Name: Worm/VanBot.O
Discovered on: 25/09/2006
Type: Worm
In the wild (ITW): No
Number of reported infections: Low
Spread potential: Medium
Damage potential: Medium
Static file: Yes
Size: 312,749 bytes
MD5: 64a65de5da0D6907adc0186025172daf
VDF version: 6.36.00.56
IVDF version: 6.36.00.67 - Thursday, 28 September 2006
General

Spreading method:
• Local network

Aliases:
• McAfee: W32/Sdbot.worm!MS06-040
• Kaspersky: Backdoor.Win32.VanBot.o
• F-Secure: Backdoor.Win32.VanBot.o
• Sophos: W32/Rbot-FON
• VirusBuster: Worm.RBot.FZD
• Eset: Win32/Rbot
• Bitdefender: Backdoor.Vanbot.A

Operating systems:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Creates malware files
• Uses its own e-mail engine
• Lowers security settings
• Modifies the registry
• Exploits software vulnerabilities
• Steals information
• Possible unauthorized access to the computer

Files

Copies itself to the following location:
• %SYSDIR%\dhcpserv.exe
Deletes the initial copy of the virus.

The following files are created:
– A temporary file that may be deleted afterwards:
• %TEMPDIR%\1.reg
– %SYSDIR%\SVKP.sys
The file is executed after it has been created.
– C:\a.bat

System registry

The following registry keys are added so that the process runs at every system restart:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• "Windows APCI Verifier"="dhcpserv.exe"
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
• "Windows APCI Verifier"="dhcpserv.exe"

The following registry keys are added so that the service is loaded at system restart:
– HKLM\SYSTEM\CurrentControlSet\Services\SVKP
• "Type"=dword:00000001
• "Start"=dword:00000002
• "ErrorControl"=dword:00000001
• "ImagePath"="\??\%SYSDIR%\SVKP.sys"
• "DisplayName"="SVKP"
– HKLM\SYSTEM\CurrentControlSet\Services\SVKP\Enum
• "0"="Root\LEGACY_SVKP\0000"
• "Count"=dword:00000001
• "NextInstance"=dword:00000001
– HKLM\SYSTEM\CurrentControlSet\Services\SVKP\Security
• "Security"=%hex values%

The following registry keys are added:
– HKLM\SOFTWARE\Microsoft\Ole
• "EnableRemoteConnect"="N"
– HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server
• "Enabled"=hex:00
– HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
• "AutoShareWks"=dword:00000000
• "AutoShareServer"=dword:00000000
– HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
• "AllowUnqualifiedQuery"=dword:00000000
• "PrioritizeRecordData"=dword:00000001
• "TCP1320Opts"=dword:00000003
• "KeepAliveTime"=dword:00023280
• "BcastQueryTimeout"=dword:000002ee
• "BcastNameQueryCount"=dword:00000001
• "CacheTimeout"=dword:0000ea60
• "Size/Small/Medium/Large"=dword:00000003
• "LargeBufferSize"=dword:00001000
• "SynAckProtect"=dword:00000002
• "PerformRouterDiscovery"=dword:00000000
• "EnablePMTUBHDetect"=dword:00000000
• "FastSendDatagramThreshold "=dword:00000400
• "StandardAddressLength "=dword:00000018
• "DefaultReceiveWindow "=dword:00004000
• "DefaultSendWindow"=dword:00004000
• "BufferMultiplier"=dword:00000200
• "PriorityBoost"=dword:00000002
• "IrpStackSize"=dword:00000004
• "IgnorePushBitOnReceives"=dword:00000000
• "DisableAddressSharing"=dword:00000000
• "AllowUserRawAccess"=dword:00000000
• "DisableRawSecurity"=dword:00000000
• "DynamicBacklogGrowthDelta"=dword:00000032
• "FastCopyReceiveThreshold"=dword:00000400
• "LargeBufferListDepth"=dword:0000000a
• "MaxActiveTransmitFileCount"=dword:00000002
• "MaxFastTransmit"=dword:00000040
• "OverheadChargeGranularity"=dword:00000001
• "SmallBufferListDepth"=dword:00000020
• "SmallerBufferSize"=dword:00000080
• "TransmitWorker"=dword:00000020
• "DNSQueryTimeouts"="1 2 2 4 8 0 "
• "DefaultRegistrationTTL"=dword:00000014
• "DisableReplaceAddressesInConflicts"=dword:00000000
• "DisableReverseAddressRegistrations"=dword:00000001
• "UpdateSecurityLevel "=dword:00000000
• "DisjointNameSpace"=dword:00000001
• "QueryIpMatching"=dword:00000000
• "NoNameReleaseOnDemand"=dword:00000001
• "EnableDeadGWDetect"=dword:00000000
• "EnableFastRouteLookup"=dword:00000001
• "MaxFreeTcbs"=dword:000007d0
• "MaxHashTableSize"=dword:00000800
• "SackOpts"=dword:00000001
• "Tcp1323Opts"=dword:00000003
• "TcpMaxDupAcks"=dword:00000001
• "TcpRecvSegmentSize"=dword:00000585
• "TcpSendSegmentSize"=dword:00000585
• "DefaultTTL"=dword:00000030
• "TcpMaxHalfOpen"=dword:0000004b
• "TcpMaxHalfOpenRetried"=dword:00000050
• "TcpTimedWaitDelay"=dword:00000000
• "MaxNormLookupMemory"=dword:00030d40
• "FFPControlFlags"=dword:00000001
• "FFPFastForwardingCacheSize"=dword:00030d40
• "MaxForwardBufferMemory"=dword:00019df7
• "MaxFreeTWTcbs"=dword:000007d0
• "GlobalMaxTcpWindowSize"=dword:0007d200
• "EnablePMTUDiscovery"=dword:00000001
• "ForwardBufferMemory"=dword:00019df7
– HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
• "MaxConnectionsPer1_0Server"=dword:00000050
• "MaxConnectionsPerServer"=dword:00000050
– HKCU\Software\Microsoft\OLE
• "Windows APCI Verifier"="dhcpserv.exe"

The following registry keys are modified:
– HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Old value:
• "TransportBindName"="\Device\"
New value:
• "TransportBindName"=""

Disables the Windows Firewall:
– HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Old value:
• "Start"=dword:00000003
New value:
• "Start"=dword:00000004
– HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Old value:
• "Start"=dword:00000002
New value:
• "Start"=dword:00000004
– HKLM\SYSTEM\ControlSet001\Services\wscsvc
Old value:
• "Start"=dword:00000002
New value:
• "Start"=dword:00000004
– HKLM\SOFTWARE\Microsoft\Ole
Old value:
• "EnableDCOM"="Y"
New value:
• "EnableDCOM"="N"
– HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Old value:
• "restrictanonymous"=dword:00000000
New value:
• "restrictanonymous"=dword:00000001
– HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Old value:
• "EnableICMPRedirect"=dword:00000001
• "EnableSecurityFilters"=dword:00000000
• "TcpWindowSize"=dword:0000faf0
New value:
• "EnableICMPRedirect"=dword:00000000
• "EnableSecurityFilters"=dword:00000001
• "TcpWindowSize"=dword:0007d200

Network

To ensure its spread, the malware tries to contact other systems as described below:

Creates copies of the malware on the following network shares:
• IPC$
• C$
• ADMIN$

To log on to and control the remote system, it uses a built-in list of user names and passwords.
Exploit:
Uses the following vulnerabilities:
– MS03-049 (Buffer Overrun in the Workstation Service)
– MS04-007 (ASN.1 Vulnerability)
– MS05-039 (Vulnerability in Plug and Play)
– MS06-040 (Vulnerability in Server Service)
– NetDevil backdoor (port 903)

IP address generation:
Generates random IP addresses and tries to contact them.

Infection process:
Creates a TFTP script on the affected system in order to download the malware onto a remotely controlled computer. Creates an FTP script on the affected system in order to download the malware onto another remotely controlled computer.

Remote activation:
– Tries to start the malware remotely on the newly infected system. To do this, it calls the NetScheduleJobAdd function.
IRC

To send information and to receive commands, it connects to the following IRC server:
Server: ftp.mdawor**********
Port: 37000
Channel: #(O)W)N(E(D)$$$
Nick: [aapaap]-%number%

– This malware can collect and send information such as:
• Processor speed
• Current user
• Driver information
• Free disk space
• Free memory
• Time elapsed since the malware was started
• Network information
• Information about system processes
• Amount of memory
• System directory
• User
• Operating system information

– In addition, it can perform the following operations:
• Connect to an IRC server
• Launch ICMP DDoS attacks
• Launch SYN DDoS attacks
• Launch UDP DDoS attacks
• Disable DCOM
• Disable network shares
• Disconnect from the IRC server
• Download a file
• Enable DCOM
• Enable network shares
• Execute a file
• Join an IRC channel
• Kill a process
• Leave an IRC channel
• Open a console
• Perform a DDoS attack
• Scan the network
• Redirect ports
• Register a service
• Restart the system
• Send e-mails
• Shut down the system
• Terminate a process
• Update itself
• Upload a file
• Visit a website

Other information

Mutex:
Creates the following mutex:
• lame93d396s

Anti-debugging methods
Checks whether one of the following programs is running:
• Filemon
• Regmon
• SoftIce

File details

Programming language:
Programming language used: C (compiled with Microsoft Visual C++).

File compression:
To hinder detection and reduce the file size, the following packer is used:
• SVKP
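As an added example (not Avira's code and not part of this description), the following Python script parses a registry export (.reg text) and flags the artifacts listed in the registry section above: the "Windows APCI Verifier" autostart value, the SVKP driver service, the services switched to Start=4 and the EnableDCOM=N change. The export it scans is constructed, and the system32 path used for SVKP.sys is an assumption.

```python
"""Offline triage of a registry export (.reg text) for the Worm/VanBot.O
artifacts described above: the "Windows APCI Verifier" autostart value, the
SVKP driver service, services set to Start=4 and EnableDCOM=N. Added example."""
import re

AUTOSTART_NAME, AUTOSTART_DATA = "Windows APCI Verifier", "dhcpserv.exe"
AUTOSTART_KEYS = (  # key suffixes, compared case-insensitively
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
    r"software\microsoft\ole",
)
# Firewall (SharedAccess), Windows Update (wuauserv), Security Center (wscsvc)
DISABLED_SERVICES = ("sharedaccess", "wuauserv", "wscsvc")
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Parse 'Windows Registry Editor'/REGEDIT4 text into {key_lower: {name: raw_data}};
    hex continuation lines and comments are skipped (nothing below needs them)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1].replace(r'\"', '"')
            keys[current][name] = m.group(2)
    return keys


def find_vanbot_indicators(keys):
    """Return one human-readable finding per matching artifact."""
    findings = []
    for key, values in keys.items():
        leaf = key.rsplit("\\", 1)[-1]
        # 1. Autostart value under Run / RunServices / HKCU OLE pointing at dhcpserv.exe
        if any(key.endswith(k) for k in AUTOSTART_KEYS):
            data = values.get(AUTOSTART_NAME, "")
            if AUTOSTART_DATA in data.lower():
                findings.append(f"autostart: [{key}] {AUTOSTART_NAME}={data}")
        # 2. Kernel driver service for the SVKP packer registered to start automatically
        if key.endswith(r"\services\svkp") and "svkp.sys" in values.get("ImagePath", "").lower():
            findings.append(f"driver service: [{key}] ImagePath={values['ImagePath']}")
        # 3. Firewall / Windows Update / Security Center switched to Start=4 (disabled)
        if leaf in DISABLED_SERVICES and values.get("Start") == "dword:00000004":
            findings.append(f"service disabled: {leaf} Start=4")
        # 4. DCOM switched off (EnableDCOM changed from Y to N)
        if key.endswith(r"software\microsoft\ole") and values.get("EnableDCOM", "").strip('"').upper() == "N":
            findings.append(f"DCOM disabled: [{key}] EnableDCOM=N")
    return findings


def triage(text):
    return find_vanbot_indicators(parse_reg_export(text))


# Constructed sample export; the system32 path for SVKP.sys is an assumption.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows APCI Verifier"="dhcpserv.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVKP]
"Start"=dword:00000002
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\SVKP.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""
```

Run `triage(SAMPLE_EXPORT)` to list the four findings for the constructed export; on a real case, feed it the text of `reg export` output or a hive exported from a forensic image.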
Description added by Teodor Onisor on Friday, 6 October 2006. Description updated by Teodor Onisor on Thursday, 12 October 2006.