Worm/RBot.100954 - Worm

A voir aussi

Brève description

Description complète

Statistiques

Nom:	Worm/RBot.100954
La date de la découverte:	15/11/2005
Type:	Ver
En circulation:	Non
Infections signalées	Faible
Potentiel de distribution:	Moyen
Potentiel de destruction:	Moyen
Fichier statique:	Oui
Taille du fichier:	100.954 Octets
Somme de contrôle MD5:	e031bf896dea28a3e0830Aa8eb85c032
Version VDF:	6.32.00.183

Général Méthode de propagation:
   • Le réseau local

Les alias:
   • Kaspersky: Backdoor.Win32.Rbot.adf
   • Sophos: W32/Rbot-BEZ
   • VirusBuster: virus Worm.Rbot.DEA
   • Bitdefender: Backdoor.RBot.CPZ

Plateformes / Systèmes d'exploitation:
   • Windows 96
   • Windows 99
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Effets secondaires:
   • Access sur disquette    • Arrêt les applications de sécurité
   • Il télécharge des fichiers
   • Il emploie son propre moteur de courrier électronique
   • Il diminue les réglages de sécurité
   • Il enregistre les frappes de touche
   • Il modifie des registres
   • Il emploie les vulnérabilités de software
   • Il vole de l'information
   • Il facilite l'accès non autorisé à l'ordinateur

Fichiers Il s'autocopie dans l'emplacement suivant:
• %SYSDIR%\syshost.exe

Il supprime sa propre copie, exécutée initialement

Registre Les clés suivantes sont en permanence ajoutées aux registres, dans une boucle infinie, afin de lancer les processus après le redémarrage.

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft Windows System"="syshost.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "Microsoft Windows System"="syshost.exe"

La clé de registre suivante est ajoutée:

– [HKCU\Software\Microsoft\OLE]
   • "Microsoft Windows System"="syshost.exe"

Les clés de registre suivantes sont changées:

– [HKLM\SOFTWARE\Microsoft\Ole]
   L'ancienne valeur:
   • "EnableDCOM"=%réglages définis par l'utilisateur%
   La nouvelle valeur:
   • "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   L'ancienne valeur:
   • "restrictanonymous"=%réglages définis par l'utilisateur%
   La nouvelle valeur:
   • "restrictanonymous"=dword:00000001

Infection du réseau Afin de assurer sa propagation, le malware essaye de se connecter à d'autres machines comme décrit ci-dessous.

Il s'autocopie dans les partages réseau suivants:
   • IPC$
   • C$
   • C:\
   • D$
   • D:\
   • C$\windows\system32
   • c$\winnt\system32
   • ADMIN$\system32\
   • ADMIN$

Il emploie les informations d'identification suivantes afin de gagner accès à la machine distante:

–Les noms d'utilisateurs et les mots de passe en antémémoire.

