Name: VBS/Drop.Bifrose
Discovered on: 08/05/2009
Type: Worm
ITW: No
Number of reported infections: Low
Spreading potential: Low
Damage potential: Low to medium
Static file: No
Size: 159,364 bytes
MD5: cdfe8adc8ae35bf9af057b22047541bf
VDF version: 7.01.03.171
IVDF version: 7.01.03.173 - Friday, 8 May 2009

General
Spreading method:
• No own spreading routine (it does, however, drop a copy of itself and an autorun.inf on every drive, so it is carried along on removable media and launched on any host that opens the drive with AutoRun enabled)
Aliases:
• McAfee: VBS/Autorun.worm.k
• Kaspersky: Worm.VBS.Autorun.ek
• Eset: VBS/AutoRun.BX
Operating systems:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Terminates security applications
• Creates a malicious file
• Lowers security settings
• Registry modifications

Files
Copies itself to the following locations:
• %SYSDIR%\winjpg.jpg
• %all drives%\winfile.jpg
The following files are created:
– %all drives%\autorun.inf
  This is a plain text file that is not malicious on its own, but it is the launcher: when the drive is opened with AutoRun enabled, Windows runs the command it contains, which hands the dropped copy to the Windows Script Host with the VBScript engine forced by /e:vbs (the .jpg extension is therefore irrelevant). Its content is:
  • [autorun]
    shellexecute=Wscript.exe /e:vbs winfile.jpg
– %SYSDIR%\winxp.exe
  The file is executed after it has been created. Detected as: TR/Dropper.Gen

Registry
The following key is added to the registry in order to run the process after a system reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • regdiit="%SYSDIR%\winxp.exe"
  • CTFMON="%SYSDIR%\wscript.exe /E:vbs %SYSDIR%\winjpg.jpg"
The values of the following key are deleted from the registry:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • winboot=-
  • MS32DLL=-
The following keys are added to the registry:
– [HKCR\Vbsfile\DefaultIcon]
  • (Default)="%PROGRAM FILES%\Windows Media Player\wmplayer.exe,-120"
  (.vbs files are shown with the Windows Media Player icon)
– [HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer]
  • LimitSystemRestoreCheckpointing=dword:00000001
– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
  • DisableSR=dword:00000001
  (System Restore is switched off by policy, so no restore point survives for cleanup)
– [HKLM\SOFTWARE\Microsoft\Security Center]
  • AntiVirusOverride=dword:00000001
  (suppresses the Security Center warning about missing or disabled antivirus)
– [HKCR\exefile\shell\Scan for virus,s\command]
  • (Default)="%SYSDIR%\wscript.exe /E:vbs %SYSDIR%\winjpg.jpg"
– [HKCR\exefile\shell\Open application\command]
  • (Default)="%SYSDIR%\winxp.exe"
  (two extra context-menu entries for .exe files, both of which run the malware)
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
  • Debugger="%SYSDIR%\wscript.exe /E:vbs %SYSDIR%\winjpg.jpg"
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
  • Debugger="%SYSDIR%\wscript.exe /E:vbs %SYSDIR%\winjpg.jpg"
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSConfig.exe]
  • Debugger="%SYSDIR%\wscript.exe /E:vbs %SYSDIR%\winjpg.jpg"
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
  • Debugger="\winxp.exe"
  (Image File Execution Options "Debugger" hijack: every attempt to start Task Manager, Regedit, MSConfig or Process Explorer launches the malware instead of the requested tool)
– [HKCU\Software\Microsoft\Windows Scripting Host\Settings]
  • DisplayLogo=dword:00000000
  • Timeout=dword:00000000
– [HKLM\Software\Microsoft\Windows Script Host\Settings]
  • Enabled=dword:00000001
– [HKCU\Software\Microsoft\Windows Script Host\Settings]
  • DisplayLogo=dword:00000000
  • Timeout=dword:00000000
  (Windows Script Host is force-enabled, runs silently and without a script timeout)
The following registry keys are modified:
Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
  New value:
  • CheckedValue=dword:00000000
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  New value:
  • SuperHidden=dword:00000001
  • ShowSuperHidden=dword:00000000
  • HideFileExt=dword:00000001
  • Hidden=dword:00000000
  (hidden and system files stay hidden and extensions are not shown, so the dropped files and autorun.inf are not visible in Explorer)
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  New value:
  • NoDriveTypeAutoRun=dword:00000000
  (AutoRun is enabled for every drive type, which is what makes the autorun.inf on each drive effective)
– [HKLM\SYSTEM\ControlSet001\Services\wscsvc]
  New value:
  • Start=dword:00000004
– [HKLM\SYSTEM\ControlSet001\Services\wuauserv]
  New value:
  • Start=dword:00000004
  (Start=4 means Disabled: the Security Center service and the Windows Update service no longer start)
– [HKCR\VBSFile]
  New value:
  • FriendlyTypeName="MP3 Audio"
– [HKCR\mp3file]
  New value:
  • FriendlyTypeName="Good Songs"

File details
Programming language:
Programming language used: Visual Basic (VBScript, executed through wscript.exe).
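The registry changes above are the most reliable host-side indicators of this sample. The following Python script, an added example that is not part of the Avira description and not the malware's own code, parses a registry export as produced by `reg export` and flags the indicators the description lists: Image File Execution Options "Debugger" hijacks, Run-key or other commands that force wscript.exe onto a file whose extension is not a script extension (the .jpg trick, generalised to any non-script extension), the Security Center AntiVirusOverride, System Restore disabled by policy, and the wscsvc/wuauserv services set to Start=4. The .reg text embedded below is constructed for the example; the "Benign" entry and the C:\WINDOWS\system32 paths are assumptions.

```python
"""Scan a Windows registry export (.reg text) for the indicators listed above."""
import re
from typing import Dict, List, Tuple

# Constructed sample of what `reg export` would produce on an infected host.
# The paths and the "Benign" entry are made up for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"regdiit"="C:\\WINDOWS\\system32\\winxp.exe"
"CTFMON"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\winjpg.jpg"
"Benign"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\winjpg.jpg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
"Start"=dword:00000004
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
IFEO_PREFIX = (r"hkey_local_machine\software\microsoft\windows nt"
               r"\currentversion\image file execution options" + "\\")
# wscript/cscript invoked with an explicit engine (/E:) and the file it is told to run
ENGINE_RE = re.compile(r'(?:^|[\\\s])[wc]script\.exe\s+/e:(\w+)\s+"?([^"\s]+)', re.I)
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}
SECURITY_SERVICES = {"wscsvc", "wuauserv"}


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg export text into {key_path: {value_name: value}}.
    REG_SZ strings are unescaped, dword values become decimal strings,
    other value types are kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo \\ and \" escaping
            elif data.lower().startswith("dword:"):
                data = str(int(data[6:], 16))
            keys[current][name] = data
    return keys


def engine_override_on_non_script(cmd: str) -> bool:
    """True when wscript/cscript is forced (via /E:) onto a file whose extension
    is not a script extension; the page's case is /E:vbs on a .jpg."""
    m = ENGINE_RE.search(cmd)
    if not m:
        return False
    target = m.group(2)
    ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
    return ext not in SCRIPT_EXTS


def scan(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (indicator, key_path, 'name=value') triples for every hit."""
    findings: List[Tuple[str, str, str]] = []
    for path, values in keys.items():
        low = path.lower()
        leaf = low.rsplit("\\", 1)[-1]
        for name, data in values.items():
            if low.startswith(IFEO_PREFIX) and name.lower() == "debugger":
                findings.append(("IFEO debugger hijack", path, f"{name}={data}"))
            if engine_override_on_non_script(data):
                findings.append(("script host forced onto non-script file", path, f"{name}={data}"))
        if leaf == "security center" and values.get("AntiVirusOverride") == "1":
            findings.append(("Security Center AV warning suppressed", path, "AntiVirusOverride=1"))
        if leaf == "systemrestore" and values.get("DisableSR") == "1":
            findings.append(("System Restore disabled by policy", path, "DisableSR=1"))
        if leaf in SECURITY_SERVICES and values.get("Start") == "4":
            findings.append(("security service disabled", path, "Start=4"))
    return findings


def scan_reg_text(text: str) -> List[Tuple[str, str, str]]:
    return scan(parse_reg(text))


if __name__ == "__main__":
    for indicator, path, value in scan_reg_text(SAMPLE_REG):
        print(f"{indicator:42} {path}  {value}")
```

On a live host, export the hives of interest first (for example `reg export HKLM hklm.reg /y`), then feed the file to `scan_reg_text`. An IFEO Debugger that points at wscript.exe is reported twice, once as the hijack and once as the engine override, which is intended: either property on its own is enough to investigate.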
Description inserted by Ana Maria Niculescu on Tuesday, 12 May 2009. Description updated by Ana Maria Niculescu on Friday, 17 July 2009.