Nume:Worm/Rbot.aeu.79
Descoperit pe data de:05/12/2005
Tip:Vierme
ITW:Nu
Numar infectii raportate:Scazut
Potential de raspandire:Mediu
Potential de distrugere:Mediu
Fisier static:Da
Marime:137.216 Bytes
MD5:6302b23450e976db2791c5b874d67755
Versiune VDF:6.32.01.08

 General Metode de raspandire:
   • Reteaua locala
   • Discuri de retea mapate


Alias:
   •  Kaspersky: Backdoor.Win32.Rbot.aeu
   •  TrendMicro: WORM_RBOT.DBE
   •  F-Secure: W32/Sdbot.NOU
   •  Bitdefender: Backdoor.IRCBot.DI


Sistem de operare:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Efecte secundare:
   • Reduce setarile de securitate
   • Inregistreaza intrarile de la tastatura
   • Modificari in registri
   • Profita de vulnerabilitatile softului
   • Sustrage informatii
   • Posibilitatea accesului neautorizat la computer

 Fisiere Se copiaza in urmatoarea locatie:
   • %SYSDIR%\servic.exe

 Registrii sistemului Urmatoarele chei sunt adaugate in registri, in mod repetat, pentru a asigura pornirea procesului dupa reboot.

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft Update 32"="servic.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "Microsoft Update 32"="servic.exe"



Se adauga in registrii sistemului:

– [HKCU\Software\Microsoft\OLE]
   • "Microsoft Update 32"="servic.exe"



Urmatoarele chei din registri sunt modificate:

– [HKLM\SOFTWARE\Microsoft\Ole]
   Vechea valoare:
   • "EnableDCOM"=%setarile utilizatorului%
   Noua valoare:
   • "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Vechea valoare:
   • "restrictanonymous"=%setarile utilizatorului%
   Noua valoare:
   • "restrictanonymous"=dword:00000001

 Reţea Pentru a-si asigura raspandirea, programul malware incearca sa contacteze alte sisteme, asa cum este descris in continuare:

Creeaza copii malware in urmatoarele share-uri de retea:
   • IPC$
   • C$
   • C$\windows\system32
   • c$\winnt\system32
   • ADMIN$
   • ADMIN$\system32


Foloseste urmatoarele date de logare, pentru a controla sistemul la distanta:

–Utilizatori si parole inregistrate.

– Lista de utilizatori si parole:
   • 007; 123; 1234; 2000; 2001; 2002; 2003; 2004; 12345; 123456; 1234567;
      12345678; 123456789; 1234567890; access; accounting; accounts; adm;
      admin; admin; administrador; administrador; administrat; administrat;
      administrateur; administrateur; administrator; administrator; admins;
      admins; asd; backup; bill; bitch; blank; bob; bob; brian; changeme;
      chris; cisco; compaq; computer; control; data; database; database;
      databasepass; databasepassword; db1; db1234; db2; db2; dba; dbpass;
      dbpassword; default; default; dell; demo; domain; domainpass;
      domainpassword; eric; exchange; fred; fuck; george; god; guest; guest;
      hell; hello; home; homeuser; ian; ibm; internet; internet; intranet;
      jen; joe; john; kate; katie; lan; lee; linux; login; loginpass; luke;
      mail; main; mary; mike; neil; nokia; none; null; oem; oeminstall;
      oemuser; office; oracle; oracle; orainstall; outlook; owner; pass;
      pass1234; passwd; password; password1; peter; peter; pwd; qaz; qwe;
      qwerty; root; root; sam; server; sex; siemens; slut; sql;
      sqlpassoainstall; staff; staff; student; student; sue; susan; system;
      teacher; teacher; technical; test; unix; user; web; win2000; win2k;
      win98; windows; winnt; winpass; winxp; www; wwwadmin; zxc



Exploit:
Foloseste urmatoarele vulnerabilitati:
– MS02-018 (Patch for Internet Information Service)
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS03-007 (Unchecked Buffer in Windows Component)
– MS03-026 (Buffer Overrun in RPC Interface)
– MS03-039 (Buffer Overrun in RPCSS Service)
– MS03-049 (Buffer Overrun in the Workstation Service)
– MS04-007 (ASN.1 Vulnerability)
– MS04-011 (LSASS Vulnerability)
– Bagle backdoor (port 2745)
– Kuang backdoor (port 17300)
– Mydoom backdoor (port 3127)
– NetDevil backdoor (port 903)
– Optix backdoor (port 3140)
– SubSeven backdoor (port 27347)
– Administrare remote DameWare (port 6129)


Generarea adreselor IP:
Creeaza adrese IP aleatoare si incearca sa le contacteze.


