English
Deutsch
Español
Italian
Home
Virus Info
Worm/Nanspy.D
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
Worm/Nanspy.D - Worm
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
Worm/Nanspy.D
Date discovered:
07/10/2005
Type:
Worm
In the wild:
No
Reported Infections:
Low
Distribution Potential:
Medium
Damage Potential:
Low to medium
Static file:
Yes
File size:
34.368 Bytes
MD5 checksum:
3BDA9B1A7B39CD7DDF978A7084A298A5
VDF version:
6.30.0.235
General
Method of propagation:
• Local network
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Blocks access to certain websites
• Downloads a malicious file
• Registry modification
• Makes use of software vulnerability
Files
It copies itself to the following location:
•
%SYSDIR%
\mmsvc32.exe
It tries to download some files:
– The location is the following:
• http://web.**********.com/bbot.exe
It is saved on the local hard drive under:
%SYSDIR%
\bbot.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as:
BDS/Nanspy.C
– The locations are the following:
• http://nnpy.**********.com/lipscr2.php
• http://www.**********.com/sdata.txt
• http://nnpyev.**********.com/wad/nnpy.txt
• http://nnpytmp.**********.com/nnpyk2.php?action=knock
Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Microsoft Network Services Controller"="
%SYSDIR%
\mmsvc32.exe"
The values of the following registry key are removed:
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• Microsoft IIS
• PayTime
• lp3mr1sh
Network Infection
In order to ensure its propagation the malware attemps to connect to other machines as described below.
Exploit:
It makes use of the following Exploit:
–
MS03-026
(Buffer Overrun in RPC Interface)
IP address generation:
It creates random IP addresses while it keeps the first two octets from its own address. Afterwards it tries to establish a connection with the created addresses.
Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.
The downloaded file is stored on the compromised machine as:
%system drive root%
\mmf32.exe
Hosts
The host file is modified as explained:
– In this case existing entries are deleted.
– Access to the following domains are redirected to other destinations:
• lloydstsb.co.uk; online.lloydstsb.co.uk; www.lloydstsb.co.uk;
www.lloydstsb.com; personal.barclays.co.uk; barclays.co.uk;
ibank.barclays.co.uk; www.barclays.co.uk; www.nwolb.com; nwolb.com;
hsbc.co.uk; www.hsbc.co.uk; abbey.com; www.abbey.com; www.abbey.co.uk;
abbey.co.uk; cahoot.com; www.cahoot.com; www.cahoot.co.uk;
cahoot.co.uk; www.co-operativebank.co.uk; co-operativebank.co.uk;
www.co-operativebank.com; co-operativebank.com;
welcome2.co-operativebankonline.co.uk;
welcome6.co-operativebankonline.co.uk;
welcome8.co-operativebankonline.co.uk;
welcome10.co-operativebankonline.co.uk; www.smile.co.uk; smile.co.uk;
www.cajamar.es; cajamar.es; www.cajamar.com; www.unicaja.es;
unicaja.es; www.unicaja.com; unicaja.com; www.caixagalicia.es;
caixagalicia.es; www.caixagalicia.com; caixagalicia.com;
activa.caixagalicia.es; www.caixapenedes.es; caixapenedes.es;
www.caixapenedes.com; caixapenedes.com; bancae.caixapenedes.com;
www.caixasabadell.es; caixasabadell.es; www.caixasabadell.net;
caixasabadell.net; www.cajamadrid.es; cajamadrid.es;
www.cajamadrid.com; cajamadrid.com; oi.cajamadrid.es; www.ccm.es;
ccm.es; www.haspa.de; haspa.de; ssl2.haspa.de; www.dresdner-bank.de;
dresdner-bank.de; www.dresdner-privat.de; postbank.de;
www.postbank.de; banking.postbank.de; www.sparda-b.de; sparda-b.de;
www.bankingonline.de; www.raiffeisenbank-erding.de;
raiffeisenbank-erding.de; www.vr-networld-ebanking.de;
vr-networld-ebanking.de; www.bnhof.de; bnhof.de; www.deutsche-bank.de;
deutsche-bank.de; meine.deutsche-bank.de; www.citibank.de;
citibank.de; cipehb13.cdg.citibank.de; www.dkb.de; dkb.de;
www.sparkasse-regensburg.de; sparkasse-regensburg.de;
www.berliner-bank.de; berliner-bank.de; www.berliner-sparkasse.de;
berliner-sparkasse.de
The modified host file will look like this:
Process termination
List of processes that are terminated:
• ftp.exe
• tftp.exe
• nh.exe
• nethost.exe
• syshost.exe
• ppc.exe
• paytime.exe
• lp3mr1sh.exe
• tibs.exe
File details
Programming language:
The malware program was written in Delphi.
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• UPX
See a brief description
here
.
Description inserted by Andrei Gherman on Mon, 10 Oct 2005 07:25 (GMT+1)
Description updated by Andrei Gherman on Wed, 12 Oct 2005 16:34 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
W32/Elkern.C
TR/Crypt.CFI.Gen
Worm/KillAV.GR
Worm/Mytob.AP
Worm/Mytob.AT
TR/Crypt.PEPM.Gen
TR/Vundo.ewz.9
TR/Monderb.318720
Worm/IrcBot.39673.1
TR/PSW.Steam.DU
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info Worm/Nanspy.D
Print this page
.gif)