– La liste suivante de noms d'utilisateurs:
   • Abdulrazak; Ackerman; Adams; Addison; Adelstein; Adibe; Adorno;
      Ahlers; Alavi; Alcorn; Alda; Aleks; Allison; Alongi; Altavilla;
      Altenberger; Altenhofen; Amaral; Amatangelo; Ameer; Amsden; Anand;
      Andel; Ando; Andrelus; Andron; Anfinrud; Ansley; Anthony; Antos;
      Arbia; Arduini; Arellano; Aristotle; Arjas; Arky; Atkins; Augustus;
      Aurelius; Axelrod; Axworthy; Ayiemba; Aykroyd; Ayling; Azima;
      Bachmuth; Backus; Bady; Baglivo; Bagnold; Bailar; Bakanowsky; Baleja;
      Ballatori; Ballew; Baltz; Banta; Barabesi; Barajas; Baranczak;
      Baranowska; Barberi; Barbetti; Barneson; Barnett; Barriola; Barry;
      Bartholomew; Bartolome; Bartoo; Basavappa; Bashevis; Batchelder;
      Baumiller; Bayles; Bayo; Beacon; Beal; Bean; Beckman; Beder; Bedford;
      Behenna; Belanger; Belaoussof; Belfer; Belin-Collart; Bellavance;
      Bellhouse; Bellini; Belloc; Benedict-Dye; Bergson; Berke-Jenkins;
      Bernardo; Bernassola; Bernston; Berrizbeitia; Betti; Beynart;
      Biagioli; Bickel; Binion; Bir; Bisema; Bisho; Blackbourn; Blackwell;
      Blagg; Blakemore; Blanke; Bliss; Blizard; Bloch; Bloembergen;
      Bloemhof; Bloxham; Blyth; Bolger; Bolick; Bollinger; Bologna; Boner;
      Bonham; Boniface; Bontempo; Book; Bookbinder; Boone; Boorstin; Borack;
      Borden; Bossi; Bothman; Botosh; Boudin; Boudrot; Bourneuf; Bowers;
      Boxer; Boyajian; Boyes; Boyland; Boym; Boyne; Bracalente; Bradac;
      Bradach; Brecht; Breed; Brenan; Brennan; Brewer; Bridgeman; Bridges;
      Brinton; Britz; Broca; Brook; Brzycki; Buchan; Budding; Bullard;
      Bunton; Burden; Burdzy; Burke; Burridge; Busetta; Byatt; Byerly; Byrd;
      Cage; Calnan; Cammelli; Cammilleri; Canley; Capanni; Caperton;
      Capocaccia; Capodilupo; Cappuccio; Capursi; Caratozzolo;
      Carayannopoulos; Carlin; Carlos; Carlyle; Carmichael; Caroti; Carper;
      Cartmill; Cascio; Case; Caspar; Castelda; Cavanagh; Cavell; Ceniceros;
      Cerioli; Chapman; Charles; Cheang; Cherry; Chervinsky; Chiassino;
      Chien; Childress; Childs; Chinipardaz; Chinman; Christenson;
      Christian; Christiano; Christie; Christopher; Chu; Chupasko; Church;
      Ciampaglia; Cicero; Cifarelli; Claffey; Clancy; Clark; Clement;
      Clifton; Clow; Coblenz; Coito; Coldren; Colella; Collard; Collis;
      Compton; Comstock; Concino; Condodina; Connors; Corey; Cornish;
      Cosmides; Counter; Coutaux; Crawford; Crocker; Croshaw; Croxen;
      Croxton; Cui; Cunningham; Currier; Cutler; Cvek; Cyders; Daldalian;
      Daly; D'Ambra; Danieli; Dante; Dapice; D'arcangelo; Das; Dasgupta;
      daSilva; Daskalu; David; Dawkins; Debroff; Dees; Defeciani; DeGennaro;
      DeLaPena; Delattre; del'Enclos; Deleon-Rendon; Delger; Dell'acqua;
      Deming; Dempster; Demusz; Denault; Denham; Denison; deRousse;
      Desombre; Deutsch; D'fini; Dicks; Diefenbach; Difabio; Difronzo;
      Dilworth; Dionysius; Dirksen; Dockery; Doherty; Donahue; Donner;
      Doonan; Dore; Dorf; Dosi; Doty; Doug; Dowsland; Drinker; D'souza;
      Duffin; Durrett; Dussault; Dwyer; Eardley; Ebeling; Eckel; Edley;
      Edner; Edward; Eickenhorst; Eliasson; Elmendorf; Elmerick; Elvis;
      Encinas; Enyeart; Eppling; Erbach; Erdman; Erdos; Erez; Espinoza;
      Estes; Etter; Euripides; Everett; Fabbris; Fagan; Faioes;
      Falco-Acosta; Falorsi; Faris; Farone; Farren; Fasso'; Fates;
      Feigenbaum; Fejzo; Feldman; Fernald; Fernandes; Ferrante; Ferriell;
      Feuer; Fido; Field; Fink; Finkelstein; Finnegan; Fiorina; Fisk;
      Fitzmaurice; Flier; Flores; Folks; Forester; Fortes; Fortier; Fossey;
      Fossi; Francisco; Franklin-Kenea; Franz; Frazier-Davis; Freid;
      Freundlich; Fried; Friedland; Frisken; Frowiss; Fryberger; Frye;
      Fujii-Abe; Fuller; Furth; Fusaro; Gabrielli; Gaggiotti; Galeotti;
      Galwey; Gambini; Garfield; Garman; Garonna; Geller; Gemberling;
      Georgi; Gerrett; Ghorai; Gibbens; Gibson; Gilbert; Gili; Gill;
      Gillispie; Gist; Gleason; Glegg; Glendon; Goldfarb; Goncalves;
      Gonzalez; Good; Goodearl; Goody; Gozzi; Gravell; Greenberg; Greenfeld;
      Griffiths; Grigoletto; Grummell; Gruner; Gruppe; Guenthart; Gunn; Guo;
      Ha; Haar; Hackman; Hackshaw; Haley; Halkias; Hallowell; Halpert;
      Hambarzumjan; Hamer; Hammerness; Hand; Hanssen; Harding; Hargraves;
      Harlow; Harrigan; Hartman; Hartmann; Hartnett; Harwell; Haviaras;
      Hawkes; Hayes; Haynes; Hazlewood; Heermans; Heft; Heiland; Hellman;
      Hellmiss; Helprin; Hemphill; Henery; Henrichs; Hernandez; Herrera;
      Hester; Heubert; Heyeck; Himmelfarb; Hind; Hirst; Hitchcock; Hoang;
      Hock; Hoffer; Hoffman; Hokanson; Hokoda; Holmes; Holoien; Holter;
      Holway; Holzman; Hooker; Hopkins; Horsley; Hoshida; Hostage; Hottle;
      Howard; Hoy; Huey; Huidekoper; Hungerford; Huntington; Hupp;
      Hurtubise; Hutchings; Hyde; Iaquinta; Ichikawa; Igarashi; Inamura;
      Inniss; Isaac; Isaievych; Isbill; Isserman; Iyer; Jacenko; Jackson;
      Jagers; Jagger; Jagoe; Jain; Jamil; Janjigian; Jarnagin; Jarrell; Jay;
      Jeffers; Jellis; Jenkins; Jespersen; Jewett; Johannesson; Johannsen;
      Johns; Jolly; Jorgensen; Jucks; Juliano; Julious; Kabbash; Kaboolian;
      Kafadar; Kalbfleisch; Kaligian; Kalil; Kalinowski; Kalman; Kamel;
      Kangis; Karpouzes; Kassower; Kasten; Kawachi; Kee; Keenan; Keepper;
      Keith; Kelker; Kelsey; Kempton; Kemsley; Kendall; Kerry; Keul; Khong;
      Kimmel; Kimmett; Kimura; Kindall; Kinsley; Kippenberger; Kirscht;
      Kittridge; Kleckner; Kleiman; Kleinfelder; Klemperer; Kling;
      Klinkenborg; Klint; Knuff; Kobrick; Koch; Kohn; Koivumaki; Kommer;
      Koniaris; Konrad; Kool; Korzybski; Kotter; Kovaks; Kraemer; Krailo;
      Krasney; Kraus; Kroemer; Krysiak; Kuenzli; Kumar; Kusman; Kuwabara;
      La; Labunka; Lafler; Laing; Lallemant; Landes; Lankes; Lantieri;
      Lanzit; Laserna; Lashley; Lawless; Lecar; Lecce; Leclercq; Leite;
      Lenard; l'Enclos; Lesser; Lessi; Liakos; Lidano; Liem; Light;
      Lightfoot; Lim; Linares; Linda; Linder; Line; Linehan; Linzee;
      Lippmann; Lipponen; Little; Litvak; Livernash; Livi; Livolsi; Lizardo;
      Locatelli; Longworth; Loss; Loveman; Lowenstein; Loza; Lubin; Lucas;
      Luciano; Luczkow; Luecke; Lunetta; Luoma; Lussier; Lutcavage; Luzader;
      Ma; Maccormac; Macdonald; Maceachern; Macintyre; Mackenney; MacMillan;
      Macy; Madigan; Maggio; Mahony; Maier; Maine-Hershey; Maisano;
      Malatesta; Maller; Malova; Manalis; Mandel; Manganiello; Mantovan;
      March; Marchbanks; Marcus; Margalit; Margetts; Marques; Martinez;
      Martochio; Marton; Marubini; Mass; Matalka; Matarazzo; Matsukata;
      Mattson; Mauzy; May; Mazzali; Mazziotta; Mcbride; Mccaffery; Mccall;
      Mcclearn; Mcdowell; Mcelroy; McFadden; Mcghee; Mcgoldrick; McIlroy;
      Mcintosh; Mckenna; Mclane; Mclaren; Mcnealy; Mcnulty; Meccariello;
      Memisoglu; Menzies; Merikoski; Merlani; Merminod; Merseth; Merz;
      Metelka; Metropolis; Meurer; Michelman; Middle; Mieher; Mills; Minh;
      Mini; Minichiello; Mitropoulos; Mittal; Mocroft; Modestino; Moeller;
      Mohr; Moiamedi; Monque; Montilio; MooreDeCh.; Morani; Moreton;
      Morrison; Morrow; Mortimer; Mosher; Mosler; Mostafavi; Motooka;
      Mudarri; Muello; Mugnai; Mulkern; Mulroy; Mumford; Mussachio; Naddeo;
      Napolitano; Nardi; Nardone; Naviaux; Nayduch; Nelson; Nenna; Nesci;
      Neuman; Newfeld; Newlin; Ng; Ni; Nickerson; Nickoloff; Nisenson;
      Nitabach; Notman; Nuzum; Ocougne; Ogata; Oh; O'hagan; Oldford; Olsen;
      Olson; Olszewski; O'malley; Oman; O'meara; Opel; Oray; Orfield; Orsi;
      Ospina; Ostrowski; Ottaviani; Otten; Ouchida; Ovid; PaesDealmeida;
      Paine; Palayoor; Palepu; Pallara; Palmitesta; Panadero; Panizzon;
      Pantilla; Paoletti; Parmeggiani; Parris; Partridge; Pascucci;
      Patefield; Patrick; Pattullo; Pavetti; Pavlon; Pawloski; Paynter;
      Peabody; Pearlberg; Pederson; Peishel; Penny; Pereira; Perko; Perlak;
      Perlman; Perna; Perone; Perrimon; Peters; Petruzello; Pettibone;
      Pettit; Pfister; Pilbeam; Pinot; Plancon; Plant; Plasket; Plous; Po;
      Pocobene; Poincaire; Pointer; Poirier; Polak; Polanyi; Politis; Poma;
      Poolman; Powers; Presper; Preucel; Prevost; Pritchard; Pritz;
      Proietti; Prothrow-Stith; Puccia; Pugh; Pynchon; Quaday; Quetin; Rabe;
      Rabkin; Radeke; Rajagopalan; Raney; Rangan; Rankin; Rapple; Rayport;
      Redden-Tyler; Reedquist; Reinold; Remak; Renick; Repetto; Resnik;
      Rhea; Richmond; Rielly; Rindos; Rineer; Rish; Rivera; Robinson; Rocha;
      Roesler; Rogers; Ronen; Row; Royal; Ru; Ruan; Ruderman; Ruescher;
      Rush; Ryu; Sabatello; Sadler; Safire; Sahu; Sali; Samson;
      Sanchez-Ramirez; Sanna; Sapers; Sarin; Sartore; Sase; Satin; Satta;
      Satterthwaite; Sawtell; Sayied; Scarponi; Scepan; Scharf; Scharlemann;
      Scheiner; Schiano; Schifini; Schilling; Schmitt; Schossberger;
      Schuman; Schutte; Schuyler; Schwan; Schwickrath; Scovel; Scudder;
      Seaton; Seeber; Segal; Sekler; Selvage; Sen; Sennett; Seterdahl;
      Sexton; Seyfert; Shaikh; Shakis; Shankland; Shanley; Shar; Shatrov;
      Shavelson; Shea; Sheats; Shepherd; Sheppard; Shepstone; Shesko; Shia;
      Shibata; Shimon; Siesto; Sigalot; Sigini; Signa; Silverman; Silvetti;
      Sinsabaugh; Sirilli; Sites; Skane; Skerry; Skoda; Sloan; Slowe;
      Smilow; Sniffen; Snodgrass; Socolow; Solon; Somers; Sommariva;
      Sorabella; Sorg; Sottak; Soukup; Soule; Soultanian; Spanier; Sparrow;
      Spaulding; Speizer; Spence; Sperber; Spicer; Spiegelhalter; Spiliotis;
      Spinrad; Stalvey; Stam; Stang; Stassinopolus; States; Statlender;
      Stefani; Steiner; Stephanian; Stepniewska; Stewart-Oaten; Stiepock;
      Stillwell; StMartin; Stock; Stockton; Stockwell; Stolzenberg; Stonich;
      Storer; Stott; Strange; Strauch; Streiff; Stringer; Sullivan; Sumner;
      Suo; Surdam; Sweeting; Sweetser; Swindle; Tagiuri; Tai; Talaugon;
      Tambiah; Tandler; Tanowitz; Tatar; Taveras; Tawn; Tcherepnin; Teague;
      Temes; Temmer; Tenney; Terracini; Than; Thavaneswaran; Theodos;
      Thibault; Thisted; Thomsen; Throop; Tierney; Till; Timmons; Tofallis;
      Tollestrup; Tolls; Tolman; Tomford; Toomer; Topulos; Torresi; Torske;
      Towler; Toye; Traebert; Trenga; Trewin; Tringali; Troiani; Troy;
      Truss; Tsiatis; Tsomides; Tsukurov; Tuck; Tudge; Tukan; Turano; Turek;
      Tuttle; Twells; Tzamarias; Ullman; Untermeyer; Upsdell; Urban;
      Urdang-Brown; Usdan; Uzuner; Vacca; Valberg; Valencia; vanAllen;
      Vandenberg; Vanheeckeren; VanZwet; Vasquez; Velasquez; Venne;
      Verghese; Viana; Viano; Viens; Vignola; Villarreal; Vitali; Viviani;
      Voigt; VonHoffman; Vorhaus; Votey; Waite; Wales; Wallenberg; Walter;
      Warshafsky; Wasowska; Waugh; Weighart; Weingarten; Weinhaus;
      Weissbourd; Weissman; Welles; Welsh; Wengret; Wescott; Wetzel;
      Whately; Whilton; White; Whitla; Whittaker; Wiedersheim; Wiener;
      Wilder; Wilhelm; Wilk; Wilkin; Wilkinson; Willstatter; Wilson; Wolk;
      Woo; Wooden; Woods; Woods-Powell; Yacono; Yamane; Yankee; Yarchuk;
      Yates; Ybarra; Yedidia; Yesson; Yetiv; Yoffe; Yoo; Youk-See; Yu;
      Zachary; Zahedi; Zangwill; ZeA; Zegans; Zerbini; Zoldak; Zucconi;
      Zurn; Zwiers; Zytowski

