Worm/Locksky.BG.1 - Worm
Virus: Worm/Locksky.BG.1
Date discovered: 08/08/2007
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 16.384 Bytes
MD5 checksum: 3de189722f632d2a6b3a08c49e7db6b6
VDF version: 6.38.01.081
IVDF version: 6.38.01.085
General
Method of propagation:
• Email
Aliases:
• Mcafee: W32/Loosky
• Kaspersky: Email-Worm.Win32.Locksky.bg
• F-Secure: Email-Worm.Win32.Locksky.bg
• Panda: W32/LockSky.DY.worm
• Grisoft: I-Worm/Locksky.CW
• Eset: Win32/Spabot.U
• Bitdefender: Win32.Locksky.BF
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads a malicious file
• Uses its own Email engine
• Lowers security settings
• Registry modification
• Steals information
Files
It copies itself to the following location:
• %SYSDIR%\spoolsvv.exe
It tries to download a file:
– The location is the following:
• http://5sec.name/panel/**********
At the time of writing, this file was not online for further investigation.
It tries to execute the following file:
– Filename:
• %sysdir%\netsh.exe
using the following command line arguments: firewall set allowedprogram "%malware execution directory%\%executed file%" enable
Registry
The following registry key is added in order to run the process after reboot:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• "spoolsvv"="%SYSDIR%\spoolsvv.exe"
Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:
From:
The sender address is spoofed.
To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
Attachment:
The attachment is a copy of the malware itself.
Mailing
Search addresses:
It searches files with the following extension for email addresses:
• htm
Address generation for FROM field:
To generate addresses it uses the following strings:
• admin
• webmaster
• support
Backdoor
Contact server:
All of the following:
• http://5sec.name/panel/**********
• http://5sec.name/panel/**********
• http://5sec.name/panel/**********
As a result, it may send some information.
Sends information about:
• Created logfiles
• IP address
• Current malware status
• System time
Miscellaneous
Mutex:
It creates the following Mutex:
• !aBirValG!
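The artifacts listed above (the dropped copy and its MD5, the Run value, the netsh firewall exception and the mutex) are enough to check a host for this worm. The following Python is an added example, not Avira's code: it matches the indicators from this description against a constructed snapshot of host artifacts. The HostSnapshot layout, the sample paths, the second placeholder hash and the sample command lines are assumptions; only the indicator values come from the description.

```python
"""Host-side indicator check for the Worm/Locksky.BG.1 artifacts above (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators copied from the description.
DROPPED_FILE = "spoolsvv.exe"
KNOWN_MD5 = "3de189722f632d2a6b3a08c49e7db6b6"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "spoolsvv"
MUTEX_NAME = "!aBirValG!"

# Legacy "netsh firewall set allowedprogram <program> enable" form used by the worm.
# The program path is whatever the worm was executed as, so any path is reported.
NETSH_ALLOWEDPROGRAM = re.compile(
    r'(?:^|\\|\s)netsh(?:\.exe)?\s+firewall\s+set\s+allowedprogram\s+'
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))\s+enable\b',
    re.IGNORECASE,
)


@dataclass
class HostSnapshot:
    """Assumed shape of an inventory export; not a real collection format."""
    files: dict            # full path -> MD5 hex digest
    run_values: dict       # HKLM\...\Run value name -> data
    command_lines: list    # process creation command lines
    mutexes: list          # mutex names observed on the host


def check_host(snap: HostSnapshot) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs for every Locksky.BG.1 artifact found."""
    findings = []

    for path, md5 in snap.files.items():
        if path.lower().endswith("\\" + DROPPED_FILE):
            if md5.lower() == KNOWN_MD5:
                findings.append(("file-md5", path))
            else:
                # Same file name but a different hash: repacked variant or unrelated file.
                findings.append(("file-name", path))

    data = snap.run_values.get(RUN_VALUE_NAME)
    if data is not None and DROPPED_FILE in data.lower():
        findings.append(("run-key", f"{RUN_KEY}\\{RUN_VALUE_NAME} = {data}"))

    for cmd in snap.command_lines:
        m = NETSH_ALLOWEDPROGRAM.search(cmd)
        if m:
            findings.append(("firewall-exception", m.group("quoted") or m.group("bare")))

    if MUTEX_NAME in snap.mutexes:
        findings.append(("mutex", MUTEX_NAME))

    return findings


# Constructed sample snapshot. The first hash is the one from the description;
# the all-zero hash is a placeholder standing in for the legitimate spooler.
SAMPLE = HostSnapshot(
    files={
        r"C:\WINDOWS\system32\spoolsvv.exe": KNOWN_MD5,
        r"C:\WINDOWS\system32\spoolsv.exe": "00000000000000000000000000000000",
        r"C:\WINDOWS\Temp\spoolsvv.exe": "ffffffffffffffffffffffffffffffff",
    },
    run_values={
        "spoolsvv": r"C:\WINDOWS\system32\spoolsvv.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    command_lines=[
        r'C:\WINDOWS\system32\netsh.exe firewall set allowedprogram "C:\Documents and Settings\user\Desktop\readme.exe" enable',
        r"C:\WINDOWS\system32\netsh.exe firewall show config",
        r"C:\WINDOWS\system32\netsh.exe firewall set allowedprogram C:\Tools\sync.exe enable",
    ],
    mutexes=["!aBirValG!", "ShimCacheMutex"],
)

if __name__ == "__main__":
    for indicator, detail in check_host(SAMPLE):
        print(f"{indicator:20} {detail}")
```

The file and Run value checks are specific to this worm; the netsh match is deliberately generic, because the description says the exception is created for the file the worm was executed as, whose name is not fixed. Every allowedprogram exception it reports therefore needs a second look rather than automatic blocking; the mutex and the spoolsvv.exe artifacts are what tie a hit to this family.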
File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
• UPX
See a brief description here.
Description inserted by Monica Ghitun on Tue, 06 Nov 2007 13:50 (GMT+1)
Description updated by Andrei Gherman on Thu, 08 Nov 2007 08:46 (GMT+1)
© 2008 Avira GmbH