Virus name: BDS/Sdbot.A.4
Discovered: 16/10/2007
Type: Backdoor Server
In the wild (ITW): Yes
Number of reported infections: Low
Distribution potential: Medium
Damage potential: Medium
Static file: Yes
File size: 192,000 bytes
MD5 checksum: 15ecf1e5ed645ca952204dae7fe7fd56
VDF version: 7.00.00.91
IVDF version: 7.00.00.96 - Tuesday, 16 October 2007

General
Method of propagation:
   • Local network


Aliases:
   •  Kaspersky: Backdoor.Win32.Rbot.bmo
   •  Sophos: W32/Sdbot-CSV
   •  VirusBuster: Worm.Rbot.IRL
   •  Eset: Win32/Rbot trojan
   •  Bitdefender: Backdoor.Rbot.BMO


Platforms / Operating systems:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disables security applications
   • Records keystrokes
   • Modifies the registry
   • Exploits software vulnerabilities
   • Steals information
   • Allows third-party access to and control of the computer

Files
It copies itself to the following location:
   • %SYSDIR%\IRQconf.exe



It deletes the initially executed copy of itself.



The following files are created:

– c:\a.bat It is executed after it has been fully created. Detected as: BAT/REG.Zapchast

– C:\DOCUME~1\name1252\LOCALS~1\Temp\1.reg It is executed after it has been fully created. Contains parameters used by the malware. Detected as: TR/TCPParams.D.3

Registry
The following registry values are added repeatedly in an endless loop, so that the process is started again after a reboot (the loop re-creates the value if it is removed while the bot is running). Note that RunServices is only honoured by Windows 9x/ME; on NT-based systems the Run value alone provides the persistence.

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "IRQ Assigning Agent"="IRQconf.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "IRQ Assigning Agent"="IRQconf.exe"



The following registry value is added (outside any autostart location, so it acts as an infection marker rather than a persistence entry):

– [HKCU\Software\Microsoft\OLE]
   • "IRQ Assigning Agent"="IRQconf.exe"



The following registry keys are changed:

Disables the Windows Firewall/Internet Connection Sharing service (SharedAccess), Automatic Updates (wuauserv) and Security Center (wscsvc) by changing their start type from Automatic (2) to Disabled (4):
– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess]
   Old value:
   • Start=dword:00000002
   New value:
   • Start=dword:00000004

– [HKLM\SYSTEM\ControlSet001\Services\wuauserv]
   Old value:
   • Start=dword:00000002
   New value:
   • Start=dword:00000004

– [HKLM\SYSTEM\ControlSet001\Services\wscsvc]
   Old value:
   • Start=dword:00000002
   New value:
   • Start=dword:00000004

Restricts anonymous (null-session) enumeration; this is a hardening value, applied to the host after it has already been compromised:
– [HKLM\SYSTEM\ControlSet001\Control\Lsa]
   Old value:
   • "restrictanonymous"=%user-defined settings%
   New value:
   • restrictanonymous=dword:00000001

Disables the server side of the PCT 1.0 protocol in SChannel:
– [HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\
   Protocols\PCT1.0\Server]
   New value:
   • Enabled=hex:00

Disables DCOM and remote DCOM connections:
– [HKLM\SOFTWARE\Microsoft\Ole]
   Old value:
   • EnableDCOM=%user-defined settings%
   New value:
   • EnableDCOM="N"
     EnableRemoteConnect="N"

Removes the administrative shares (C$, ADMIN$ and so on) the next time the Server service starts; these are the same shares the worm itself uses to spread:
– [HKLM\SYSTEM\ControlSet001\Services\lanmanserver\parameters]
   New value:
   • AutoShareWks=dword:00000000
     AutoShareServer=dword:00000000

Raises the WinInet per-server HTTP connection limit from its defaults (2 for HTTP/1.1, 4 for HTTP/1.0) to 80 (0x50):
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • MaxConnectionsPer1_0Server=dword:00000050
     MaxConnectionsPerServer=dword:00000050

Applies a bulk TCP/IP "tuning" profile. Several of these names belong to other components (for example DefaultReceiveWindow, FastSendDatagramThreshold and BufferMultiplier are AFD/Winsock parameters, and BcastQueryTimeout and NoNameReleaseOnDemand belong to NetBT) and are ignored under this key; among the values the TCP/IP stack does read, ICMP redirects and router discovery are turned off and SYN-flood protection is enabled (SynAckProtect, TcpMaxHalfOpen). Value names with trailing spaces are reproduced as reported; a name with a trailing space is a different value from the documented one.
– [HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
   New value:
   • "NameServer"=""
     "ForwardBroadcasts"=dword:00000000
     "IPEnableRouter"=dword:00000000
     "Domain"=""
     "SearchList"=""
     "UseDomainNameDevolution"=dword:00000001
     "EnableICMPRedirect"=dword:00000000
     "DeadGWDetectDefault"=dword:00000001
     "DontAddDefaultGatewayDefault"=dword:00000000
     "EnableSecurityFilters"=dword:00000001
     "AllowUnqualifiedQuery"=dword:00000000
     "PrioritizeRecordData"=dword:00000001
     "TCP1320Opts"=dword:00000003
     "KeepAliveTime"=dword:00023280
     "BcastQueryTimeout"=dword:000002ee
     "BcastNameQueryCount"=dword:00000001
     "CacheTimeout"=dword:0000ea60
     "Size/Small/Medium/Large"=dword:00000003
     "LargeBufferSize"=dword:00001000
     "SynAckProtect"=dword:00000002
     "PerformRouterDiscovery"=dword:00000000
     "EnablePMTUBHDetect"=dword:00000000
     "FastSendDatagramThreshold "=dword:00000400
     "StandardAddressLength "=dword:00000018
     "DefaultReceiveWindow "=dword:00004000
     "DefaultSendWindow"=dword:00004000
     "BufferMultiplier"=dword:00000200
     "PriorityBoost"=dword:00000002
     "IrpStackSize"=dword:00000004
     "IgnorePushBitOnReceives"=dword:00000000
     "DisableAddressSharing"=dword:00000000
     "AllowUserRawAccess"=dword:00000000
     "DisableRawSecurity"=dword:00000000
     "DynamicBacklogGrowthDelta"=dword:00000032
     "FastCopyReceiveThreshold"=dword:00000400
     "LargeBufferListDepth"=dword:0000000a
     "MaxActiveTransmitFileCount"=dword:00000002
     "MaxFastTransmit"=dword:00000040
     "OverheadChargeGranularity"=dword:00000001
     "SmallBufferListDepth"=dword:00000020
     "SmallerBufferSize"=dword:00000080
     "TransmitWorker"=dword:00000020
     "DNSQueryTimeouts" =%hex values%
     "DefaultRegistrationTTL"=dword:00000014
     "DisableReplaceAddressesInConflicts"=dword:00000000
     "DisableReverseAddressRegistrations"=dword:00000001
     "UpdateSecurityLevel "=dword:00000000
     "DisjointNameSpace"=dword:00000001
     "QueryIpMatching"=dword:00000000
     "NoNameReleaseOnDemand"=dword:00000001
     "EnableDeadGWDetect"=dword:00000000
     "EnableFastRouteLookup"=dword:00000001
     "MaxFreeTcbs"=dword:000007d0
     "MaxHashTableSize"=dword:00000800
     "SackOpts"=dword:00000001
     "Tcp1323Opts"=dword:00000003
     "TcpMaxDupAcks"=dword:00000001
     "TcpRecvSegmentSize"=dword:00000585
     "TcpSendSegmentSize"=dword:00000585
     "TcpWindowSize"=dword:0007d200
     "DefaultTTL"=dword:00000030
     "TcpMaxHalfOpen"=dword:0000004b
     "TcpMaxHalfOpenRetried"=dword:00000050
     "TcpTimedWaitDelay"=dword:00000000
     "MaxNormLookupMemory"=dword:00030d40
     "FFPControlFlags"=dword:00000001
     "FFPFastForwardingCacheSize"=dword:00030d40
     "MaxForwardBufferMemory"=dword:00019df7
     "MaxFreeTWTcbs"=dword:000007d0
     "GlobalMaxTcpWindowSize"=dword:0007d200
     "EnablePMTUDiscovery"=dword:00000001
     "ForwardBufferMemory"=dword:00019df7
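
The registry changes above can be triaged offline from a registry export. The following Python script is an added example written for this page, not code from the original description or from any vendor tool: it parses a regedit-style .reg export and flags the persistence values, the infection marker and the service start-type changes listed in this description. The REG_SAMPLE text, the function names and the finding labels are constructed for the example; the key and value names come from the description above.

```python
"""Triage the registry changes listed above from a .reg export.

Added example for this page (not code from the original description):
parses a regedit-style export and flags the persistence values and
service start-type changes attributed to BDS/Sdbot.A.4.  REG_SAMPLE
is constructed; the key and value names come from the description.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample export, reduced to the keys that matter here.
# wscsvc is left at Start=2 (Automatic) so the script shows a non-match.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IRQ Assigning Agent"="IRQconf.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"IRQ Assigning Agent"="IRQconf.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"IRQ Assigning Agent"="IRQconf.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"EnableRemoteConnect"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

RUN_KEYS = ("\\microsoft\\windows\\currentversion\\run",
            "\\microsoft\\windows\\currentversion\\runservices")
SECURITY_SERVICES = {"sharedaccess": "Windows Firewall/ICS",
                     "wuauserv": "Automatic Updates",
                     "wscsvc": "Security Center"}
START_DISABLED = 4  # SERVICE_DISABLED; 2 is SERVICE_AUTO_START


def _decode(raw: str):
    """Decode the data part of a .reg value line (string or dword only;
    multi-line hex continuations are not needed for this sample)."""
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path: {value_name: data}} with hive names abbreviated."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            hive, _, rest = m.group(1).partition("\\")
            current = HIVES.get(hive, hive) + "\\" + rest
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = _decode(m.group(3))
    return keys


def find_sdbot_indicators(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Match the parsed export against the indicators in this description."""
    findings: List[Tuple[str, str]] = []
    for path, values in keys.items():
        low = path.lower()
        is_run_key = low.endswith(RUN_KEYS)
        # Persistence entry in Run/RunServices, or the same value used as
        # an infection marker elsewhere (HKCU\Software\Microsoft\OLE).
        for name, data in values.items():
            if name == "IRQ Assigning Agent" or str(data).lower().endswith("irqconf.exe"):
                kind = "persistence" if is_run_key else "infection_marker"
                findings.append((kind, f"{path}\\{name} = {data}"))
        # Security-related services switched to Disabled.
        svc = re.search(r"\\services\\([^\\]+)$", low)
        if svc and svc.group(1) in SECURITY_SERVICES and values.get("Start") == START_DISABLED:
            findings.append(("service_disabled",
                             f"{svc.group(1)} ({SECURITY_SERVICES[svc.group(1)]}) Start=4"))
        # DCOM turned off and administrative shares removed.
        if low.endswith("\\microsoft\\ole") and values.get("EnableDCOM") == "N":
            findings.append(("dcom_disabled", path))
        if low.endswith("\\lanmanserver\\parameters"):
            for name in ("AutoShareWks", "AutoShareServer"):
                if values.get(name) == 0:
                    findings.append(("admin_shares_disabled", f"{path}\\{name}=0"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_sdbot_indicators(parse_reg(REG_SAMPLE)):
        print(f"{kind:22} {detail}")
```

Run against a real export (regedit /e on the suspect host, or a hive converted with an offline registry tool) the same rules apply unchanged; the service check deliberately keys on Start=4 rather than on the old value, because the old value is not available in an export taken after infection.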

Network infection
To ensure its propagation, the malware tries to connect to other machines as described below:

It copies itself to the following network shares:
   • %all network shares%


It uses the following login credentials to gain access to the remote machine:

– A single list of user names and passwords:
   • Administrator; administrator; administrador; administrateur;
      administrat; admins; admin; staff; root; computer; owner; student;
      teacher; wwwadmin; guest; default; database; dba; oracle; db2;
      ADMINISTRATOR; Administrator; administrator; fubar; bla; GUEST; ROOT;
      root; ADMIN; PASSWORD; TEMP; SHARE; WRITE; FULL; ladeda; BOTH; READ;
      FILES; DEMO; OWNER; Owner; edu; TEST; ACCESS; USER; BACKUP; SYSTEM;
      SERVER; pepsi; LOCAL; unix; linux; changeme; Changeme; temp123; 31;
      12; 123; 1234; 12345; 123456; 1234567; 12345678; 123456789; 654321;
      54321; 111; 11111111; 88888888; pass; passwd; database; abcd; abc123;
      oracle; sybase; 123qwe; computer; Internet; super; 123asd;
      ihavenopass; godblessyou; enable; xp; 2002; 2003; 2600; 110; 111111;
      121212; 123123; 1234qwer; 123abc; 007; alpha; patrick; pat; sex; god;
      foobar; Nilez; devil; netdevil; net-devil; 0wned; owned; irule;
      netfuck; fucked; crash; aaa; abc; test123; win; pc; asdf; secret;
      qwer; yxcv; zxcv; home; login; pwd; love; mypc; mypc123; admin123;
      pw123; mypass; mypass123; pw; Mat; Matt; Matthew; gobo; satan;
      satanik; satanic; spaceman; heaven; w00t; 0wn3d; killer; leet; l33t;
      l337; hacker; hax0r; script; scriptkiddie; kiddie; mirc; uwontguessme;
      youwontguessme; guessme; ex; xx; xxx; xxxx; xxxxx; xxxxxx; xxxxxxx;
      xxxxxxxx; xxxxxxxxx; 00; death; testing; 000; 0000; 00000; 000000;
      academia; academic; accept; account; action; adam; adrian; adrianna;
      adult; aerobics; aids; airplane; alaska; albany; albatros; albert;
      alert; alex; alexande; algebra; alias; aliases; alice; alicia; alisa;
      alison; allison; allow; alphabet; amadeus; amanda; amber; america;
      amorphou; anal; analog; anarchis; anarchy; anchor; andrea; android;
      andromac; andy; anfo; angela; angerine; angie; animal; animals; anita;
      anna; anne; annette; anon; anonymou; answer; anthrax; anthropo;
      anvils; anything; apollo13; april; aria; ariadne; arlene; army; arrow;
      arthur; artist; asian; asshole; athena; atmosphe; atom; attack;
      authoriz; aztecs; azure; babe; baby; bacchus; backdoor; badass;
      bailey; ball; banana; bananas; bandit; bank; banks; barbara; barber;
      bare; barf; baritone; bart; bartman; baseball; basic; bass; bassoon;
      batch; batman; beach; beammeup; bear; beast; beater; beauty; beaver;
      becky; beethove; begin; behead; bell; beloved; benz; beowulf;
      berkeley; berlin; berliner; beryl; beta; beth; betsie; betty; beverly;
      bible; bicamera; bigfoot; bill; binary; bios; bird; bishop; bitch;
      bitmap; bitnet; black; blonde; blondie; blood; bloodaxe; blow;
      blowjob; blue; blues; board; bomb; boner; boob; boobs; book; born;
      boyscout; bradley; brandi; brandy; bravo; break; breast; brenda;
      brian; bridget; broadway; brothel; brunette; brute; brutefor; bulls;
      bullshit; bumbling; bung; burgess; burn; butch; butt; butthead;
      californ; camille; campanil; camping; candi; candy; cantor; captain;
      capture; card; cardinal; caren; carla; carmen; carol; carole;
      carolina; caroline; carrie; carson; cascades; cash; castle; catherin;
      catholic; cathy; cave; cayuga; cecily; celt; celtic; celtics;
      cerulean; change; charity; charles; charlie; charming; charon; chat;
      chem; chemistr; chess; chester; chip; chris; christin; christy; cigar;
      cigarett; cindy; class; classes; classic; claudia; claymore; cleavage;
      clinton; cluster; clusters; coast; cocacola; cocainco; cock; code;
      codename; codeword; coffee; coin; coke; cola; cold; collins; color;
      combat; comics; commit; commrade; company; computin; comrade;
      comrades; condo; condom; connect; connie; conserva; console; continue;
      cook; cookbook; cookie; cool; cooper; copper; cops; copy; corneliu;
      correct; counters; country; couscous; cowboy; crack; crackpot; cream;
      create; creation; creature; credit; creosote; cretin; crime; criminal;
      cristina; crystal; cshrc; cunt; customer; cyber; cyberpun; cyberspa;
      cynthia; daemon; daisy; dana; dancer; daniel; danielle; danny; dapper;
      dark; darkaven; data; dave; dawn; dead; deathsta; debbie; deborah;
      debug; december; deck; default; DEFAULT; defoe; delta; deluge;
      democrat; denise; dennis; desiree; desk; desktop; desperat; develop;
      device; dial; diamond; diana; diane; dice; dick; diehard; diet;
      dieter; digital; dinosaur; dipshit; direct; director; dirty; disc;
      discipli; disclose; discover; disk; diskette; disney; display; doctor;
      dollar; dong; doom; doom2; doomii; doomsday; doonesbu; door; doors;
      dope; download; dragon; drdoom; drive; drought; duck; dude; duelist;
      duke; dulce; duncan; dungeon; dyke; eager; eagle; earth; easier; easy;
      eatme; echo; eddie; edges; edinburg; edit; edition; education;
      educatio; edwin; edwina; egghead; eiderdow; eileen; einsiein;
      einstein; elaine; elanor; electron; elephant; elizabet; ellen; email;
      emerald; emily; emmanuel; enemy; engine; engineer; england; english;
      enter; enterpri; enzyme; erenity; eric; erica; erika; erin; erotic;
      ersatz; establis; estate; eternity; euclid; evelyn; expert; explode;
      explore; explorer; explosiv; extensio; fairway; faith; falcon; false;
      family; farad; faraday; fart; fast; fear; feds; felicia; fender;
      fermat; ferrari; fidelity; field; fight; file; finite; fire; firewall;
      fishers; flakes; float; florida; flower; flowers; food; fool;
      foolproo; football; force; ford; foresigh; forever; form; format;
      fornicat; forsythe; fourier; foxtrot; france; frank; freak; fred;
      free; freedom; french; friday; friend; friends; frighten; frog;
      fryguy; fuck; fucker; fucking; fuckme; fuckyou; fudge; function;
      fungible; gabriel; games; gardner; garfield; gateway; gatherin; gatt;
      gauss; george; germ; gertrude; ghost; gibson; gigabyte; gina; ginger;
      girl; glacier; gold; golden; golf; golfer; good; gorgeous; gorges;
      gosling; gouge; govermen; grades; graham; grahm; grand; grant; great;
      green; group; gryphon; guardian; gucci; guess; guitar; gumption;
      guntis; hack; hacked; hagar; hair; hallowee; hamlet; hamster; handel;
      handily; handjob; happenin; hard; hardcore; harddriv; harmony; harold;
      harvey; hate; haven; hawaii; head; headbang; heat; heathen; heather;
      hebrides; heidi; heinlein; hell; hello; help; herb; herbert; hero;
      heroin; hewlett; hexadeci; hiawatha; hibernia; hidden; high; highland;
      hitler; hits; hole; holly; hollywoo; homepage; homer; homework; honey;
      hooker; hooters; horny; horrible; horror; horse; horus; host; hotdog;
      hotel; http; hunt; hunter; hutchins; hydrogen; hyper; hypertxt;
      icecream; illumina; image; imbrogli; immortal; imperial; include;
      india; indian; indiana; indians; ingres; ingress; ingrid; inna;
      innocuou; input; inside; integer; invent; irene; irishman; isis;
      jackie; jail; jane; janet; janice; janie; japan; jasmin; java; jazz;
      jean; jeanne; jeff; jenni; jennifer; jenny; jerry; jerusale; jessica;
      jester; jewelry; jill; jixian; joanne; jody; john; johndoe; johnny;
      joseph; joshua; journal; joyce; judith; judy; juggle; juicy; julia;
      julie; juliet; june; jupiter; kaka; karen; karie; karina; katana;
      kate; kathleen; kathrine; kathy; katina; katrina; kelly; keri; kermit;
      kernel; kerri; kerrie; kerry; kevin; kewl; keybord; keyin; keyword;
      kids; kill; killthem; kilo; kimberly; king; kirk; kirkland; kiss;
      kissmyas; kitten; klingon; knife; knight; knightma; known; krista;
      kristen; kristi; kristie; kristin; kristine; kristy; ladies; ladle;
      lakers; lambda; laminati; lana; laptop; lara; larkin; larry; laser;
      laura; lava; lazarus; lazer; leah; lebesgue; left; leftwing; legal;
      leland; leroy; lesbian; leslie; letmein; lewis; lexluthe; liberal;
      library; lick; licker; life; light; lightsab; lima; limbaugh; limited;
      linda; link; lion; lips; lisa; lisp; literatu; live; load; lock;
      lockout; lockword; logic; loginwor; logout; lois; lolopc; loose; lore;
      lori; lorin; lorraine; loser; louis; lovebug; lover; luck; lucus;
      lucy; lude; luke; lust; lynn; lynne; machine; macintos; mack; macro;
      maggot; magic; magnet; mail; maint; malcolm; malcom; mana; manager;
      mara; marci; marcy; maria; mariens; marietta; marijuan; marines; mark;
      markus; marni; marriage; mars; marty; marvin; mary; mason; master;
      math; maurice; meagan; megabyte; megadeth; megan; melissa; mellon;
      melrose; member; memory; menace; menu; mercury; merlin; metal;
      metalhea; metalica; mets; mice; michael; michel; michelan; michele;
      michelle; mickey; micro; microchi; micropro; microsof; midieval; mike;
      mine; minimum; minsky; misfit; mission; mkii; mode; modem; mogul;
      moguls; monday; monica; moom; moor; moose; more; morley; morris;
      mortal; mortalco; mortgage; mosaic; mountain; mouse; move; movie;
      movies; mozart; mpeg; msdos; muppets; mutant; nagel; name; nancy;
      napoleon; nasa; navy; nepenthe; neptune; ness; netscape; network;
      newborn; news; newsgrou; newton; newyork; next; nice; nicole;
      nicotine; night; nightmar; nintendo; nita; nnaacp; noble; nobody;
      node; noreen; notes; noth; nova; novel; november; noxious; nuclear;
      nude; nuke; nukem; null; number; nutritio; nuts; nyquist; obscurit;
      oceanogr; ocelot; office; okay; oldage; olivetti; olivia; omega; open;
      opening; openlock; opensesa; operator; orca; orient; orwell; oscar;
      osiris; outdoors; outlaw; output; outside; oxford; pacific; packard;
      packer; painless; paint; pakistan; pamela; papa; paper; papers;
      pascal; passphra; paste; patricia; patriot; patty; paula; peanuts;
      pecker; pencil; penelope; penguin; penis; penname; pentagon; pentagra;
      penthous; pentium; peoria; pepper; percolat; perfect; permit;
      persimmo; persona; pervert; pete; peter; phil; philip; phoenix; phone;
      photon; phrack; phrase; phreak; phuck; pick; pierre; pimp; pinname;
      piss; pizza; plane; playboy; plover; pluto; plymouth; poetry; police;
      polly; polynomi; ponderin; poop; poor; pork; porn; porno; porsche;
      post; poster; power; praise; precious; prelude; presto; prince;
      princeto; printer; priv; private; privs; proceed; processo; professo;
      profile; program; prompt; protect; protozoa; psycho; psychopa; public;
      puck; puke; pumpkin; puneet; punisher; punk; puppet; pussy; quebec;
      qwert; qwerty; rabbit; rachel; rachelle; rachmani; raid; rain;
      rainbow; raindrop; raleigh; random; rape; rascal; razor; reagan;
      reality; really; ream; reaper; rebal; rebecca; rebel; record; reddawn;
      redhead; referenc; regional; release; remote; renee; reno; rent;
      report; republic; resistan; reveal; rhino; rich; rick; riffraff;
      right; rightwin; ring; riot; ripple; risc; roach; robert; robin;
      robot; robotics; robyn; rochelle; rocheste; rock; rocky; rockyhor;
      rodent; rolex; romano; romeo; romulan; ronald; rose; rosebud;
      rosemary; roses; rough; rubber; ruben; ruby; rude; rules; running;
      rush; ruth; safe; salami; sale; salt; samantha; sample; sandra; sandy;
      sara; sarah; saturday; saturn; saxon; scamper; scheme; school;
      schoolsucks; scifi; scorpion; scott; scotty; scout; search; security;
      seed; sega; sensor; sentinel; sentry; serenity; serial; service;
      sesame; sexy; shannon; sharc; shark; sharks; sharon; sheffiel;
      sheldon; shell; sherri; shift; shirley; shit; shitpot; shiva; shivers;
      short; shuttle; sick; sierra; signatur; silver; simcity; simon;
      simple; simpsons; simulati; singer; single; site; skull; slave; slick;
      sliders; slow; slut; small; smart; smile; smiles; smooch; smother;
      smtp; smut; snach; snafu; snake; snatch; snoopy; soap; social;
      socrates; sodomy; soft; software; somebody; sondra; sonia; sonic;
      sonya; sossina; source; south; spaceshi; sparrows; spear; spell;
      spice; spider; spiderma; spit; spred; spring; springer; spunk;
      squires; sr71; stacey; staci; stacie; stacy; star; starship; start;
      startrek; startup; starwars; steak; steal; steel; steph; stephani;
      stereo; steve; stoneage; stoned; stones; strange; strangle; stratfor;
      streetfi; string; strip; student; stuttgar; subscrib; subway; success;
      suck; suckmydi; sucks; summer; sunday; superman; superson; supersta;
      superuse; supervis; support; supporte; surfer; surfing; susan;
      susanne; susie; suzanne; suzie; swearer; sweat; switch; sword; sybil;
      symmetry; sysadmin; sysop; tabasco; talk; tall; tamara; tami; tamie;
      tammy; tangerin; tango; tape; tara; target; tarragon; taylor; teacher;
      team; teapot; tears; tech; teen; teenage; telephon; telnet; temptati;
      tennis; tera; terminal; terminat; tess; tetris; text; thailand;
      theresa; thin; thursday; tiffany; tiger; time; tina; tits; toad;
      toggle; token; tokenrin; tomato; topograp; tortoise; toxic; toyota;
      traci; tracie; tracy; trails; transfer; trap; trapdoor; tree; trek;
      trisha; trivial; trojan; trombone; tron; true; truth; tubas; tuesday;
      turn; tuttle; ugly; umesh; uncle; undo; unhappy; unicorn; uniform;
      universa; universe; universi; unknown; unlock; upload; uranus; urchin;
      ursula; usenet; usermane; username; usmc; util; utility; uucp; vagina;
      valerie; vampire; vasant; venus; veronica; vertigo; vicky; victor;
      video; videogam; village; virgin; virginia; virus; visitor; visual;
      visualba; vodka; waco; ward; warez; warfare; wargames; warp; warren;
      wasp; watchwor; water; wave; webpage; wednesda; weed; weenie; well;
      wendi; wendy; werewolf; west; western; whatever; whatnot; whisky;
      white; whiting; whitney; wholesal; whore; will; william; williams;
      willie; wilma; windows; wine; wing; winston; wired; wisconsi; wiseass;
      within; wizard; wolf; wolverin; woman; wombat; women; wood; woodwind;
      word; wordperf; worf; work; worm; wormwood; wwii; wyoming; xena; xfer;
      xman; xmen; xmodem; xray; xyzzy; yaco; yang; yankee; yellow; yellowst;
      yolanda; yosemite; young; zebra; zeitgeis; ziggy; zimmerma; zmodem;
      zombie; zulu; 00000000; tester; testin; Ross; Rosco; RoscoP;
      RoscoPColtrane; lol; d00d; dudette; dud3; Al3x; Alexander; donaldduck;
      wileecoyote; windowz; windoze; windose; billy; M$; MS; WindowsXP;
      windows2k; windowsME; windows98; windows95; windozexp; windoze2k;
      windozeME; windoze98; windoze95; wh0r3; ho; wh0re; hax; haxing;
      h4x1ng; h4x0r1ng; h4x0ring; ada; albatross; alf; ama; amorphous; amy;
      andromache; ann; anthropogenic; asd; asm; atmosphere; beethoven;
      bicameral; bob; bsd; cad; campanile; cat; catherine; chemistry;
      christina; christine; commrades; cornelius; deb; desperate; discovery;
      dog; dos; edinburgh; eiderdown; elizabeth; enterprise; establish;
      extension; foolproof; foresight; fun; gnu; hal; happening; ibm;
      imbroglio; innocuous; jen; joy; key; kim; lamination; lee; liz;
      macintosh; mgr; mit; net; new; nutrition; oceanography; pad; pam;
      percolate; persimmon; polynomial; pondering; princeton; professor;
      pub; rachmaninoff; rje; rochester; sal; sheffield; signature;
      stephanie; stratford; stuttgart; sun; superstage; superuser;
      supported; sys; tangerine; telephone; temptation; topography; tty;
      wholesale; williamsburg; wisconsin; xyz; yellowstone; zap; zimmerman
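
The share-spreading routine above produces a burst of failed network logons against each target, one per credential tried. The Python below is an added example (not part of the original description) of detection logic over constructed Windows Security log lines in a simplified pipe-separated layout: it flags a source that generates many failed network logons (event 529, logon type 3, on Windows XP/2003) across several accounts within a short window, records a later successful logon from the same source, and reports how many of the tried accounts appear in a subset of the worm's list. The sample events, the threshold values and the function names are assumptions made for the example.

```python
"""Detect the worm's credential guessing against SMB shares in logon events.

Added example for this page (not from the original description).  The
SAMPLE_EVENTS text is constructed, in a simplified pipe-separated layout:
timestamp|event_id|logon_type|account|workstation|source_ip
Event 529 = logon failure (unknown user name or bad password) and 528 =
successful logon on Windows XP/2003; logon type 3 = network logon, which
is what an SMB share connection produces.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

SAMPLE_EVENTS = """\
2007-10-16 10:02:31|529|3|Administrator|WS-LAB7|192.0.2.10
2007-10-16 10:02:31|529|3|administrator|WS-LAB7|192.0.2.10
2007-10-16 10:02:32|529|3|admin|WS-LAB7|192.0.2.10
2007-10-16 10:02:32|529|3|root|WS-LAB7|192.0.2.10
2007-10-16 10:02:33|529|3|guest|WS-LAB7|192.0.2.10
2007-10-16 10:02:33|529|3|owner|WS-LAB7|192.0.2.10
2007-10-16 10:02:34|529|3|student|WS-LAB7|192.0.2.10
2007-10-16 10:02:34|529|3|teacher|WS-LAB7|192.0.2.10
2007-10-16 10:02:35|529|3|Administrator|WS-LAB7|192.0.2.10
2007-10-16 10:02:36|528|3|Administrator|WS-LAB7|192.0.2.10
2007-10-16 10:05:10|529|2|jsmith|PC-JSMITH|192.0.2.55
2007-10-16 10:07:40|529|2|jsmith|PC-JSMITH|192.0.2.55
"""

# Detection knobs (assumed values for the example).
WINDOW = timedelta(seconds=60)
FAIL_THRESHOLD = 5
MIN_DISTINCT_ACCOUNTS = 3
EVENT_LOGON_FAILED, EVENT_LOGON_OK, NETWORK_LOGON = 529, 528, 3

# Subset of the user-name/password list given above.
SDBOT_WORDLIST = {"Administrator", "administrator", "administrador", "admin",
                  "staff", "root", "computer", "owner", "student", "teacher",
                  "guest", "default", "database", "oracle"}


def parse_events(text: str) -> List[dict]:
    """Parse the constructed pipe-separated event lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, account, workstation, source_ip = line.split("|")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "event_id": int(eid), "logon_type": int(ltype),
                       "account": account, "workstation": workstation,
                       "source_ip": source_ip})
    return events


def detect_share_bruteforce(events: List[dict]) -> Dict[str, dict]:
    """Per source IP: a burst of failed network logons across several
    accounts inside WINDOW, plus any later success from that source."""
    alerts: Dict[str, dict] = {}
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != NETWORK_LOGON:
            continue  # interactive failures are a different signal
        src = ev["source_ip"]
        if ev["event_id"] == EVENT_LOGON_FAILED:
            q = recent[src]
            q.append((ev["ts"], ev["account"]))
            while q and ev["ts"] - q[0][0] > WINDOW:
                q.popleft()  # slide the window forward
            accounts = {acct for _, acct in q}
            if len(q) >= FAIL_THRESHOLD and len(accounts) >= MIN_DISTINCT_ACCOUNTS:
                alert = alerts.setdefault(src, {"failures": 0, "accounts": set(),
                                                "success_after_burst": None})
                alert["failures"] = max(alert["failures"], len(q))
                alert["accounts"] |= accounts
        elif ev["event_id"] == EVENT_LOGON_OK and src in alerts:
            # The guessing worked: the share is now open to the worm.
            alerts[src]["success_after_burst"] = ev["account"]
    return alerts


def wordlist_overlap(accounts: Set[str]) -> float:
    """Fraction of the guessed accounts that appear in the worm's list."""
    return len(accounts & SDBOT_WORDLIST) / len(accounts) if accounts else 0.0


if __name__ == "__main__":
    for src, alert in detect_share_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(src, alert["failures"], "failures over", sorted(alert["accounts"]),
              f"overlap {wordlist_overlap(alert['accounts']):.0%}",
              "then success as", alert["success_after_burst"])
```

The success-after-burst field is the one to act on first: a source that fails repeatedly and then logs on is a host that now has write access to the share, which is all this worm needs to drop its copy.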



Exploit:
It exploits the following vulnerabilities:
– MS06-040 (Vulnerability in Server Service, CVE-2006-3439)
– NetDevil backdoor (port 903), i.e. the backdoor left listening on hosts already compromised by that trojan


Infection process:
It creates a TFTP script on the compromised machine in order to download the malware onto it from the remote location (the newly reached host fetches the bot over TFTP).


Remote execution:
– It tries to schedule remote execution of the malware on the newly infected machine, using the NetScheduleJobAdd API. Jobs created this way appear in the target's AT (Task Scheduler) job list and require its Task Scheduler service to be running.

IRC
To send system information and to provide remote control, it connects to the following IRC server:

Server: 100.FelonyProductions.**********
Port: 8372
Channel: #$$$$#
Nickname: soldier
Password: og


– It also has the ability to perform actions such as:
    • Connect to an IRC server
    • Disable network shares
    • Disconnect from the IRC server
    • Download files
    • Enable network shares
    • Join an IRC channel
    • Leave an IRC channel
    • Launch a DDoS attack
    • Perform port redirection
    • Start the spreading routine
    • Update itself

Stealing information
– It uses a network sniffer that checks for the following strings (IRC message payloads beginning with a bot command prefix, the shape of the login/authentication commands used by IRC bots):
   • :.login; :,login; :!login; :@login; :$login; :%login; :^login;
      :*login; :-login; :+login; :/login; :\login; :=login; :?login;
      :'login; :`login; :~login; : login; :.auth; :,auth; :!auth; :@auth;
      :$auth; :%auth; :^auth; :&auth; :*auth; :-auth; :+auth; :/auth;
      :\auth; :=auth; :?auth; :'auth; :`auth; :~auth; : auth; :.id; :,id;
      :!id; :@id; :$id; :%id; :^id; :&id; :*id; :-id; :+id; :/id; :\id;
      :=id; :?id; :'id; :`id; :~id; : id; :.hashin; :!hashin; :$hashin;
      :%hashin; :.secure; :!secure; :.l; :!l; :$l; :%l; :.x; :!x; :$x; :%x;
      :.syn; :!syn; :$syn; :%syn
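
The IRC parameters and the sniffer strings above give two network signatures: the bot's own C2 handshake (the PASS/NICK/JOIN values and port 8372) and the bot-command shape of the strings it sniffs for (an IRC trailing parameter that starts with a command prefix such as . ! $ % followed by login, auth, id and so on). The following Python is an added example, not code from the original description: a minimal IRC line parser plus matching logic run over a constructed session. It generalises the prefix set slightly by taking the union of the prefix characters listed for the different keywords. The session lines, the port handling and the function names are assumptions for the example; the C2 values are those given above (the server name is masked on the page and is not used).

```python
"""IRC C2 handshake and sniffer-string matching for this bot.

Added example for this page (not from the original description).  The
SAMPLE_SESSION lines are constructed; the C2 values come from the
description above.
"""
import re
from typing import List, Optional, Tuple

# Values given above.  The server name is masked on the page, so only the
# port, channel, nick and password are usable as a signature.
SDBOT_C2 = {"port": 8372, "channel": "#$$$$#", "nick": "soldier", "password": "og"}

# Trailing text starting with a bot command prefix followed by one of the
# sniffed keywords.  Prefix set = union of the prefixes listed above;
# "login" is tried before "l" so that ".login" is not cut short.
BOT_CMD_RE = re.compile(
    r"^[.,!@$%^&*\-+/\\=?'`~ ](login|auth|id|hashin|secure|syn|l|x)(?=\s|$)")

# Constructed session: ("C", line) = client -> server, ("S", line) = server -> client.
SAMPLE_SESSION: List[Tuple[str, str]] = [
    ("C", "PASS og"),
    ("C", "NICK soldier"),
    ("C", "USER xvfj 0 0 :xvfj"),
    ("S", ":irc.example.test 001 soldier :Welcome"),
    ("C", "JOIN #$$$$#"),
    ("S", ":op!u@h PRIVMSG #$$$$# :.login og"),
    ("S", ":op!u@h PRIVMSG #$$$$# :!syn 192.0.2.99 80 60"),
    ("S", ":rival!a@b PRIVMSG #other :$auth hunter2"),
    ("S", ":alice!u@h PRIVMSG #chat :hello, did you login yet?"),
]


def parse_irc_line(line: str) -> Tuple[Optional[str], str, List[str], Optional[str]]:
    """Split an IRC line into (prefix, COMMAND, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command = parts[0].upper() if parts else ""
    return prefix, command, parts[1:], trailing


def analyse_session(lines, dst_port: int) -> List[Tuple[str, str]]:
    """Flag this bot's C2 handshake and any bot-command payloads seen."""
    findings: List[Tuple[str, str]] = []
    if dst_port == SDBOT_C2["port"]:
        findings.append(("c2_port", str(dst_port)))
    for direction, raw in lines:
        _, cmd, params, trailing = parse_irc_line(raw)
        first = params[0] if params else None
        if direction == "C":
            if cmd == "PASS" and first == SDBOT_C2["password"]:
                findings.append(("c2_password", raw))
            elif cmd == "NICK" and first == SDBOT_C2["nick"]:
                findings.append(("c2_nick", raw))
            elif cmd == "JOIN" and first == SDBOT_C2["channel"]:
                findings.append(("c2_channel", raw))
        if cmd == "PRIVMSG" and trailing is not None and BOT_CMD_RE.match(trailing):
            # Same shape the bot's own sniffer looks for on the wire.
            findings.append(("bot_command", f"{first}: {trailing}"))
    return findings


def c2_score(findings) -> int:
    """Number of handshake elements that matched this bot's C2 values."""
    return sum(1 for kind, _ in findings if kind.startswith("c2_"))


if __name__ == "__main__":
    result = analyse_session(SAMPLE_SESSION, dst_port=8372)
    print("C2 score:", c2_score(result), "of 4")
    for kind, detail in result:
        print(f"{kind:12} {detail}")
```

The C2 score is deliberately a count rather than a boolean: the port, nick and password are cheap for the operator to change between builds, so a partial match (for example channel plus port) is still worth an alert, while the bot-command matcher works against any channel and catches the traffic the sniffer itself is after.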

– Once a string matching the following is typed on the keyboard, a "tracking" routine is started:
   • paypal

– It captures:
    • Keystrokes

– Once a web site matching the following is visited, a "tracking" routine is started:
   • paypal.com

– It captures:
    • Login information

Miscellaneous
Mutex:
It creates the following mutex (usable as an infection marker when triaging a live system):
   • 7x4556326

File details
Programming language:
The malware was written in MS Visual C++.


Packer:
To hinder detection and reduce the file size, it is compressed with a runtime packer.

Description inserted by Ana Maria Niculescu on Thursday, 22 November 2007
Description updated by Ana Maria Niculescu on Friday, 23 November 2007
