Name: Worm/Levona.A
Discovered on: 05/07/2006
Type: Worm
In the wild (ITW): No
Number of reported infections: Low
Spreading potential: Medium to high
Damage potential: Medium to high
Static file: Yes
Size: 43,008 bytes
MD5: 4d28947f612176e9be3e24202c7a5508
VDF version: 6.35.00.120
IVDF version: 6.35.00.146 - Tuesday, 11 July 2006

General
Spreading methods:
• Email
• Peer to Peer

Aliases:
• McAfee: W32/Avon@MM
• Kaspersky: Email-Worm.Win32.Levona.a
• TrendMicro: WORM_LEVONA.A
• VirusBuster: iworm I-Worm.Levona.A
• Eset: Win32/Levona.A worm
• Bitdefender: Win32.Worm.Levona.A

Operating systems:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Terminates security applications
• Lowers security settings
• Registry modifications

Files
It copies itself to the following locations:
• %SYSDIR%\Emma.exe
• %SYSDIR%\Nova.exe
• %SYSDIR%\Alisa.exe
• %WINDIR%\Mstry.exe
• C:\Program Files\Common Files\Renova.exe
• D:\Program Files\Common Files\Renova.exe
• E:\Program Files\Common Files\Renova.exe
• F:\Program Files\Common Files\Renova.exe
• G:\Program Files\Common Files\Renova.exe
• c:\\winnt\regedit.exe
• c:\windows\regedit.exe
• c:\winnt\system32\regedit.exe
• c:\windows\system32\regedit.exe
• D:\winnt\regedit.exe
• D:\windows\regedit.exe
• D:\winnt\system32\regedit.exe
• D:\windows\system32\regedit.exe
• E:\winnt\regedit.exe
• E:\windows\regedit.exe
• E:\winnt\system32\regedit.exe
• E:\WINDOWS\system32\regedit.exe
• F:\WINNT\regedit.exe
• F:\WINDOWS\regedit.exe
• F:\WINNT\system32\regedit.exe
• F:\WINDOWS\system32\regedit.exe
• G:\WINNT\regedit.exe
• G:\WINDOWS\regedit.exe
• G:\WINNT\system32\regedit.exe
• G:\WINDOWS\system32\regedit.exe
• c:\windows\System\msconfig.exe
• c:\windows\system32\msconfig.exe
• c:\winnt\system32\msconfig.exe

It tries to execute the following files:
– File names:
• %SYSDIR%\Emma.exe
• %SYSDIR%\Alisa.exe

Registry
The following keys are added to the registry in order to run the process after a system reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Renova = Nova.exe
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• Shell = %PROGRAM FILES%\Common Files\Renova.exe

The following registry keys are added:
– [HKCU\Software\Policies\Microsoft\Windows\System]
• DisableCMD = 0
– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
• DisableConfig = 1
• DisableSR = 1

The following registry keys are modified:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
Old value:
• ProductName = %user settings%
• RegisteredOrganization = %user settings%
• RegisteredOwner = %user settings%
• ProductId = %user settings%
New value:
• ProductName = RENOVA
• RegisteredOrganization = XENOVA
• RegisteredOwner = RENOVA
• ProductId = RENOVA
– [HKCU\Software\Microsoft\Windows\CurrentVersion]
Old value:
• RegisteredOrganization = %user settings%
• RegisteredOwner = %user settings%
• ProductId = %user settings%
• ProductName = %user settings%
New value:
• RegisteredOrganization = XENOVA
• RegisteredOwner = RENOVA
• ProductId = RENOVA
• ProductName = RENOVA
– [HKCU\Control Panel\Desktop]
Old value:
• AutoEndTasks = 0
New value:
• AutoEndTasks = 1
– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
Old value:
• AlternateShell = cmd.exe
New value:
• AlternateShell = %PROGRAM FILES%\Common Files\Renova.exe
– [HKLM\SYSTEM\ControlSet%number%\Control\SafeBoot]
Old value:
• AlternateShell = cmd.exe
New value:
• AlternateShell = %PROGRAM FILES%\Common Files\Renova.exe
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Old value:
• Shell = explorer.exe
• Userinit = explorer.exe
New value:
• Shell = explorer.exe %PROGRAM FILES%\Common Files\Renova.exe
• Userinit = explorer.exe %PROGRAM FILES%\Common Files\Renova.exe

Disabling Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• DisableRegistryTools = 1
• DisableTaskMgr = 1
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• DisableRegistryTools = 1

Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
Old value:
• Type = checked
New value:
• Type =
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
Old value:
• CheckedValue = %user settings%
• DefaultValue = %user settings%
New value:
• CheckedValue = 2
• DefaultValue = 2
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
Old value:
• CheckedValue = %user settings%
• DefaultValue = %user settings%
New value:
• CheckedValue = 1
• DefaultValue = 2
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
Old value:
• CheckedValue = %user settings%
• DefaultValue = %user settings%
New value:
• CheckedValue = 1
• DefaultValue = 1
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• Hidden = %user settings%
• HideFileExt = %user settings%
New value:
• Hidden = 2
• HideFileExt = 1
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
New value:
• NoDriveTypeAutoRun = 91
• NoSaveSettings = 0
• NoFolderOptions = 0
• NoFind = 1
• NoRun = 0
• NoControlPanel = 0
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
New value:
• NoFolderOptions = 0
• NoControlPanel = 0
• NoFind = 1
• NoRun = 0

Email
It uses the Messaging Application Programming Interface (MAPI) to send replies to the emails stored in the Inbox. Its characteristics are:
From: The sender address is the user's own Outlook account
Email format:
To: %original sender%
Subject: Re: %original subject%
Body:
• Sorry, Saya lupa nih :)
Attachment:
• Nova.scr
The attachment is a copy of the malware.

