Description complète

Nume:	Worm/VB.BS.2
Descoperit pe data de:	27/04/2006
Tip:	Vierme
ITW:	Nu
Numar infectii raportate:	Scazut
Potential de raspandire:	Mediu spre ridicat
Potential de distrugere:	Scazut spre mediu
Fisier static:	Da
Marime:	43.520 Bytes
MD5:	818de564a30f64e39c7f6142605ebcfb
Versiune VDF:	6.34.01.16 - jeudi 27 avril 2006
Versiune IVDF:	6.34.01.16 - jeudi 27 avril 2006

General Metoda de raspandire:
   • Email
   • Peer to Peer

Alias:
   • Kaspersky: Email-Worm.Win32.VB.bs
   • F-Secure: Email-Worm.Win32.VB.bs
   • Sophos: W32/Bobandy-G
   • Grisoft: I-Worm/VB.LG
   • Eset: Win32/NoonLight.A
   • Bitdefender: Win32.Moonlight.C@mm

Sistem de operare:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Efecte secundare:
   • Inchide aplicatiile de securitate
   • Creeaza fisiere
   • Utilizeaza propriul motor de email
   • Reduce setarile de securitate
   • Modificari in registri

Fisiere Se copiaza in urmatoarele locatii:
   • %WINDIR%\JAVA\CLASES\BIN\service.exe
   • %SYSDIR%\APPLOG\Sys\smss.exe
   • %SYSDIR%\run32dll.exe
   • %WINDIR%\Systask.exe
   • %SYSDIR%\dllcache\S-1-5-21-3407528163-1890605801-2494157004-500_Classes\MSOWCF.cmd
   • %WINDIR%\Brico.cmd
   • %WINDIR%\command.com
   • %SYSDIR%\remotesp.cmd
   • %SYSDIR%\MySqld-nt.cmd
   • %HOME%\Start Menu\Programs\startup\MySqld-nt Start.cmd
   • %WINDIR%\COMMAND\SETRAMD.cmd

Creeaza urmatoarele directoare:
   • %WINDIR%\JAVA\CLASES\BIN
   • %WINDIR%\COMMAND

Sunt create fisierele:

– Un fisier temporar care poate fi sters dupa aceea:
   • %TEMPDIR%\~%valori hex%.tmp

– C:\D4nc1ng_in_the_M0oNLighT.txt Acesta este un fisier text care nu prezinta pericol si are urmatorul continut:
   • |------------------------------|
     | Im Alone, Where Is God ?? |
     | i'm Trapped This World |
     | No one's there |
     | YOu StiLL Hurt Me , Why |
     | in The Moon Light ... |
     | i'll ... die .... |
     | I can'T WaiT Tomorrow |
     | is so much to Long |
     | GoodBye Sickness |
     |------------------------------|

– %HOME%\My Documents\M_o_0_n_L_i_g_h_T.txt Acesta este un fisier text care nu prezinta pericol si are urmatorul continut:
   • ----------------+-[W32/Moonlight]-+----------
     Created 3-2006 ,Depok City Indonesia,
     Greet's to MyMom,DeathKnight,PsHmV,Retro,
     Alco,LanElitta,An4k2MI***mrg


     |by HellSpawn|
     ---------------------------------------------

– %HOME%\My Documents\iLOVEHErLAN_ELLITTA.txt Acesta este un fisier text care nu prezinta pericol si are urmatorul continut:
   • --------------------------------------------
     |Ta GW Masih Di DEpok, GW jg Blom nikah ko |
     |itu semua cm Gosip ko, gw kuliah di *** |
     |MarGonda.. |
     |By KK Loe |
     --------------------------------------------

– %SYSDIR%\winup\msvbvm60.dll
– %SYSDIR%\msvbvm60.dll
– C:\cmd.bat

Registrii sistemului Urmatoarele chei sunt adaugate in registri pentru a rula procesul la repornirea sistemului:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "ObjectDockZX"="%WINDIR%\Brico.cmd"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "MooNlightNeverDie"="%SYSDIR%\MySqld-nt.cmd"

