Descripción completa

Nume:	Worm/Warezov.DLL.C
Descoperit pe data de:	22/09/2006
Tip:	Vierme
ITW:	Da
Numar infectii raportate:	Scazut
Potential de raspandire:	Mediu
Potential de distrugere:	Scazut spre mediu
Fisier static:	Da
Marime:	153.128 Bytes
MD5:	6d5b6945f50dc801208525936d5c24b9
Versiune VDF:	6.36.00.50
Versiune IVDF:	6.36.00.61 - martes 26 de septiembre de 2006

General Metoda de raspandire:
   • Email

Alias:
   • Mcafee: W32/Stration@MM
   • Kaspersky: Email-Worm.Win32.Warezov.ab
   • TrendMicro: WORM_STRATION.BC
   • F-Secure: Email-Worm.Win32.Warezov.ab
   • Eset: Win32/Stration.AR

Sistem de operare:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Efecte secundare:
   • Blocheaza accesul la website-uri ale firmelor de securitate
   • Creeaza fisiere malware
   • Utilizeaza propriul motor de email
   • Reduce setarile de securitate
   • Modificari in registri

Imediat dupa lansarea in executie, pe ecran este afisat:

Fisiere Se copiaza in urmatoarea locatie:
   • %WINDIR%\tsrv.exe

Sunt create fisierele:

– Un fisier care contine adrese de e-mail:
   • %WINDIR%\tsrv.wax

– %HOME%\Desktop\%combinatie de doua caractere aleatoare%.tmp Acesta este un fisier text care nu prezinta pericol si are urmatorul continut:
   • %combinatie de caractere aleatoare%

– %SYSDIR%\msji449c14b7.dll Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: Worm/Stration

– %SYSDIR%\cmut449c14b7.dll Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: Worm/Warezov.AB

– %SYSDIR%\hpzl449c14b7.exe Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: Worm/Warezov.AB.2

– %WINDIR%\tsrv.dll Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: Worm/Warezov.AB.1

Registrii sistemului Urmatoarea cheie este adaugata in registri pentru a rula procesul la repornirea sistemului:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "tsrv"="%WINDIR%\tsrv.exe s"

Urmatoarea cheie din registri este modificata:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   Vechea valoare:
   • "AppInit_DLLs"=""
   Noua valoare:
   • "AppInit_DLLs"=" msji449c14b7.dll"

Email Are un motor SMTP integrat. Va fi facuta o conexiune directa cu serverul destinatar. Iata caracteristicile lui:

De la:
Adresa este falsificata.
Adrese generate. Va rugam nu presupuneti ca a fost intentia expeditorului sa va trimita acest email. Este posibil ca el sa nu stie ca este infectat sau chiar sa nu aiba sistemul infectat. In plus, este posibil sa primiti email-uri returnate care sa va indice ca sunteti infectat, lucru care poate fi de asemenea fals.

Catre:
– Adrese de email gasite pe sistem.
– Adrese de email obtinute din WAB (Windows Address Book)
– Adrese generate

Formatul email-urilor:

De la: sec@%domeniul destinatarului%
Subiect: Mail server report.
Corp mesaj:
   • Mail server report.

     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
     addresses
     Please install updates for worm elimination and your computer restoring.

     Best regards,
     Customers support service
Atasament:
   • Update-KB%numar%-x86.exe

De la: secur@%domeniul destinatarului%
Subiect: Mail server report.
Corp mesaj:
   • Mail server report.

     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
     addresses
     Please install updates for worm elimination and your computer restoring.

     Best regards,
     Customers support service
Atasament:
   • Update-KB%numar%-x86.exe

De la: serv@%domeniul destinatarului%
Subiect: Mail server report.
Corp mesaj:
   • Mail server report.

     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
     addresses
     Please install updates for worm elimination and your computer restoring.

     Best regards,
     Customers support service
Atasament:
   • Update-KB%numar%-x86.exe

Subiect:
Unul din urmatoarele:
   • Error
   • Good day
   • hello
   • Mail Delivery System
   • Mail Transaction Failed
   • picture
   • Server Report
   • Status
   • test

Corpul email-ului:
Corpul email-ului este unul din textele:

   • Mail transaction failed. Partial message is available.

   • The message cannot be represented in 7-bit ASCII encoding
     and has been sent as a binary attachment

   • The message contains Unicode characters and has been sent
     as a binary attachment.

Atasament:
Numele fisierelor atasate este alcatuit dupa cum urmeaza:

– Incepe cu unul din urmatoarele:
   • body
   • data
   • doc
   • docs
   • document
   • file
   • message
   • readme
   • test
   • text

    Urmat de una din urmatoarele extensii false:
   • .elm
   • .msg
   • .dat
   • .txt
   • .log

    Extensia fisierului este una din urmatoarele:
   • .bat
   • .exe
   • .scr
   • .cmd
   • .pif

Atasamentul este o copie malware.

Email-ul poate arata ca unul din urmatoarele:

Fisiere host Fisierul

– In acest caz inregistrarile existente raman nemodificate.