– Une liste de noms d'utilisateurs et de mots de passe:
   • 12; 123; 1234; 2000; 2001; 2002; 2003; 2004; 12345; 123456; 1234567;
      12345678; 123456789; 1234567890; access; accounting; accounts; adm;
      administrador; administrat; administrateur; administrator; admins;
      asd; backup; bill; bitch; blank; bob; brian; changeme; chris; cisco;
      compaq; computer; control; data; database; databasepass;
      databasepassword; db1; db1234; db2; dba; dbpass; dbpassword; default;
      dell; demo; domain; domainpass; domainpassword; eric; exchange; fred;
      fuck; george; god; guest; hell; hello; home; homeuser; hp; ian; ibm;
      internet; intranet; jen; joe; john; kate; katie; lan; lee; linux;
      login; loginpass; luke; mail; main; mary; mike; neil; nokia; none;
      null; oem; oeminstall; oemuser; office; oracle; orainstall; outlook;
      owner; pass; pass1234; passwd; password; password1; peter; pwd; qaz;
      qwe; qwerty; sam; server; sex; siemens; slut; sql; sqlpassoainstall;
      staff; student; sue; susan; system; teacher; technical; test; unix;
      user; web; win2000; win2k; win98; windows; winnt; winpass; winxp; www;
      wwwadmin; xp; zxc