Procesul de infectare:
Creeaza un script TFTP sau FTP pe masina afectata, pentru a descarca malware la distanta, pe un alt sistem.
Fisierul descarcat este salvat pe masina infectata, cu numele: %radacina partitiei Windows%\a.exe


Activare de la distanta:
–Incearca sa activeze de la distanta malware-ul pe sistemul recent infectat. Pentru aceasta, apeleaza functia NetScheduleJobAdd.

 IRC Pentru a trimite informatii si pentru a fi controlat se conecteaza la serverul IRC:

Server: irc.ku**********.net
Port: 1982
Canal: #.r3ptile
Nick: %combinatie de caractere aleatoare%
Parola: h4s



– Acest malware poate obtine si trimite infomatii cum ar fi:
    • Parole retinute
    • Captura ecranului
    • Captura imagine de pe webcam
    • Adresele de email colectate
    • Viteza procesorului
    • Utilizatorul curent
    • Informatii despre drivere
    • Spatiu liber pe disc
    • Memorie nealocata
    • Timpul de cand malware-ul a fost lansat in executie
    • Informatii despre retea
    • ID-ul platformei
    • Informatii despre procesele sistemului
    • Cantitatea de memorie
    • Director sistem
    • Utilizator
    • Activitatea utilizatorilor locali
    • Directorul Windows
    • Informatii despre sistemul de operare


– In plus, poate efectua urmatoarele operatii:
    • conectare server IRC
    • Lanseaza atacuri DDoS ICMP
    • Lanseaza atacuri DDoS SYN
    • Lanseaza atacuri DDoS TCP
    • Lanseaza atacuri DDoS UDP
    • dezactivare DCOM
    • dezactivarea partajarii de resurse in retea
    • deconectare server IRC
    • descarcare fisier
    • editare registru sistem
    • activare DCOM
    • activarea partajarii de resurse in retea
    • executarea unui fisier
    • intrare pe canal IRC
    • terminare proces
    • parasire canal IRC
    • deschidere consola
    • executare atac DDoS
    • Scaneaza reteaua
    • redirectionare porturi
    • Inregistreaza un serviciu
    • repornirea sistemului
    • trimitere email-uri
    • oprierea sistemului
    • Porneste keylog
    • Porneste rutina de raspandire
    • terminare proces malware
    • terminare proces
    • Se actualizeaza singur
    • Face upload la un fisier
    • Vizitarea unui website

