¿Necesita ayuda? Pregunte a la comunidad o contrate a un experto.
Ir a Avira Answers
Virus:Worm/Scano.H
Date discovered:07/09/2006
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Low to medium
Static file:Yes
File size:18.004 Bytes
MD5 checksum:9ede491e633d75a3231130736f730459
VDF version:6.35.01.192
IVDF version:6.35.01.196 - Friday, September 8, 2006

 General Method of propagation:
   • Email


Aliases:
   •  Symantec: W32.Beagle.EG@mm
   •  Mcafee: W32/Areses.h
   •  TrendMicro: WORM_ARESES.AC
   •  Sophos: W32/Areses-C
   •  VirusBuster: I-Worm.Scano.G
   •  Eset: Win32/Scano.R

It was previously detected as:
     W32/Areses.H


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Uses its own Email engine
   • Registry modification

 Files It copies itself to the following location:
   • %WINDIR%\csrss.exe



It copies itself within an archive to the following location:
   • %TEMPDIR%\Message.zip




It tries to download some files:

The location is the following:
   • http://207.46.250.119/g/**********
At the time of writing this file was not online for further investigation.

The location is the following:
   • http://www.microsoft.com/g/**********
At the time of writing this file was not online for further investigation.

The location is the following:
   • http://84.22.161.192/s/**********
At the time of writing this file was not online for further investigation.

 Registry The following registry key is added in order to run the process after reboot:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\explorer.exe
   • "Debugger"="%WINDIR%\csrss.exe"



The values of the following registry keys are removed:

–  HKLM\SYSTEM\ControlSet002\Control\Session Manager\
   PendingFileRenameOperations
–  HKLM\SYSTEM\ControlSet002\Control\Session Manager\BootExecute

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.
 Email addresses gathered from WAB (Windows Address Book)


Subject:
One of the following:
   • ????????, ??? ???? ????
   • ?????
   • ??????, ?? ????
   • ??????, ?????? ???!!!
   • ??????! ?????? ?????? ?!
   • ??!
   • ?????
   • Re: ?????? ???!
   • Re: ??????? ???!
   • Re: ?? ????
   • Re: ????? ?? ??? ???????
   • Re: ??? ???????????
   • Re: ??? ???????????



Body:
–  In some cases it may be empty.


The body of the email is one of the lines:
   • ??????! ? ??????? ??? ??
   • ??????? ? ????????? ??
   • ????? ??? ?????????
   • ????????!!! ??? ????????


Attachment:
The filename of the attachment is one of the following:
   • Message.zip
   • File.zip
   • Document.zip
   • README.zip
   • Passwords.zip
   • Readme.zip
   • Important.zip
   • New.zip
   • COOL.zip
   • Archive.zip
   • Fotos.zip
   • private.zip
   • confidential.zip
   • secret.zip
   • images.zip
   • your_documents.zip
   • backup.zip

The attachment is an archive containing a copy of the malware itself.

 Mailing Search addresses:
It searches the following files for email addresses:
   • .adb; .asp; .cfg; .cgi; .mra; .dbx; .dhtm; .eml; .htm; .html; .jsp;
      .mbx; .mdx; .mht; .mmf; .msg; .nch; .ods; .oft; .php; .pl; .sht;
      .shtm; .stm; .tbb; .txt; .uin; .wab; .wsh; .xls; .xml; .dhtml


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • @microsoft; rating@; f-secur; news; update; .qmail; .gif; anyone@;
      bugs@; contract@; feste; gold-certs@; help@; info@; nobody@; noone@;
      0000; Mailer-Daemon@; @subscribe; kasp; admin; icrosoft; support;
      ntivi; unix; bsd; linux; listserv; certific; torvalds@; sopho; @foo;
      @iana; free-av; @messagelab; winzip; google; winrar; samples; spm111@;
      .00; abuse; panda; cafee; spam; pgp; @avp.; noreply; local; root@;
      postmaster@

 Injection –  It injects the following file into a process: %WINDIR%\csrss.exe

    All of the following processes:
   • services.exe
   • svchost.exe


 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Descripción insertada por Irina Boldea el lunes 28 de agosto de 2006
Descripción actualizada por Irina Boldea el martes 3 de octubre de 2006

Volver . . . .
https:// Esta ventana está cifrada para su seguridad.