La vulnérabilité:
Il se sert des vulnérabilités suivantes:
– MS01-059 (Unchecked Buffer in Universal Plug and Play)
– MS02-018 (Patch for Internet Information Service)
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS03-007 (Unchecked Buffer in Windows Component)
– MS03-026 (Buffer Overrun in RPC Interface)
– MS03-039 (Buffer Overrun in RPCSS Service)
– MS03-049 (Buffer Overrun in the Workstation Service)
– MS04-007 (ASN.1 Vulnerability)
– MS04-011 (LSASS Vulnerability)
– VX05-006 (Remote Heap Overflow lorsque de l'utilisation de VERITAS Backup Exec Admin Plus Pack Option)
– La porte dérobée Bagle (port 2745)
– La porte dérobée Kuang (port 17300)
– La porte dérobée Mydoom (port 3127)
– La porte dérobée NetDevil (port 903)
– La porte dérobée Optix (port 3140)
– La porte dérobée SubSeven (port 27347)
– Le contrôle à distance DameWare (port 6129)

Le processus d'infection:
Crée un script TFTP ou FTP sur la machine compromise afin de télécharger le malware vers l'emplacement distant.

Exécution à distance:
–Il essaye de programmer une exécution à distance du malware, sur la machine nouvellement infectée. Par conséquent il emploie la fonction NetScheduleJobAdd.