 Terminarea proceselor Lista cu procesele oprite:
   • _AVP32.EXE; _AVPCC.EXE; _AVPM.EXE; ADAWARE.EXE; ADVXDWIN.EXE;
      AGENTSVR.EXE; AGENTW.EXE; ALERTSVC.EXE; ALEVIR.EXE; ALOGSERV.EXE;
      AMON9X.EXE; ANTI-TROJAN.EXE; ANTIVIRUS.EXE; ANTS.EXE; APIMONITOR.EXE;
      APLICA32.EXE; APVXDWIN.EXE; ARR.EXE; ATCON.EXE; ATGUARD.EXE;
      ATRO55EN.EXE; ATUPDATER.EXE; ATUPDATER.EXE; ATWATCH.EXE; AU.EXE;
      AUPDATE.EXE; AUPDATE.EXE; AUTODOWN.EXE; AUTODOWN.EXE;
      AUTO-PROTECT.NAV80TRY.EXE; AUTOTRACE.EXE; AUTOTRACE.EXE;
      AUTOUPDATE.EXE; AUTOUPDATE.EXE; AVCONSOL.EXE; AVE32.EXE; AVGCC32.EXE;
      AVGCTRL.EXE; AVGNT.EXE; AVGSERV.EXE; AVGSERV9.EXE; AVGUARD.EXE;
      AVGW.EXE; AVKPOP.EXE; AVKSERV.EXE; AVKSERVICE.EXE; AVKWCTl9.EXE;
      AVLTMAIN.EXE; AVNT.EXE; AVP.EXE; AVP32.EXE; AVPCC.EXE; AVPDOS32.EXE;
      AVPM.EXE; AVPTC32.EXE; AVPUPD.EXE; AVPUPD.EXE; AVSCHED32.EXE;
      AVSYNMGR.EXE; AVWIN95.EXE; AVWINNT.EXE; AVWUPD.EXE; AVWUPD32.EXE;
      AVWUPD32.EXE; AVWUPSRV.EXE; AVXMONITOR9X.EXE; AVXMONITORNT.EXE;
      AVXQUAR.EXE; AVXQUAR.EXE; BACKWEB.EXE; BARGAINS.EXE; bbeagle.exe;
      BD_PROFESSIONAL.EXE; BEAGLE.EXE; BELT.EXE; BIDEF.EXE; BIDSERVER.EXE;
      BIPCP.EXE; BIPCPEVALSETUP.EXE; BISP.EXE; BLACKD.EXE; BLACKICE.EXE;
      BLSS.EXE; BOOTCONF.EXE; BOOTWARN.EXE; BORG2.EXE; BPC.EXE; BRASIL.EXE;
      BS120.EXE; BUNDLE.EXE; BVT.EXE; CCAPP.EXE; CCEVTMGR.EXE; CCPXYSVC.EXE;
      CDP.EXE; CFD.EXE; CFGWIZ.EXE; CFIADMIN.EXE; CFIAUDIT.EXE;
      CFIAUDIT.EXE; CFINET.EXE; CFINET32.EXE; Claw95.EXE; CLAW95CF.EXE;
      CLAW95CF.EXE; CLEAN.EXE; CLEANER.EXE; CLEANER3.EXE; CLEANPC.EXE;
      CLICK.EXE; CMD32.EXE; CMESYS.EXE; CMGRDIAN.EXE; CMON016.EXE;
      CONNECTIONMONITOR.EXE; CPD.EXE; CPF9X206.EXE; CPFNT206.EXE; CTRL.EXE;
      CV.EXE; CWNB181.EXE; CWNTDWMO.EXE; d3dupdate.exe; DACKWIN32.EXE;
      DATEMANAGER.EXE; DCOMX.EXE; DEFALERT.EXE; DEFSCANGUI.EXE;
      DEFWATCH.EXE; DEPUTY.EXE; DIVX.EXE; DLLCACHE.EXE; DLLREG.EXE;
      DOORS.EXE; DPF.EXE; DPFSETUP.EXE; DPPS2.EXE; DRWATSON.EXE;
      DRWEB32.EXE; DRWEBUPW.EXE; DSSAGENT.EXE; DVP95.EXE; DVP95_0.EXE;
      ECENGINE.EXE; EFPEADM.EXE; EMSW.EXE; ENT.EXE; ESAFE.EXE; ESCANH95.EXE;
      ESCANHNT.EXE; ESCANV95.EXE; ESPWATCH.EXE; ETHEREAL.EXE;
      ETRUSTCIPE.EXE; EVPN.EXE; EXANTIVIRUS-CNET.EXE; EXE.AVXW.EXE;
      EXPERT.EXE; EXPLORE.EXE; F-AGNT95.EXE; F-AGOBOT.EXE; FAMEH32.EXE;
      FAST.EXE; FCH32.EXE; FIH32.EXE; FINDVIRU.EXE; FIREWALL.EXE;
      FLOWPROTECTOR.EXE; FNRB32.EXE; FPROT.EXE; F-PROT.EXE; F-PROT95.EXE;
      FP-WIN.EXE; FP-WIN_TRIAL.EXE; FRW.EXE; FSAA.EXE; FSAV.EXE; FSAV32.EXE;
      FSAV530STBYB.EXE; FSAV530WTBYB.EXE; FSAV95.EXE; FSGK32.EXE; FSM32.EXE;
      FSMA32.EXE; FSMB32.EXE; F-STOPW.EXE; GATOR.EXE; GBMENU.EXE;
      GBPOLL.EXE; GENERICS.EXE; GMT.EXE; GUARD.EXE; GUARDDOG.EXE;
      HACKTRACERSETUP.EXE; HBINST.EXE; HBSRV.EXE; HIJACKTHIS.EXE;
      HOTACTIO.EXE; HOTPATCH.EXE; HTLOG.EXE; HTPATCH.EXE; HWPE.EXE;
      HXDL.EXE; HXIUL.EXE; i11r54n4.exe; IAMAPP.EXE; IAMSERV.EXE;
      IAMSTATS.EXE; IBMASN.EXE; IBMAVSP.EXE; ICLOAD95.EXE; ICLOADNT.EXE;