Valorile urmatoarelor chei sunt sterse din registrii sistemului:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Tok-Cirrhatus"
   • "AllMyBallance"
   • "MomentEverComes"
   • "Tok-Cirrhatus-1101"
   • "SaTRio ADie X"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "TryingToSpeak"
   • "YourUnintended"
   • "YourUnintendes"
   • "lexplorer"
   • "dkernel"
   • "chaaya bulan"
   • "Bron-Spizaetus-cgglmmrv"
   • "Bron-Spizaetus"
   • "Bron-Spizaetus-cfirltrx"
   • "ADie suka kamu"

Urmatoarele chei sunt adaugate in registrii sistemului:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\msconfig.exe]
   • "debugger"="%SYSDIR%\remotesp.cmd"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\regedit.exe]
   • "debugger"="%WINDIR%\command.com"

– [HKCU\Software\VB and VBA Program Settings]
– [HKCU\Software\VB and VBA Program Settings\noGods]
– [HKCU\Software\VB and VBA Program Settings\noGods\appActive]
   • "service.exe"="7LN{8Y"
   • "smss.exe"="xÅa½yG:"

– [HKCU\Software\VB and VBA Program Settings\untukmu\version]
   • "me"="2"

Urmatoarele chei din registri sunt modificate:

Diverse setari in Explorer:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Vechea valoare:
   • "Hidden"=%user defined values%
   • "HideFileExt"=%user defined values%
   • "ShowSuperHidden"=%user defined values%
   Noua valoare:
   • "Hidden"=dword:00000000
   • "HideFileExt"=dword:00000001
   • "ShowSuperHidden"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   Vechea valoare:
   • "NoFolderOptions"=%setarile utilizatorului%
   Noua valoare:
   • "NoFolderOptions"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   Vechea valoare:
   • "UncheckedValue"=dword:00000001
   Noua valoare:
   • "UncheckedValue"=dword:00000000

Dezactivarea programelor Regedit si Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   Vechea valoare:
   • "DisableRegistryTools"=%setarile utilizatorului%
   Noua valoare:
   • "DisableRegistryTools"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Vechea valoare:
   • "Shell"="Explorer.exe"
   Noua valoare:
   • "Shell"="explorer.exe, "%WINDIR%\COMMAND\SETRAMD.cmd""

Dezactiveaza Windows Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Vechea valoare:
   • "Start"=%setarile utilizatorului%
   Noua valoare:
   • "Start"=dword:00000000

– [HKLM\SYSTEM\ControlSet%numar%\Control\SafeBoot]
   Noua valoare:
   • "AlternateShell"="cmd.exe"

– [HKCR\scrfile]
   Vechea valoare:
   • @="Screen Saver"
   Noua valoare:
   • @="File Folder"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   User Shell Folders]
   Noua valoare:
   • "Common Startup"="%SYSDIR%\dllcache\S-1-5-21-3407528163-1890605801-2494157004-500_Classes"

Email Are un motor SMTP integrat. Va fi facuta o conexiune directa cu serverul destinatar. Iata caracteristicile lui:

De la:
Adresa este falsificata.
Adrese generate. Va rugam nu presupuneti ca a fost intentia expeditorului sa va trimita acest email. Este posibil ca el sa nu stie ca este infectat sau chiar sa nu aiba sistemul infectat. In plus, este posibil sa primiti email-uri returnate care sa va indice ca sunteti infectat, lucru care poate fi de asemenea fals.

Catre:
– Adrese de email gasite pe sistem.
– Adrese de email obtinute din WAB (Windows Address Book)

Subiect:
Unul din urmatoarele:
   • Tolong Aku..
   • Tolong
   • Registration Confirmation
   • Cek This
   • hello
   • RE:bla bla bla
   • RE:HeLLO GuYs

Corpul email-ului:
Corpul email-ului este unul din textele:

   • hi please see this file

   • hot babe high quality porn

   • free screen saver romance for you

   • Please Visit Our Web Site:http://www.moonLight.com

   • hey free brontok, small_kl & more removal

   • thank's for you register
     your acount details are attached

   • Aku Mencari Wanita yang aku Cintai
     dan cara menggunakan email mass
     Rita

   • ini adalah cara terakhirku ,di lampiran ini terdapat
     foto dan data Wanita tsb Thank's