IRC Afin de fournir des informations sur le système et un accès à distance, il se connecte au serveur IRC suivant:

Serveur: suksa.mujas**********
Port: 28555
Canal: #y8#
Pseudonyme: r1%chaîne de caractères aléatoire de neuf digits%
Mot de passe: ahraz

– Ce Malware a la capacité de ramasser et d'envoyer des informations tel que:
    • Les mots de passe en antémémoire:
    • Capture d'écran
    • Capture de web caméra
    • Vitesse du CPU
    • Utilisateur courant
    • Détails sur les pilots
    • Espace libre sur le disque dur
    • Mémoire libre
    • Le temps de fonctionnement du Malware
    • Information sur le réseau
    • L'ID de la plateforme
    • Information sur des processus courants
    • Taille de mémoire
    • Répertoire de système
    • Nom d'utilisateur
    • L'activité local des utilisateurs
    • Information sur le système d'exploitation Windows

– Ensuite il a la capacité d'opérer des actions tel que:
    • se connecter au serveur IRC
    • Lancer des attaques DDoS ICMP
    • Lancer des attaques DDoS SYN
    • Lance des attaques DDoS TCP
    • Lance des attaques DDoS UDP
    • Désactiver DCOM
    • Désactiver les partages réseau
    • se déconnecter du serveur IRC
    • Télécharger un fichier
    • Éditer le registre
    • Activer DCOM
    • Activer les partages réseau
    • Exécuter un fichier
    • Joindre le canal IRC
    • Finir le processus
    • Quitter la canal IRC
    • Ouvrir une ligne de commande à distance
    • Opérer un attaque DDoS
    • Scanner le réseau
    • Opérer la redirection d'un certain port
    • Enregistrer un service
    • Envoyer des e-mails
    • Commence le keylog
    • Démarrer une routine de propagation
    • Terminer le Malware
    • Terminer un processus
    • Se mettre à jour tout seul
    • Charger un fichier
    • Visiter un site web