      ICMON.EXE; ICSUPP95.EXE; ICSUPP95.EXE; ICSUPPNT.EXE; IDLE.EXE;
      IEDLL.EXE; IEDRIVER.EXE; IEXPLORER.EXE; IFACE.EXE; IFW2000.EXE;
      INETLNFO.EXE; INFUS.EXE; INFWIN.EXE; INIT.EXE; INTDEL.EXE; INTREN.EXE;
      IOMON98.EXE; IPARMOR.EXE; IRIS.EXE; irun4.exe; ISASS.EXE; ISRV95.EXE;
      ISTSVC.EXE; JAMMER.EXE; JDBGMRG.EXE; JEDI.EXE; KAVLITE40ENG.EXE;
      KAVPERS40ENG.EXE; KAVPF.EXE; KAZZA.EXE; KEENVALUE.EXE;
      KERIO-PF-213-EN-WIN.EXE; KERIO-WRL-421-EN-WIN.EXE;
      KERIO-WRP-421-EN-WIN.EXE; KERNEL32.EXE; KILLPROCESSSETUP161.EXE;
      LAUNCHER.EXE; LDNETMON.EXE; LDPRO.EXE; LDPROMENU.EXE; LDSCAN.EXE;
      LNETINFO.EXE; LOADER.EXE; LOCALNET.EXE; LOCKDOWN.EXE;
      LOCKDOWN2000.EXE; LOOKOUT.EXE; LORDPE.EXE; LSETUP.EXE; LUALL.EXE;
      LUALL.EXE; LUAU.EXE; LUCOMSERVER.EXE; LUINIT.EXE; LUSPT.EXE;
      MAPISVC32.EXE; MCAGENT.EXE; MCMNHDLR.EXE; MCSHIELD.EXE; MCTOOL.EXE;
      MCUPDATE.EXE; MCUPDATE.EXE; MCVSRTE.EXE; MCVSSHLD.EXE; MD.EXE;
      MFIN32.EXE; MFW2EN.EXE; MFWENG3.02D30.EXE; MGAVRTCL.EXE; MGAVRTE.EXE;
      MGHTML.EXE; MGUI.EXE; MINILOG.EXE; MMOD.EXE; MONITOR.EXE; MOOLIVE.EXE;
      MOSTAT.EXE; MPFAGENT.EXE; MPFSERVICE.EXE; MPFTRAY.EXE; MRFLUX.EXE;
      MSAPP.EXE; MSBB.EXE; MSBLAST.EXE; MSCACHE.EXE; MSCCN32.EXE;
      MSCMAN.EXE; MSCONFIG.EXE; mscvb32.exe; MSDM.EXE; MSDOS.EXE;
      MSIEXEC16.EXE; MSINFO32.EXE; MSLAUGH.EXE; MSMGT.EXE; MSMSGRI32.EXE;
      MSSMMC32.EXE; MSSYS.EXE; MSVXD.EXE; MU0311AD.EXE; MWATCH.EXE;
      N32SCANW.EXE; NAV.EXE; NAVAP.NAVAPSVC.EXE; NAVAPSVC.EXE; NAVAPW32.EXE;
      NAVDX.EXE; NAVENGNAVEX15.NAVLU32.EXE; NAVLU32.EXE; NAVNT.EXE;
      NAVSTUB.EXE; NAVW32.EXE; NAVWNT.EXE; NC2000.EXE; NCINST4.EXE;
      NDD32.EXE; NEOMONITOR.EXE; NEOWATCHLOG.EXE; NETARMOR.EXE; NETD32.EXE;
      NETINFO.EXE; NETMON.EXE; NETSCANPRO.EXE; NETSPYHUNTER-1.2.EXE;
      NETSTAT.EXE; NETUTILS.EXE; NISSERV.EXE; NISUM.EXE; NMAIN.EXE;
      NOD32.EXE; NORMIST.EXE; NORTON_INTERNET_SECU_3.0_407.EXE;
      NOTSTART.EXE; NPF40_TW_98_NT_ME_2K.EXE; NPFMESSENGER.EXE;
      NPROTECT.EXE; NPSCHECK.EXE; NPSSVC.EXE; NSCHED32.EXE; NSSYS32.EXE;
      NSTASK32.EXE; NSUPDATE.EXE; NT.EXE; NTRTSCAN.EXE; NTVDM.EXE;
      NTXconfig.EXE; NUI.EXE; NUPGRADE.EXE; NUPGRADE.EXE; NVARCH16.EXE;
      NVC95.EXE; NVSVC32.EXE; NWINST4.EXE; NWSERVICE.EXE; NWTOOL16.EXE;
      OLLYDBG.EXE; ONSRVR.EXE; OPTIMIZE.EXE; OSTRONET.EXE; OTFIX.EXE;
      OUTPOST.EXE; OUTPOST.EXE; OUTPOSTINSTALL.EXE; OUTPOSTPROINSTALL.EXE;
      PADMIN.EXE; PandaAVEngine.exe; PANIXK.EXE; PATCH.EXE; PAVCL.EXE;
      PAVPROXY.EXE; PAVSCHED.EXE; PAVW.EXE; PCC2002S902.EXE;
      PCC2K_76_1436.EXE; PCCIOMON.EXE; PCCNTMON.EXE; PCCWIN97.EXE;
      PCCWIN98.EXE; PCDSETUP.EXE; PCFWALLICON.EXE; PCIP10117_0.EXE;
      PCSCAN.EXE; PDSETUP.EXE; PENIS.EXE; Penis32.exe; PERISCOPE.EXE;
      PERSFW.EXE; PERSWF.EXE; PF2.EXE; PFWADMIN.EXE; PGMONITR.EXE;
      PINGSCAN.EXE; PLATIN.EXE; POP3TRAP.EXE; POPROXY.EXE; POPSCAN.EXE;
      PORTDETECTIVE.EXE; PORTMONITOR.EXE; POWERSCAN.EXE; PPINUPDT.EXE;
