Nume:Worm/RBo.20480.12.A
Descoperit pe data de:05/05/2008
Tip:Vierme
ITW:Da
Numar infectii raportate:Scazut
Potential de raspandire:Mediu
Potential de distrugere:Mediu
Fisier static:Da
Marime:20.480 Bytes
MD5:0A9b70150A5b4de8895b459776580Dc6
Versiune VDF:7.0.04.017
Versiune IVDF:7.0.04.018

 General Metoda de raspandire:
   • Nu are rutina proprie de raspandire


Alias:
   •  Kaspersky: Trojan.Win32.Mondera.gen


Sistem de operare:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Efecte secundare:
   • Blocheaza accesul la anumite website-uri
   • Blocheaza accesul la website-uri ale firmelor de securitate
   • Descarca un fisier
   • Modificari in registri
   • Posibilitatea accesului neautorizat la computer

 Fisiere Se copiaza in urmatoarea locatie:
   • %SYSDIR%\msninbox.exe



Sterge copia initiala a virusului.

 Registrii sistemului Urmatoarea cheie este adaugata in registri pentru a rula procesul la repornirea sistemului:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • MSN Messenger Inbox Loader="msninbox.exe"

 IRC Pentru a trimite informatii si pentru a fi controlat se conecteaza la serverul IRC:

Server: nagasaki.japancorporation.**********
Port: 9103
Parola serverului: su1c1d3
Canal: #net
Nick: \00\USA\%sir de 10 caractere aleatoare%
Parola: n3t!



– Acest malware poate obtine si trimite infomatii cum ar fi:
    • ID-ul platformei
    • Informatii despre sistemul de operare


– In plus, poate efectua urmatoarele operatii:
    • conectare server IRC
    • descarcare fisier
    • editare registru sistem
    • executarea unui fisier
    • parasire canal IRC
    • Vizitarea unui website

 Fisiere host Fisierul

– In acest caz, inregistrarile existente sunt sterse.

– Accesul la urmatoarele domenii este blocat:
   • 127.0.0.1 jayloden.com; 127.0.0.1 www.jayloden.com;
      127.0.0.1 www.spywareinfo.com; 127.0.0.1 spywareinfo.com;
      127.0.0.1 www.spybot.info; 127.0.0.1 spybot.info;
      127.0.0.1 kaspersky.com; 127.0.0.1 kaspersky-labs.com;
      127.0.0.1 www.kaspersky.com; 127.0.0.1 www.majorgeeks.com;
      127.0.0.1 majorgeeks.com; 127.0.0.1 securityresponse.symantec.com;
      127.0.0.1 symantec.com; 127.0.0.1 www.symantec.com;
      127.0.0.1 updates.symantec.com;
      127.0.0.1 liveupdate.symantecliveupdate.com;
      127.0.0.1 liveupdate.symantec.com; 127.0.0.1 customer.symantec.com;
      127.0.0.1 update.symantec.com; 127.0.0.1 www.sophos.com;
      127.0.0.1 sophos.com; 127.0.0.1 www.virustotal.com;
      127.0.0.1 virustotal.com; 127.0.0.1 www.mcafee.com;
      127.0.0.1 mcafee.com; 127.0.0.1 rads.mcafee.com;
      127.0.0.1 mast.mcafee.com; 127.0.0.1 download.mcafee.com;
      127.0.0.1 dispatch.mcafee.com; 127.0.0.1 us.mcafee.com;
      127.0.0.1 www.trendsecure.com; 127.0.0.1 trendsecure.com;
      127.0.0.1 www.viruslist.com; 127.0.0.1 viruslist.com;
      127.0.0.1 www.hijackthis.de; 127.0.0.1 hijackthis.de;
      127.0.0.1 f-secure.com; 127.0.0.1 www.f-secure.com;
      127.0.0.1 Merijn.org; 127.0.0.1 www.Merijn.org; 127.0.0.1 www.avp.com;
      127.0.0.1 avp.com; 127.0.0.1 analysis.seclab.tuwien.ac.at;
      127.0.0.1 www.bleepingcomputer.com; 127.0.0.1 bleepingcomputer.com;
      127.0.0.1 trendmicro.com; 127.0.0.1 www.trendmicro.com;
      127.0.0.1 www.safer-networking.org; 127.0.0.1 safer-networking.org;
      127.0.0.1 grisoft.com; 127.0.0.1 www.grisoft.com




Fisierul hosts modificat va arata astfel:


 Injectarea codului malware in alte procese – Se injecteaza intr-un proces.

    Numele procesului:
   • Explorer.exe


 Detaliile fisierului Limbaj de programare:
 Limbaj de programare folosit: C (compilat cu Microsoft Visual C++).


Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit urmatorul program de arhivare:
   • UPX

Descripción insertada por Monica Ghitun el jueves 7 de agosto de 2008
Descripción actualizada por Monica Ghitun el jueves 7 de agosto de 2008

Volver . . . .