   • NB:Mohon di teruskan kesahabat anda
     password lampiran 55132098

   • aku mahasiswa Bsi Margonda smt 3

   • yah aku sedang membutuhkan pekerjaan

   • oh ya aku tahu anda dr milis ilmu komputer

   • di lampiran ini terdapat curriculum vittae dan foto saya

Uneori continuand cu una din urmatoarele:

   • For security reasons attached file is password protected.
     The password is 55132098

Atasament:
Numele fisierului atasat este unul din urmatoarele:
   • mypic.zip
   • dataKU.ace
   • attach.zip
   • Update.bz2
   • Doc.gz
   • file.bz2
   • thisfile.gz
   • pic.jar

Atasamentul este o arhiva ce contine chiar o copie malware.

Email Cautare adrese:
Cauta adrese de email in urmatoarele fisiere:
   • html; xls; mdb; doc; rtf; php"; pps; ppt; txt; tml; asp; wab; eml

Genereaza adrese pentru campul expeditorului:
Pentru a genera adrese foloseste urmatoarele texte:
   • B4bb1cool; SpawN; jojo; mansonisme; Yoseph2000; 12050075; CoolMan;
      BabbyBear; Jagung-Bakar; MooNLight; Juwita; Davis; Titta; Anata;
      Emily; HellSpawn; Lia; Fria; admin; SaZZA; BInaSarana; Shit;
      JuwitaNingrum; HackersMinds; telkom; astaga; boleh; PLASA; indo;
      warung; gaul; id

Adrese evitate:
Nu trimite email-uri la adrese care contin unul din urmatoarele siruri de caractere:
   • microsoft; .l; htm; rar; zip; www.; ..; virus; suport; MoonMail;
      yoursite; yourdomain; norton; panda; mcafee; Syman; sophos; Trend;
      vaksin; novell

Prefixeaza domeniile adreselor de email:
Pentru a afla IP-ul serverului de mail, poate adauga inaintea domeniului urmatoarele siruri de caractere:
   • ns1.
   • mx1.
   • mail1.
   • mail.
   • mx.
   • ns.
   • smtp.
   • relay.
   • gate.

P2P Pentru a infecta alte sisteme din retele Peer-to-Peer, efectueaza urmatarele operatii:   Cauta directoarele care au in numele lor unul din urmatoarele texte:
   • documen
   • oad
   • shar
   • upload
   • Pictu
   • ambar
   • dokumen

   Daca reuseste, sunt create urmatoarele fisiere:
   • Gallery%spatii libere%.scr
   • Blink 182%spatii libere%.scr
   • Windows Vista setup%spatii libere%.scr
   • Data DosenKu%spatii libere%.scr
   • Titip Folder Jangan DiHapus%spatii libere%.scr
   • Love Song%spatii libere%.scr
   • New mp3 BaraT !!%spatii libere%.scr
   • THe Best Ungu%spatii libere%.scr
   • Norman virus Control 5.18%spatii libere%.scr
   • TutoriaL HAcking%spatii libere%.scr
   • Lagu - Server%spatii libere%.scr
   • RaHasIA%spatii libere%.scr

   Aceste fişiere sunt copii ale malware-ului.

Terminarea proceselor Procesele care contin urmatoarele siruri de caractere sunt oprite:
   • dengines
   • command
   • cleaner
   • access
   • kill box
   • regis
   • config
   • sensasi
   • cmd
   • hijack

Sunt inchise procesele care au titlul ferestri unul din urmatoarele:
   • zonEALARM
   • Startup control
   • filewalker
   • ProceXP
   • system Mechanic
   • OfficeSystem
   • Freeze

Detaliile fisierului Limbaj de programare:
Limbaj de programare folosit: Visual Basic.

Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit urmatorul program de arhivare:
• PECompact

Description insérée par Adriana Popa le mardi 9 janvier 2007
Description mise à jour par Adriana Popa le mardi 9 janvier 2007

Retour . . . .

Protection avancée pour votre PC

Produits gratuits

Les plus populaires

Tous les produits

Offres groupées

Stations de travail

Server

Offres groupées

Mail Gateways

Web Gateways

Plateformes collaboratives

Particuliers

Entreprises

Virus Lab

Support avancé

Programme Avira Partner

Particuliers

Entreprises

Une simple évaluation vous suffit ?

Manuels et outils