      PPTBC.EXE; PPVSTOP.EXE; PRIZESURFER.EXE; PRMT.EXE; PRMVR.EXE;
      PROCDUMP.EXE; PROCESSMONITOR.EXE; PROCEXPLORERV1.0.EXE;
      PROGRAMAUDITOR.EXE; PROPORT.EXE; PROTECTX.EXE; PSPF.EXE; PURGE.EXE;
      PUSSY.EXE; PVIEW95.EXE; QCONSOLE.EXE; QSERVER.EXE; RAPAPP.EXE;
      rate.exe; RAV7.EXE; RAV7WIN.EXE; RAV8WIN32ENG.EXE; RAY.EXE; RB32.EXE;
      RCSYNC.EXE; REALMON.EXE; REGED.EXE; REGEDIT.EXE; REGEDT32.EXE;
      RESCUE.EXE; RESCUE32.EXE; RRGUARD.EXE; RSHELL.EXE; RTVSCAN.EXE;
      RTVSCN95.EXE; RULAUNCH.EXE; RUN32DLL.EXE; RUNDLL.EXE; RUNDLL16.EXE;
      RUXDLL32.EXE; SAFEWEB.EXE; SAHAGENT.EXE; SAVE.EXE; SAVENOW.EXE;
      SBSERV.EXE; SC.EXE; SCAM32.EXE; SCAN32.EXE; SCAN95.EXE; SCANPM.EXE;
      SCRSCAN.EXE; SCRSVR.EXE; SCVHOST.EXE; SD.EXE; SERV95.EXE; SERVICE.EXE;
      SERVLCE.EXE; SERVLCES.EXE; SETUP_FLOWPROTECTOR_US.EXE;
      SETUPVAMEEVAL.EXE; SFC.EXE; SGSSFW32.EXE; SH.EXE; SHELLSPYINSTALL.EXE;
      SHN.EXE; SHOWBEHIND.EXE; SMC.EXE; SMS.EXE; SMSS32.EXE; SOAP.EXE;
      SOFI.EXE; SPERM.EXE; SPF.EXE; SPHINX.EXE; SPOLER.EXE; SPOOLCV.EXE;
      SPOOLSV32.EXE; SPYXX.EXE; SREXE.EXE; SRNG.EXE; SS3EDIT.EXE; ssate.exe;
      SSG_4104.EXE; SSGRATE.EXE; ST2.EXE; START.EXE; STCLOADER.EXE;
      SUPFTRL.EXE; SUPPORT.EXE; SUPPORTER5.EXE; SVC.EXE; SVCHOSTC.EXE;
      SVCHOSTS.EXE; SVSHOST.EXE; SWEEP95.EXE;
      SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE; SYMPROXYSVC.EXE; SYMTRAY.EXE;
      SYSEDIT.EXE; sysinfo.exe; SysMonXP.exe; SYSTEM.EXE; SYSTEM32.EXE;
      SYSUPD.EXE; TASKMG.EXE; TASKMO.EXE; TASKMON.EXE; TAUMON.EXE;
      TBSCAN.EXE; TC.EXE; TCA.EXE; TCM.EXE; TDS2-98.EXE; TDS2-NT.EXE;
      TDS-3.EXE; TEEKIDS.EXE; TFAK.EXE; TFAK5.EXE; TGBOB.EXE; TITANIN.EXE;
      TITANINXP.EXE; TRACERT.EXE; TRICKLER.EXE; TRJSCAN.EXE; TRJSETUP.EXE;
      TROJANTRAP3.EXE; TSADBOT.EXE; TVMD.EXE; TVTMD.EXE; UNDOBOOT.EXE;
      UPDAT.EXE; UPDATE.EXE; UPDATE.EXE; UPGRAD.EXE; UTPOST.EXE;
      VBCMSERV.EXE; VBCONS.EXE; VBUST.EXE; VBWIN9X.EXE; VBWINNTW.EXE;
      VCSETUP.EXE; VET32.EXE; VET95.EXE; VETTRAY.EXE; VFSETUP.EXE;
      VIR-HELP.EXE; VIRUSMDPERSONALFIREWALL.EXE; VNLAN300.EXE; VNPC3000.EXE;
      VPC32.EXE; VPC42.EXE; VPFW30S.EXE; VPTRAY.EXE; VSCAN40.EXE;
      VSCENU6.02D30.EXE; VSCHED.EXE; VSECOMR.EXE; VSHWIN32.EXE;
      VSISETUP.EXE; VSMAIN.EXE; VSMON.EXE; VSSTAT.EXE; VSWIN9XE.EXE;
      VSWINNTSE.EXE; VSWINPERSE.EXE; W32DSM89.EXE; W9X.EXE; WATCHDOG.EXE;
      WEBDAV.EXE; WEBSCANX.EXE; WEBTRAP.EXE; WFINDV32.EXE; WGFE95.EXE;
      WHOSWATCHINGME.EXE; WIMMUN32.EXE; WIN32.EXE; WIN32US.EXE;
      WINACTIVE.EXE; WIN-BUGSFIX.EXE; WINDOW.EXE; WINDOWS.EXE; WININETD.EXE;
      WININIT.EXE; WININITX.EXE; WINLOGIN.EXE; WINMAIN.EXE; WINNET.EXE;
      WINPPR32.EXE; WINRECON.EXE; WINSERVN.EXE; WINSSK32.EXE; WINSTART.EXE;
      WINSTART001.EXE; winsys.exe; WINTSK32.EXE; winupd.exe; WINUPDATE.EXE;
      WKUFIND.EXE; WNAD.EXE; WNT.EXE; WRADMIN.EXE; WRCTRL.EXE; WSBGATE.EXE;
      WUPDATER.EXE; WUPDT.EXE; WYVERNWORKSFIREWALL.EXE; XPF202EN.EXE;
      ZAPRO.EXE; ZAPSETUP3001.EXE; ZATUTOR.EXE; ZONALM2601.EXE;
      ZONEALARM.EXE


