.scr; Britney Spears.mp3.scr; Clone DVD 6.scr;
      Cloning.doc.scr; Cracks & Warez Archiv.scr; Dark Angels new.scr;
      Dictionary English 2004 - France.doc.scr; DivX 8.0 final.scr; Doom 3
      release 2.scr; DrWeb 4.7 Full installer.scr; E-Book Archive2.rtf.scr;
      Eminem blowjob.jpg.scr; Eminem full album.mp3.scr; Eminem
      Poster.jpg.scr; Eminem sex xxx.jpg.scr; Eminem Sexy archive.doc.scr;
      Eminem Spears porn.jpg.scr; Eminem.mp3.scr; Full album all.mp3.scr;
      Gimp 1.8 Full with Key.scr; Harry Potter 1-6 book.txt.scr; Harry
      Potter 5.mpg.scr; Harry Potter all e.book.doc.scr; Harry Potter e
      book.doc.scr; Harry Potter game.scr; Harry Potter.doc.scr; Harry
      Potter and the Sorcerer's Stone game.scr; How to hack new.doc.scr;
      Internet Explorer 9 setup.scr; Kaspersky Internet Security 6.1
      KeyALL.scr; Kaspersky`s Pub 6.0 Ultimate.scr; Kazaa Lite 4.0 new.scr;
      Kazaa new.scr; Keygen 4 all new.scr; Learn Programming 2004.doc.scr;
      Lightwave 9 Update.scr; Magix Video Deluxe 5 beta.scr; Matrix 3
      .mpg.scr; Microsoft Office 2003 Crack best.scr; Microsoft WinXP Crack
      full.scr; MS Service Pack 6.scr; source code.scr; Norton Antivirus
      2005 beta.scr; Opera 11 free.scr; Partitionsmagic 10 beta.scr; Porno
      Screensaver britney.scr; RFC compilation.doc.scr; Ringtones.doc.scr;
      Nostradamus.doc.scr; World Trade Center last video.mpeg.scr;
      anthrax.doc.scr; Osama Bin Laden.jpg.scr; Taliban.scr; Osama bin
      Laden.mpg.scr; Yellow Pages.scr; Ringtones.mp3.scr; Saddam
      Hussein.jpg.scr; Screensaver2.scr; Serials edition.txt.scr; Smashing
      the stack full.rtf.scr; Star Office 9.scr; Teen Porn 15.jpg.scr; The
      Sims 4 beta.scr; Ulead Keygen 2004.scr; Visual Studio Net Crack
      all.scr; Vista review.doc.scr; WinAmp 13 full with sources.scr;
      Windows Vista Sourcecode.doc.scr; Windows 2003 crack.scr; Windows XP
      crack.scr; WinXP eBook newest.doc.scr; XXX hardcore pics.jpg.scr; From
      me with love.scr

   Diese Dateien sind Kopien der eigenen Malware Datei

 Injektion – Es injiziert sich in einen Prozess.

    Alle der folgenden Prozesse:
   • svchost.exe
   • services.exe


 Datei Einzelheiten Programmiersprache:
 Das Malware-Programm wurde in MS Visual C++ geschrieben.


Laufzeitpacker:
Um eine Erkennung zu erschweren und die Größe der Datei zu reduzieren wurde sie mit folgendem Laufzeitpacker gepackt:
   • Upack

Description inserted by Ana Maria Niculescu on Friday, October 5, 2007
Description updated by Andrei Gherman on Thursday, October 18, 2007

Back . . . .
 
 
 
 

© 2013 Avira Operations GmbH & Co. KG. All rights reserved.

My Account

https:// This window is encrypted for your security.