Arrêt de processus: La liste des processus qui sont terminés:
   • i11r54n4.exe; irun4.exe; d3dupdate.exe; rate.exe; ssate.exe;
      winsys.exe; winupd.exe; SysMonXP.exe; bbeagle.exe; Penis32.exe;
      mscvb32.exe; sysinfo.exe; PandaAVEngine.exe; F-AGOBOT.EXE;
      HIJACKTHIS.EXE; _AVPM.EXE; _AVPCC.EXE; _AVP32.EXE; ZONEALARM.EXE;
      ZONALM2601.EXE; ZATUTOR.EXE; ZAPSETUP3001.EXE; ZAPRO.EXE;
      XPF202EN.EXE; WYVERNWORKSFIREWALL.EXE; WUPDT.EXE; WUPDATER.EXE;
      WSBGATE.EXE; WRCTRL.EXE; WRADMIN.EXE; WNT.EXE; WNAD.EXE; WKUFIND.EXE;
      WINUPDATE.EXE; WINTSK32.EXE; WINSTART001.EXE; WINSTART.EXE;
      WINSSK32.EXE; WINSERVN.EXE; WINRECON.EXE; WINPPR32.EXE; WINNET.EXE;
      WINMAIN.EXE; WINLOGIN.EXE; WININITX.EXE; WININIT.EXE; WININETD.EXE;
      WINDOWS.EXE; WINDOW.EXE; WINACTIVE.EXE; WIN32US.EXE; WIN32.EXE;
      WIN-BUGSFIX.EXE; WIMMUN32.EXE; WHOSWATCHINGME.EXE; WGFE95.EXE;
      WFINDV32.EXE; WEBTRAP.EXE; WEBSCANX.EXE; WEBDAV.EXE; WATCHDOG.EXE;
      W9X.EXE; W32DSM89.EXE; VSWINPERSE.EXE; VSWINNTSE.EXE; VSWIN9XE.EXE;
      VSSTAT.EXE; VSMON.EXE; VSMAIN.EXE; VSISETUP.EXE; VSHWIN32.EXE;
      VSECOMR.EXE; VSCHED.EXE; VSCENU6.02D30.EXE; VSCAN40.EXE; VPTRAY.EXE;
      VPFW30S.EXE; VPC42.EXE; VPC32.EXE; VNPC3000.EXE; VNLAN300.EXE;
      VIRUSMDPERSONALFIREWALL.EXE; VIR-HELP.EXE; VFSETUP.EXE; VETTRAY.EXE;
      VET95.EXE; VET32.EXE; VCSETUP.EXE; VBWINNTW.EXE; VBWIN9X.EXE;
      VBUST.EXE; VBCONS.EXE; VBCMSERV.EXE; UTPOST.EXE; UPGRAD.EXE;
      UPDATE.EXE; UPDAT.EXE; UNDOBOOT.EXE; TVTMD.EXE; TVMD.EXE; TSADBOT.EXE;
      TROJANTRAP3.EXE; TRJSETUP.EXE; TRJSCAN.EXE; TRICKLER.EXE; TRACERT.EXE;
      TITANINXP.EXE; TITANIN.EXE; TGBOB.EXE; TFAK5.EXE; TFAK.EXE;
      TEEKIDS.EXE; TDS2-NT.EXE; TDS2-98.EXE; TDS-3.EXE; TCM.EXE; TCA.EXE;
      TC.EXE; TBSCAN.EXE; TAUMON.EXE; TASKMON.EXE; TASKMO.EXE; TASKMG.EXE;
      SYSUPD.EXE; SYSTEM32.EXE; SYSTEM.EXE; SYSEDIT.EXE; SYMTRAY.EXE;
      SYMPROXYSVC.EXE; SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE; SWEEP95.EXE;
      SVSHOST.EXE; SVCHOSTS.EXE; SVCHOSTC.EXE; SVC.EXE; SUPPORTER5.EXE;
      SUPPORT.EXE; SUPFTRL.EXE; STCLOADER.EXE; START.EXE; ST2.EXE;
      SSG_4104.EXE; SSGRATE.EXE; SS3EDIT.EXE; SRNG.EXE; SREXE.EXE;
      SPYXX.EXE; SPOOLSV32.EXE; SPOOLCV.EXE; SPOLER.EXE; SPHINX.EXE;
      SPF.EXE; SPERM.EXE; SOFI.EXE; SOAP.EXE; SMSS32.EXE; SMS.EXE; SMC.EXE;
      SHOWBEHIND.EXE; SHN.EXE; SHELLSPYINSTALL.EXE; SH.EXE; SGSSFW32.EXE;
      SFC.EXE; SETUP_FLOWPROTECTOR_US.EXE; SETUPVAMEEVAL.EXE; SERVLCES.EXE;
      SERVLCE.EXE; SERVICE.EXE; SERV95.EXE; SD.EXE; SCVHOST.EXE; SCRSVR.EXE;
      SCRSCAN.EXE; SCANPM.EXE; SCAN95.EXE; SCAN32.EXE; SCAM32.EXE; SC.EXE;
      SBSERV.EXE; SAVENOW.EXE; SAVE.EXE; SAHAGENT.EXE; SAFEWEB.EXE;
      RUXDLL32.EXE; RUNDLL16.EXE; RUNDLL.EXE; RUN32DLL.EXE; RULAUNCH.EXE;
      RTVSCN95.EXE; RTVSCAN.EXE; RSHELL.EXE; RRGUARD.EXE; RESCUE32.EXE;
      RESCUE.EXE; REGEDT32.EXE; REGEDIT.EXE; REGED.EXE; REALMON.EXE;
      RCSYNC.EXE; RB32.EXE; RAY.EXE; RAV8WIN32ENG.EXE; RAV7WIN.EXE;
      RAV7.EXE; RAPAPP.EXE; QSERVER.EXE; QCONSOLE.EXE; PVIEW95.EXE;
      PUSSY.EXE; PURGE.EXE; PSPF.EXE; PROTECTX.EXE; PROPORT.EXE;
      PROGRAMAUDITOR.EXE; PROCEXPLORERV1.0.EXE; PROCESSMONITOR.EXE;
      PROCDUMP.EXE; PRMVR.EXE; PRMT.EXE; PRIZESURFER.EXE; PPVSTOP.EXE;
      PPTBC.EXE; PPINUPDT.EXE; POWERSCAN.EXE; PORTMONITOR.EXE;
      PORTDETECTIVE.EXE; POPSCAN.EXE; POPROXY.EXE; POP3TRAP.EXE; PLATIN.EXE;
      PINGSCAN.EXE; PGMONITR.EXE; PFWADMIN.EXE; PF2.EXE; PERSWF.EXE;
      PERSFW.EXE; PERISCOPE.EXE; PENIS.EXE; PDSETUP.EXE; PCSCAN.EXE;
      PCIP10117_0.EXE; PCFWALLICON.EXE; PCDSETUP.EXE; PCCWIN98.EXE;
      PCCWIN97.EXE; PCCNTMON.EXE; PCCIOMON.EXE; PCC2K_76_1436.EXE;
      PCC2002S902.EXE; PAVW.EXE; PAVSCHED.EXE; PAVPROXY.EXE; PAVCL.EXE;
      PATCH.EXE; PANIXK.EXE; PADMIN.EXE; OUTPOSTPROINSTALL.EXE;
      OUTPOSTINSTALL.EXE; OUTPOST.EXE; OTFIX.EXE; OSTRONET.EXE;
      OPTIMIZE.EXE; ONSRVR.EXE; OLLYDBG.EXE; NWTOOL16.EXE; NWSERVICE.EXE;
      NWINST4.EXE; NVSVC32.EXE; NVC95.EXE; NVARCH16.EXE; NUPGRADE.EXE;
      NUI.EXE; NTXconfig.EXE; NTVDM.EXE; NTRTSCAN.EXE; NT.EXE; NSUPDATE.EXE;
      NSTASK32.EXE; NSSYS32.EXE; NSCHED32.EXE; NPSSVC.EXE; NPSCHECK.EXE;
      NPROTECT.EXE; NPFMESSENGER.EXE; NPF40_TW_98_NT_ME_2K.EXE;
      NOTSTART.EXE; NORTON_INTERNET_SECU_3.0_407.EXE; NORMIST.EXE;
      NOD32.EXE; NMAIN.EXE; NISUM.EXE; NISSERV.EXE; NETUTILS.EXE;
      NETSTAT.EXE; NETSPYHUNTER-1.2.EXE; NETSCANPRO.EXE; NETMON.EXE;