 Furt de informatii Incearca sa obtina urmatoarele informatii:
– Windows Product ID

– Urmatoarele CD-keys:
   • Battlefield 1942; Battlefield 1942 (Road To Rome); Battlefield
      Vietnam; Black and White; Command & Conquer Generals; Command and
      Conquer: Generals (Zero Hour); Command and Conquer: Red Alert 2;
      Command and Conquer: Tiberian Sun; Counter-Strike (Retail); Chrome;
      FIFA 2002; FIFA 2003; Freedom Force; Global Operations; Gunman
      Chronicles; Half-Life; Hidden & Dangerous 2; IGI 2: Covert Strike;
      Industry Giant 2; James Bond 007: Nightfire; Legends of Might and
      Magic; Medal of Honor: Allied Assault; Medal of Honor: Allied Assault:
      Breakthrough; Medal of Honor: Allied Assault: Spearhead; Nascar Racing
      2002; Nascar Racing 2003; Need For Speed Hot Pursuit 2; Need For
      Speed: Underground; Neverwinter Nights; Neverwinter Nights (Hordes of
      the Underdark); Neverwinter Nights (Shadows of Undrentide); NHL 2003;
      NHL 2002; NOX; Rainbow Six III RavenShield; Shogun: Total War: Warlord
      Edition; Soldier of Fortune II - Double Helix; Soldiers Of Anarchy;
      The Gladiators; Unreal Tournament 2003; Unreal Tournament 2004
      

