Name: BDS/Sdbot.A.4
Discovered: 16/10/2007
Type: Backdoor server
In the wild (ITW):
Number of reported infections: Low
Spread potential: Medium
Damage potential: Medium
Static file:
Size: 192,000 bytes
MD5 checksum: 15ecf1e5ed645ca952204dae7fe7fd56
VDF version: 7.00.00.91
IVDF version: 7.00.00.96 - Tuesday, 16 October 2007

General
Spreading method:
   • Local network


Aliases:
   •  Kaspersky: Backdoor.Win32.Rbot.bmo
   •  Sophos: W32/Sdbot-CSV
   •  VirusBuster: Worm.Rbot.IRL
   •  Eset: Win32/Rbot trojan
   •  Bitdefender: Backdoor.Rbot.BMO


Platforms / Operating systems:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disables security applications
   • Records keystrokes
   • Registry modifications
   • Uses software vulnerabilities
   • Steals information
   • Allows unauthorized access to the computer

Files
It copies itself to the following location:
   • %SYSDIR%\IRQconf.exe



It deletes the initially executed copy of itself.



It creates the following files:

– c:\a.bat Furthermore, the file is executed after it has been created. Detected as: BAT/REG.Zapchast

– C:\DOCUME~1\name1252\LOCALS~1\Temp\1.reg Furthermore, the file is executed after it has been created. It contains parameters used by the malware. Detected as: TR/TCPParams.D.3

Registry
The following registry keys are added so that the processes run again every time the system is restarted:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "IRQ Assigning Agent"="IRQconf.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "IRQ Assigning Agent"="IRQconf.exe"



The following registry key is added:

– [HKCU\Software\Microsoft\OLE]
   • "IRQ Assigning Agent"="IRQconf.exe"



The following registry keys are modified:

Disables the Windows Firewall:
– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess]
   Old value:
   • Start=dword:00000002
   New value:
   • Start=dword:00000004

– [HKLM\SYSTEM\ControlSet001\Services\wuauserv]
   Old value:
   • Start=dword:00000002
   New value:
   • Start=dword:00000004

– [HKLM\SYSTEM\ControlSet001\Services\wscsvc]
   Old value:
   • Start=dword:00000002
   New value:
   • Start=dword:00000004

– [HKLM\SYSTEM\ControlSet001\Control\Lsa]
   Old value:
   • "restrictanonymous"=%user defined settings%
   New value:
   • restrictanonymous=dword:00000001

– [HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server]
   New value:
   • Enabled=hex:00

– [HKLM\SOFTWARE\Microsoft\Ole]
   Old value:
   • EnableDCOM=%user defined settings%
   New value:
   • EnableDCOM="N"
     EnableRemoteConnect="N"

– [HKLM\SYSTEM\ControlSet001\Services\lanmanserver\parameters]
   New value:
   • AutoShareWks=dword:00000000
     AutoShareServer=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • MaxConnectionsPer1_0Server=dword:00000050
     MaxConnectionsPerServer=dword:00000050

– [HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
   New value:
   • "NameServer"=""
     "ForwardBroadcasts"=dword:00000000
     "IPEnableRouter"=dword:00000000
     "Domain"=""
     "SearchList"=""
     "UseDomainNameDevolution"=dword:00000001
     "EnableICMPRedirect"=dword:00000000
     "DeadGWDetectDefault"=dword:00000001
     "DontAddDefaultGatewayDefault"=dword:00000000
     "EnableSecurityFilters"=dword:00000001
     "AllowUnqualifiedQuery"=dword:00000000
     "PrioritizeRecordData"=dword:00000001
     "TCP1320Opts"=dword:00000003
     "KeepAliveTime"=dword:00023280
     "BcastQueryTimeout"=dword:000002ee
     "BcastNameQueryCount"=dword:00000001
     "CacheTimeout"=dword:0000ea60
     "Size/Small/Medium/Large"=dword:00000003
     "LargeBufferSize"=dword:00001000
     "SynAckProtect"=dword:00000002
     "PerformRouterDiscovery"=dword:00000000
     "EnablePMTUBHDetect"=dword:00000000
     "FastSendDatagramThreshold"=dword:00000400
     "StandardAddressLength"=dword:00000018
     "DefaultReceiveWindow"=dword:00004000
     "DefaultSendWindow"=dword:00004000
     "BufferMultiplier"=dword:00000200
     "PriorityBoost"=dword:00000002
     "IrpStackSize"=dword:00000004
     "IgnorePushBitOnReceives"=dword:00000000
     "DisableAddressSharing"=dword:00000000
     "AllowUserRawAccess"=dword:00000000
     "DisableRawSecurity"=dword:00000000
     "DynamicBacklogGrowthDelta"=dword:00000032
     "FastCopyReceiveThreshold"=dword:00000400
     "LargeBufferListDepth"=dword:0000000a
     "MaxActiveTransmitFileCount"=dword:00000002
     "MaxFastTransmit"=dword:00000040
     "OverheadChargeGranularity"=dword:00000001
     "SmallBufferListDepth"=dword:00000020
     "SmallerBufferSize"=dword:00000080
     "TransmitWorker"=dword:00000020
     "DNSQueryTimeouts"=%hex values%
     "DefaultRegistrationTTL"=dword:00000014
     "DisableReplaceAddressesInConflicts"=dword:00000000
     "DisableReverseAddressRegistrations"=dword:00000001
     "UpdateSecurityLevel"=dword:00000000
     "DisjointNameSpace"=dword:00000001
     "QueryIpMatching"=dword:00000000
     "NoNameReleaseOnDemand"=dword:00000001
     "EnableDeadGWDetect"=dword:00000000
     "EnableFastRouteLookup"=dword:00000001
     "MaxFreeTcbs"=dword:000007d0
     "MaxHashTableSize"=dword:00000800
     "SackOpts"=dword:00000001
     "Tcp1323Opts"=dword:00000003
     "TcpMaxDupAcks"=dword:00000001
     "TcpRecvSegmentSize"=dword:00000585
     "TcpSendSegmentSize"=dword:00000585
     "TcpWindowSize"=dword:0007d200
     "DefaultTTL"=dword:00000030
     "TcpMaxHalfOpen"=dword:0000004b
     "TcpMaxHalfOpenRetried"=dword:00000050
     "TcpTimedWaitDelay"=dword:00000000
     "MaxNormLookupMemory"=dword:00030d40
     "FFPControlFlags"=dword:00000001
     "FFPFastForwardingCacheSize"=dword:00030d40
     "MaxForwardBufferMemory"=dword:00019df7
     "MaxFreeTWTcbs"=dword:000007d0
     "GlobalMaxTcpWindowSize"=dword:0007d200
     "EnablePMTUDiscovery"=dword:00000001
     "ForwardBufferMemory"=dword:00019df7
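Added example, not part of the Avira description: a Python script that parses a Windows registry export in .reg text format and flags the persistence and service-disabling changes listed above. The sample export is constructed; .reg exports write the hive as HKEY_LOCAL_MACHINE rather than the HKLM shorthand used in the description.

```python
# Added example, not Avira's own tooling: flags the BDS/Sdbot.A.4 registry
# changes listed above in a .reg export (the sample export is constructed).
import re
from typing import Dict, List, Tuple

# (key, value name, expected data, meaning) taken from the description above.
# .reg exports write the hive as HKEY_LOCAL_MACHINE, not the HKLM shorthand.
INDICATORS: List[Tuple[str, str, str, str]] = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "IRQ Assigning Agent", "IRQconf.exe", "persistence via Run key"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess",
     "Start", "dword:00000004", "Windows Firewall service disabled"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv",
     "Start", "dword:00000004", "Automatic Updates service disabled"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc",
     "Start", "dword:00000004", "Security Center service disabled"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole",
     "EnableDCOM", "N", "DCOM disabled"),
]

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"=data lines of a .reg export into
    {key: {name: data}}. Keys/names are lower-cased (the registry is
    case-insensitive); quoted string data loses its quotes, dword:/hex:
    data is kept verbatim; default values (@=) and comments are skipped."""
    tree: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            tree.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            data = value_match.group(2).strip()
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1]
            tree[current][value_match.group(1).lower()] = data
    return tree


def scan(tree: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (meaning, key\\name=data) for each indicator whose data matches."""
    hits: List[Tuple[str, str]] = []
    for key, name, expected, meaning in INDICATORS:
        data = tree.get(key.lower(), {}).get(name.lower())
        if data is not None and data.lower() == expected.lower():
            hits.append((meaning, f"{key}\\{name}={data}"))
    return hits


# Constructed sample: Run key, firewall service and DCOM changed; wuauserv untouched.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IRQ Assigning Agent"="IRQconf.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"EnableRemoteConnect"="N"
"""

if __name__ == "__main__":
    for meaning, where in scan(parse_reg_export(SAMPLE_EXPORT)):
        print(f"[!] {meaning}: {where}")
```

On a live system the same scan can be run over the output of `reg export` for the HKLM hive; the value name "IRQ Assigning Agent" and the Start=4 (disabled) services are the strongest signals because a benign host rarely carries them together.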

Network infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.

It drops a copy of itself to the following network share:
   • %all network shares%


It uses the following login information in order to gain access to the remote machine:

– A list of user names and passwords:



Exploit:
It uses the following security holes:
– MS06-040 (Vulnerability in Server Service)
– NetDevil backdoor (port 903)


Infection process:
It creates a TFTP script on the compromised machine in order to download the malware to the remote location.


Remote execution:
– It attempts to schedule a remote execution of the malware on the newly infected machine. To do so it uses the NetScheduleJobAdd function.

IRC
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: 100.FelonyProductions.**********
Port: 8372
Channel: #$$$$#
Nickname: soldier
Password: og


– Furthermore it has the ability to perform actions such as:
    • Connect to IRC server
    • Disable network shares
    • Disconnect from IRC server
    • Download file
    • Enable network shares
    • Join IRC channel
    • Leave IRC channel
    • Launch DDoS attack
    • Perform port redirection
    • Start spreading routine
    • Update itself

Information theft
– It monitors the network with a sniffer and looks for the following strings:
   • :.login; :,login; :!login; :@login; :$login; :%login; :^login;
      :*login; :-login; :+login; :/login; :\login; :=login; :?login;
      :'login; :`login; :~login; : login; :.auth; :,auth; :!auth; :@auth;
      :$auth; :%auth; :^auth; :&auth; :*auth; :-auth; :+auth; :/auth;
      :\auth; :=auth; :?auth; :'auth; :`auth; :~auth; : auth; :.id; :,id;
      :!id; :@id; :$id; :%id; :^id; :&id; :*id; :-id; :+id; :/id; :\id;
      :=id; :?id; :'id; :`id; :~id; : id; :.hashin; :!hashin; :$hashin;
      :%hashin; :.secure; :!secure; :.l; :!l; :$l; :%l; :.x; :!x; :$x; :%x;
      :.syn; :!syn; :$syn; :%syn

– A logging routine is started after the following text is entered:
   • paypal

– Captures:
    • Keystrokes

– After visiting the following website, a logging routine is started:
   • paypal.com

– Captures:
    • Login information

Miscellaneous
Mutex:
It creates the following mutex:
   • 7x4556326

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it uses a runtime packer.

Description inserted by Ana Maria Niculescu on Thursday, 22 November 2007
Description updated by Ana Maria Niculescu on Friday, 23 November 2007