      NETINFO.EXE; NETD32.EXE; NETARMOR.EXE; NEOWATCHLOG.EXE;
      NEOMONITOR.EXE; NDD32.EXE; NCINST4.EXE; NC2000.EXE; NAVWNT.EXE;
      NAVW32.EXE; NAVSTUB.EXE; NAVNT.EXE; NAVLU32.EXE;
      NAVENGNAVEX15.NAVLU32.EXE; NAVDX.EXE; NAVAPW32.EXE; NAVAPSVC.EXE;
      NAVAP.NAVAPSVC.EXE; AUTO-PROTECT.NAV80TRY.EXE; NAV.EXE; N32SCANW.EXE;
      MWATCH.EXE; MU0311AD.EXE; MSVXD.EXE; MSSYS.EXE; MSSMMC32.EXE;
      MSMSGRI32.EXE; MSMGT.EXE; MSLAUGH.EXE; MSINFO32.EXE; MSIEXEC16.EXE;
      MSDOS.EXE; MSDM.EXE; MSCONFIG.EXE; MSCMAN.EXE; MSCCN32.EXE;
      MSCACHE.EXE; MSBLAST.EXE; MSBB.EXE; MSAPP.EXE; MRFLUX.EXE;
      MPFTRAY.EXE; MPFSERVICE.EXE; MPFAGENT.EXE; MOSTAT.EXE; MOOLIVE.EXE;
      MONITOR.EXE; MMOD.EXE; MINILOG.EXE; MGUI.EXE; MGHTML.EXE; MGAVRTE.EXE;
      MGAVRTCL.EXE; MFWENG3.02D30.EXE; MFW2EN.EXE; MFIN32.EXE; MD.EXE;
      MCVSSHLD.EXE; MCVSRTE.EXE; MCUPDATE.EXE; MCTOOL.EXE; MCSHIELD.EXE;
      MCMNHDLR.EXE; MCAGENT.EXE; MAPISVC32.EXE; LUSPT.EXE; LUINIT.EXE;
      LUCOMSERVER.EXE; LUAU.EXE; LUALL.EXE; LSETUP.EXE; LORDPE.EXE;
      LOOKOUT.EXE; LOCKDOWN2000.EXE; LOCKDOWN.EXE; LOCALNET.EXE; LOADER.EXE;
      LNETINFO.EXE; LDSCAN.EXE; LDPROMENU.EXE; LDPRO.EXE; LDNETMON.EXE;
      LAUNCHER.EXE; KILLPROCESSSETUP161.EXE; KERNEL32.EXE;
      KERIO-WRP-421-EN-WIN.EXE; KERIO-WRL-421-EN-WIN.EXE;
      KERIO-PF-213-EN-WIN.EXE; KEENVALUE.EXE; KAZZA.EXE; KAVPF.EXE;
      KAVPERS40ENG.EXE; KAVLITE40ENG.EXE; JEDI.EXE; JDBGMRG.EXE; JAMMER.EXE;
      ISTSVC.EXE; ISRV95.EXE; ISASS.EXE; IRIS.EXE; IPARMOR.EXE; IOMON98.EXE;
      INTREN.EXE; INTDEL.EXE; INIT.EXE; INFWIN.EXE; INFUS.EXE; INETLNFO.EXE;
      IFW2000.EXE; IFACE.EXE; IEXPLORER.EXE; IEDRIVER.EXE; IEDLL.EXE;
      IDLE.EXE; ICSUPPNT.EXE; ICSUPP95.EXE; ICMON.EXE; ICLOADNT.EXE;
      ICLOAD95.EXE; IBMAVSP.EXE; IBMASN.EXE; IAMSTATS.EXE; IAMSERV.EXE;
      IAMAPP.EXE; HXIUL.EXE; HXDL.EXE; HWPE.EXE; HTPATCH.EXE; HTLOG.EXE;
      HOTPATCH.EXE; HOTACTIO.EXE; HBSRV.EXE; HBINST.EXE;
      HACKTRACERSETUP.EXE; GUARDDOG.EXE; GUARD.EXE; GMT.EXE; GENERICS.EXE;
      GBPOLL.EXE; GBMENU.EXE; GATOR.EXE; FSMB32.EXE; FSMA32.EXE; FSM32.EXE;
      FSGK32.EXE; FSAV95.EXE; FSAV530WTBYB.EXE; FSAV530STBYB.EXE;
      FSAV32.EXE; FSAV.EXE; FSAA.EXE; FRW.EXE; FPROT.EXE; FP-WIN_TRIAL.EXE;
      FP-WIN.EXE; FNRB32.EXE; FLOWPROTECTOR.EXE; FIREWALL.EXE; FINDVIRU.EXE;
      FIH32.EXE; FCH32.EXE; FAST.EXE; FAMEH32.EXE; F-STOPW.EXE;
      F-PROT95.EXE; F-PROT.EXE; F-AGNT95.EXE; EXPLORE.EXE; EXPERT.EXE;
      EXE.AVXW.EXE; EXANTIVIRUS-CNET.EXE; EVPN.EXE; ETRUSTCIPE.EXE;
      ETHEREAL.EXE; ESPWATCH.EXE; ESCANV95.EXE; ESCANHNT.EXE; ESCANH95.EXE;
      ESAFE.EXE; ENT.EXE; EMSW.EXE; EFPEADM.EXE; ECENGINE.EXE; DVP95_0.EXE;
      DVP95.EXE; DSSAGENT.EXE; DRWEBUPW.EXE; DRWEB32.EXE; DRWATSON.EXE;
      DPPS2.EXE; DPFSETUP.EXE; DPF.EXE; DOORS.EXE; DLLREG.EXE; DLLCACHE.EXE;
      DIVX.EXE; DEPUTY.EXE; DEFWATCH.EXE; DEFSCANGUI.EXE; DEFALERT.EXE;
      DCOMX.EXE; DATEMANAGER.EXE; Claw95.EXE; CWNTDWMO.EXE; CWNB181.EXE;
      CV.EXE; CTRL.EXE; CPFNT206.EXE; CPF9X206.EXE; CPD.EXE;
      CONNECTIONMONITOR.EXE; CMON016.EXE; CMGRDIAN.EXE; CMESYS.EXE;
      CMD32.EXE; CLICK.EXE; CLEANPC.EXE; CLEANER3.EXE; CLEANER.EXE;
      CLEAN.EXE; CLAW95CF.EXE; CFINET32.EXE; CFINET.EXE; CFIAUDIT.EXE;
      CFIADMIN.EXE; CFGWIZ.EXE; CFD.EXE; CDP.EXE; CCPXYSVC.EXE;
      CCEVTMGR.EXE; CCAPP.EXE; BVT.EXE; BUNDLE.EXE; BS120.EXE; BRASIL.EXE;
      BPC.EXE; BORG2.EXE; BOOTWARN.EXE; BOOTCONF.EXE; BLSS.EXE;
      BLACKICE.EXE; BLACKD.EXE; BISP.EXE; BIPCPEVALSETUP.EXE; BIPCP.EXE;
      BIDSERVER.EXE; BIDEF.EXE; BELT.EXE; BEAGLE.EXE; BD_PROFESSIONAL.EXE;
      BARGAINS.EXE; BACKWEB.EXE; AVXQUAR.EXE; AVXMONITORNT.EXE;
      AVXMONITOR9X.EXE; AVWUPSRV.EXE; AVWUPD32.EXE; AVWUPD.EXE; AVWINNT.EXE;
      AVWIN95.EXE; AVSYNMGR.EXE; AVSCHED32.EXE; AVPUPD.EXE; AVPTC32.EXE;
      AVPM.EXE; AVPDOS32.EXE; AVPCC.EXE; AVP32.EXE; AVP.EXE; AVNT.EXE;
      AVLTMAIN.EXE; AVKWCTl9.EXE; AVKSERVICE.EXE; AVKSERV.EXE; AVKPOP.EXE;
      AVGW.EXE; AVGUARD.EXE; AVGSERV9.EXE; AVGSERV.EXE; AVGNT.EXE;
      AVGCTRL.EXE; AVGCC32.EXE; AVE32.EXE; AVCONSOL.EXE; AUTOUPDATE.EXE;
      AUTOTRACE.EXE; AUTODOWN.EXE; AUPDATE.EXE; AU.EXE; ATWATCH.EXE;
      ATUPDATER.EXE; ATRO55EN.EXE; ATGUARD.EXE; ATCON.EXE; ARR.EXE;
      APVXDWIN.EXE; APLICA32.EXE; APIMONITOR.EXE; ANTS.EXE; ANTIVIRUS.EXE;
      ANTI-TROJAN.EXE; AMON9X.EXE; ALOGSERV.EXE; ALEVIR.EXE; ALERTSVC.EXE;
      AGENTW.EXE; AGENTSVR.EXE; ADVXDWIN.EXE; ADAWARE.EXE; ACKWIN32.EXE