– Monitorizeaza reteaua folosind un sniffer si cauta urmatoarele siruri de caractere:
   • :.login; :,login; :!login; :@login; :$login; :%login; :^login;
      :*login; :-login; :+login; :/login; :\login; :=login; :?login;
      :'login; :`login; :~login; : login; :.auth; :,auth; :!auth; :@auth;
      :$auth; :%auth; :^auth; :&auth; :*auth; :-auth; :+auth; :/auth;
      :\auth; :=auth; :?auth; :'auth; :`auth; :~auth; : auth; :.id; :,id;
      :!id; :@id; :$id; :%id; :^id; :&id; :*id; :-id; :+id; :/id; :\id;
      :=id; :?id; :'id; :`id; :~id; : id; :.hashin; :!hashin; :$hashin;
      :%hashin; :.secure; :!secure; :.l; :!l; :$l; :%l; :.x; :!x; :$x; :%x;
      :.syn; :!syn; :$syn; :%syn
      

– O rutina de logare este pornita dupa ce un site este vizitat:
   • paypal.com

 Alte informatii Mutex:
Creeaza urmatorul mutex:
   • js
In plus, mai contine urmatoarele siruri de caractere:
   • neTmaNiac
   • netmaniac was here
   • 12/12/04 13:13:13
   • netninjaz_place
   • Mehmeti
   • irc.kruma.us

 Detaliile fisierului Limbaj de programare:
 Limbaj de programare folosit: C (compilat cu Microsoft Visual C++).


Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit un program de compresie runtime.

Description insérée par Daniel Constantin le vendredi 9 décembre 2005
Description mise à jour par Daniel Constantin le lundi 12 décembre 2005

Retour . . . .