– Accesul la urmatoarele domenii este blocat:
   • download.microsoft.com; go.microsoft.com; msdn.microsoft.com;
      office.microsoft.com; windowsupdate.microsoft.com;
      http://www.microsoft.com/downloads/Search.aspx?displaylang=en; avp.ru;
      www.avp.ru; http://avp.ru; http://www.avp.ru; kaspersky.ru;
      www.kaspersky.ru; http://kaspersky.ru; kaspersky.com;
      www.kaspersky.com; http://kaspersky.com; kaspersky-labs.com;
      www.kaspersky-labs.com; http://kaspersky-labs.com; avp.ru/download/;
      www.avp.ru/download/; http://www.avp.ru/download/;
      http://www.kaspersky.ru/updates/;
      http://www.kaspersky-labs.com/updates/; http://kaspersky.ru/updates/;
      http://kaspersky-labs.com/updates/; downloads1.kaspersky-labs.com;
      downloads2.kaspersky-labs.com; downloads3.kaspersky-labs.com;
      downloads4.kaspersky-labs.com; downloads5.kaspersky-labs.com;
      http://downloads1.kaspersky-labs.com;
      http://downloads2.kaspersky-labs.com;
      http://downloads3.kaspersky-labs.com;
      http://downloads4.kaspersky-labs.com;
      http://downloads5.kaspersky-labs.com;
      downloads1.kaspersky-labs.com/products/;
      downloads2.kaspersky-labs.com/products/;
      downloads3.kaspersky-labs.com/products/;
      downloads4.kaspersky-labs.com/products/;
      downloads5.kaspersky-labs.com/products/;
      http://downloads1.kaspersky-labs.com/products/;
      http://downloads2.kaspersky-labs.com/products/;
      http://downloads3.kaspersky-labs.com/products/;
      http://downloads4.kaspersky-labs.com/products/;
      http://downloads5.kaspersky-labs.com/products/;
      downloads1.kaspersky-labs.com/updates/;
      downloads2.kaspersky-labs.com/updates/;
      downloads3.kaspersky-labs.com/updates/;
      downloads4.kaspersky-labs.com/updates/;
      downloads5.kaspersky-labs.com/updates/;
      http://downloads1.kaspersky-labs.com/updates/;
      http://downloads2.kaspersky-labs.com/updates/;
      http://downloads3.kaspersky-labs.com/updates/;
      http://downloads4.kaspersky-labs.com/updates/;
      http://downloads5.kaspersky-labs.com/updates/;
      ftp://downloads1.kaspersky-labs.com;
      ftp://downloads2.kaspersky-labs.com;
      ftp://downloads3.kaspersky-labs.com;
      ftp://downloads4.kaspersky-labs.com;
      ftp://downloads5.kaspersky-labs.com;
      ftp://downloads1.kaspersky-labs.com/products/;
      ftp://downloads2.kaspersky-labs.com/products/;
      ftp://downloads3.kaspersky-labs.com/products/;
      ftp://downloads4.kaspersky-labs.com/products/;
      ftp://downloads5.kaspersky-labs.com/products/;
      ftp://downloads1.kaspersky-labs.com/updates/;
      ftp://downloads2.kaspersky-labs.com/updates/;
      ftp://downloads3.kaspersky-labs.com/updates/;
      ftp://downloads4.kaspersky-labs.com/updates/;
      ftp://downloads5.kaspersky-labs.com/updates/;
      http://updates.kaspersky-labs.com/updates/;
      http://updates1.kaspersky-labs.com/updates/;
      http://updates2.kaspersky-labs.com/updates/;
      http://updates3.kaspersky-labs.com/updates/;
      http://updates4.kaspersky-labs.com/updates/;
      ftp://updates.kaspersky-labs.com/updates/;
      ftp://updates1.kaspersky-labs.com/updates/;
      ftp://updates2.kaspersky-labs.com/updates/;
      ftp://updates3.kaspersky-labs.com/updates/;
      ftp://updates4.kaspersky-labs.com/updates/; viruslist.com;
      www.viruslist.com; http://viruslist.com; viruslist.ru;
      www.viruslist.ru; http://viruslist.ru;
      ftp://ftp.kasperskylab.ru/updates/; symantec.com; www.symantec.com;
      http://symantec.com; customer.symantec.com;
      http://customer.symantec.com; liveupdate.symantec.com;
      http://liveupdate.symantec.com; liveupdate.symantecliveupdate.com;
      http://liveupdate.symantecliveupdate.com;
      securityresponse.symantec.com; http://securityresponse.symantec.com;
      service1.symantec.com; http://service1.symantec.com;
      symantec.com/updates; http://symantec.com/updates;
      updates.symantec.com; http://updates.symantec.com; eset.com/;
      www.eset.com/; http://www.eset.com/; eset.com/products/index.php;
      www.eset.com/products/index.php;
      http://www.eset.com/products/index.php; eset.com/download/index.php;
      www.eset.com/download/index.php;
      http://www.eset.com/download/index.php; eset.com/joomla/;
      www.eset.com/joomla/; http://www.eset.com/joomla/; u3.eset.com/;
      http://u3.eset.com/; u4.eset.com/; http://u4.eset.com/;
      www.symantec.com/updates

Fisierul hosts modificat va arata astfel:

Injectarea codului malware in alte procese – Injecteaza fisierul urmator intr-un proces: tsrv.dll

Numele procesului:
• %toate procesele active%

Detaliile fisierului Limbaj de programare:
Limbaj de programare folosit: C (compilat cu Microsoft Visual C++).

Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit urmatorul program de arhivare:
• MEW

Descripción insertada por Adriana Popa el martes 26 de septiembre de 2006
Descripción actualizada por Adriana Popa el martes 26 de septiembre de 2006

Volver . . . .

Protección destacada para PC del hogar

Productos gratis

Más populares

Todos los productos

Paquetes de soluciones

Terminales

Server

Paquetes de soluciones

Puertas de enlace de correo

Puertas de enlace web

Plataformas de colaboración

Particulares

Empresas

Laboratorio de virus

Más soporte

Hágase socio de Avira

Particulares

Empresas

?Solo quiere evaluar un producto?

Manuales y herramientas