Vol d'informations Il essaie de voler l'information suivante:
– L'ID du produit Windows

– Les clés de CD suivantes:
   • Battlefield 1942; Battlefield 1942 (Road To Rome); Battlefield 1942
      (Secret Weapons of WWII); Battlefield Vietnam; Black and White;
      Command & Conquer Generals; Command and Conquer: Generals (Zero Hour);
      Command and Conquer: Red Alert 2; Command and Conquer: Tiberian Sun;
      Counter-Strike (Retail); Chrome; FIFA 2002; FIFA 2003; Freedom Force;
      Global Operations; Gunman Chronicles; Half-Life; Hidden & Dangerous 2;
      IGI 2: Covert Strike; Industry Giant 2; James Bond 007: Nightfire;
      Legends of Might and Magic; Medal of Honor: Allied Assault; Medal of
      Honor: Allied Assault: Breakthrough; Medal of Honor: Allied Assault:
      Spearhead; Nascar Racing 2002; Nascar Racing 2003; Need For Speed Hot
      Pursuit 2; Need For Speed: Underground; Neverwinter Nights;
      Neverwinter Nights (Hordes of the Underdark); Neverwinter Nights
      (Shadows of Undrentide); NHL 2003; NHL 2002; NOX; Rainbow Six III
      RavenShield; Shogun: Total War: Warlord Edition; Soldier of Fortune II
      - Double Helix; Soldiers Of Anarchy; The Gladiators; Unreal Tournament
      2003; Unreal Tournament 2004

– il emploie un analyseur de réseau qui vérifie la chaîne de caractères suivante :
   • :.login; :,login; :!login; :@login; :$login; :%login; :^login;
      :*login; :-login; :+login; :/login; :\login; :=login; :?login;
      :'login; :`login; :~login; : login; :.auth; :,auth; :!auth; :@auth;
      :$auth; :%auth; :^auth; :&auth; :*auth; :-auth; :+auth; :/auth;
      :\auth; :=auth; :?auth; :'auth; :`auth; :~auth; : auth; :.id; :,id;
      :!id; :@id; :$id; :%id; :^id; :&id; :*id; :-id; :+id; :/id; :\id;
      :=id; :?id; :'id; :`id; :~id; : id; :.hashin; :!hashin; :$hashin;
      :%hashin; :.secure; :!secure; :.l; :!l; :$l; :%l; :.x; :!x; :$x; :%x;
      :.syn; :!syn; :$syn; :%syn

– Une routine de journalisation est commencé après qu'un site web soit visité.
   • paypal.com

– Il capture:
    • Frappes de touche

Informations divers Mutex:
Il crée le Mutex suivant:
   • 3

Chaîne de caractères:
Ensuite il contient les chaînes de caractères suivantes:
   • 131.131.131.131
   • netninjaz_place
   • 12/12/04 13:13:13
   • netmaniac was here
   • neTmaNiac

Détails de fichier Langage de programmation:
Le fichier a été écrit en MS Visual C++.

Logiciel de compression des fichiers exécutables:
Pour entraver la détection et pour réduire la taille du fichier il est compressé avec le logiciel de compression des exécutables suivant:
• NSPack

Voir la description brève ici.

Description inséré par Daniel Constantin sur Mon, 17 Apr 2006 16:38 (GMT+1)
Description mise à jour par Andrei Ivanes sur Fri, 21 Apr 2006 15:42 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« Retour