¿Necesita ayuda? Pregunte a la comunidad o contrate a un experto.
Ir a Avira Answers
Alias:W32/Deborm.worm, W32.HLLW.Nebiwo
Type:Worm 
Size:variable 
Origin: 
Date:00-00-0000 
Damage:Spreads over shared networks. 
VDF Version:  
Danger:Low 
Distribution:Low 

DistributionIP addresses:

inc (IP4)
if IP4 <= 240 then
attack %generated_IP_address%
else
IP4 = 1
inc (IP3)
if IP3 <= 240 then
attack %generated_IP_address%
else
IP3 = 0
inc (IP2)
if IP2 <= 240 then
attack %generated_IP_address%
else
IP2 = 0
inc (IP1)
if IP1 <= 240 then
attack %generated_IP_address%
else
IP1 = 10
endif
endif
endif
endif

Usernames:
Administrator
Guest
Owner

If connection succeeds, the worm creates the following files:
-%connected_resource%\Winnt\Profiles\All Users\Start Menu\Programs\Startup\%worm_filename%
-%connected_resource%\Windows\Start Menu\Programs\Startup\%worm_filename%
-%connected_resource%\Documents and Settings\All Users\Start Menu\Programs\Startup\%worm_filename%

Where %connected_resource% is one of the following networks:
%generated_IP_address%\C
%generated_IP_address%\C$

and %worm_filename% is the name of the opened file W32.HLLW.Nebiwo. For example:
oocfwm.exe
results.exe
~2.EXE
lknq.exe
oocfwm.exe
gwigsb.exe

Technical DetailsWhen activated, the worm drops and executes Backdoor.Sdbot, Backdoor.Litmus (2), und Trojan.KillAV. If the opened system is Windows 95/98/Me, it registers as service process. It is not visible in Task list and it contiues to run after log out. In this case, the worm stops after system shut-down.

It enters in the autostart registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"NAV Live Update"="%path to worm%"
Descripción insertada por Crony Walker el martes 15 de junio de 2004

Volver . . . .
https:// Esta ventana está cifrada para su seguridad.