The email looks as follows:

P2P
To infect other systems on Peer-to-Peer networks, it performs the following operations:
It retrieves the shared folder using the following registry key:
• \Software\Kazaa\Transfer\DlDir0

Process termination
List of terminated processes:
• GUNBLADE.EXE
• CAV.EXE

Processes containing one of the following strings are terminated:
• RABIAH; RABI'AH; MANTIK; PLATO; KINDI; IMAMAH; MATURID; HARUN NAS; IZUTSU; TEOLOGI; SUFI; PARTAI; HASAN ALBANA; IKHWANUL MUSLIMIN; TAHRIR; ARISTOTELES; GIBRAN; GHAZALI; IHYA; GENDER; PLURALISME; SYIAH; SYI'AH; DEMOCRA; DEMOKRA; LIBERAL; TASAWUF; SAMIR; YUNAN; QUTH; EMANSIP; PHILOSOP; MUTAZILAH; MU'TAZILAH; FILOSOF; FILSAFAT; REALPLAYER; CLEANER; MOVZX; REMOVER; ZANDA; MACHINE; CILLIN; CILIN; AVAST; GRISOFT; PROCEXP; NORTON; EARTHLINK PROTECTION; WASHER; ERTANTO; COMPACTBYTEAV; ADVANCED REGISTRY TRACER; KILL; CASTLECOPS; SOPHOS; F-SECURE; REGISTRYFIX; PANDA; SECUNIA; TREND; SYMANTEC; KASPERSKY; AVG; MCAFEE; NVC; NORMAN; VAKSIN; HACKER; COMMAND PROMPT; PROCESS EXPLORER - SYSINTERNALS; SYSTEM32; PCMAV; HIJACK; KILLBOX; FOLDER OPTION; CMD; WORM; TROJAN; VIRUS; ANTI; COMMAND BRO!!!; COMMAND BRO !!!; JOWOBOT; FAJAR; SATRIO; KANTUK; KANGEN; CUEX; EVANTA; BORAX; TITTA; CODE-X; MONTELLA; MONTELA; FERDINAND; CAMPBEL; CRUZ; ADRIANO; KAHN; RECOBA; FIGO; RAUL; GONZALES; CISSE; GERRAD; LAMPARD; TERRY; RIVALDO; GATUSO; GATTUSO; VAN DE; SHEARER; AIMAR; CLAUDIO; LOPEZ; TOLDO; CANNAVARO; NESTA; UMIT; HAKAN; LARSON; LARSSON; ETO O; ETO'O; MOVIC; MIDO; FABREGAS; HENRY; BARTHEZ; MANCINI; GILARD; BATIGOL; BATISTUA; TOTTI; COLE; OWEN; DIDA; RONALDINHO; TREZEG; ROBINHO; CARLOS; ROBERTO; RONALDO; MARADONA; PELE; VIDUKA; SALAS; KEWEL; PERUZZI; HOWARD; ZANETI; ZANETTI; GIGGS; ROONEY; BUFFON; VIERI; PIRLO; KAKA; ZLATAN; DECO; SHEVA; SHEVCHENKO; INZAGHI; PIERO; BECKHAM; BOCA J; BORDEUX; MONACO; MUNICH; MUNCHEN; DORTMUND; LEVERKUSEN; SEVILLA; VALENCIA; BARCA; BARCEL; MADRID; PARMA; LAZIO; ROMA; INTER; MILAN; JUVE; NEWCASTLE; LIVERPOOL; ARSENAL; CHELSEA; MANCHESTER; CUMBU; KISS; CIUM; RAYU; JULIET; ROMEO; VALENTINE; HENTAI; MANGA; ANIM; SUCK; FUCK; NAKE; NUDE; TEEN; GIRL; PORN; SEKS; SEX; THOMAS; JEREM; MAYANG S; NIA R; ZAYANT; DEWI; ANJASMARA; DIAN S; DIAN N; SOPIA; SOPHIA; MAYANG SARI; CUT KEKE; FEBIOLA; FEBY; JIHAN; CUT TARI; RIKE DIAH; WIBOWO; SARAH; AZAHRI; AZHARI; RIRIN; RATNASARI; TAMARA; ZUBIR; PRIMUS; REVALDO; ENNO LERIAN; ENO LERIAN; DIAH; KADIR; DOYOK; ULFA; KOMENG; JENIFER; JENNIFER; DICAPRIO; KRISTIN; ANGELLI; LEONARDO; KATE WIN; EMMA WATSON; HARY POTTER; HARRY POTTER; GOSSIP; GOSIP; SASTRA; SENI; ARTIS; BOLYWOOD; HOLYWOOD; SINETRON; VAGANZA; CELEBRI; SELEB; TSUBASA; SLAM DUNK; SAMURAI-X; SAMURAI X; HATTORI; HATORI; KABUTO; SHIZUKA; DORAEMON; NOBITA; INUYASHA; KENSHIN HIMURA; KOTARO MINAMI; KYOKO; EMIKO SHIRATORI; FAYE WONG; UEMATSU; NUOBUO; NOUBUO; NOBUO; NUBUO; MADONNA; MADONA; BENNINGTON; BENINGTON; GUN AND ROSE; GUN N ROSE; BLUR; SAMMY; PEARL; NAZARE; FRENTE; CRANBER; RADIOHEAD; RADIO HEAD; STING; SAYBIA; KEANE; GROBAN; ALTER; STEFAN; GWEN; MAROON; ANTHEM; GROOVE COVARAGE; PRODIGY; AGUILERA; BEDING; METALLICA; GUN N'ROSES; ALICIA KEYS; TATA YOUNG; BOY ZONE; MICHEL; MICHAEL; MICHEAL; MLTR; MARTYN; MARTIN; SCORPION; LINKIN PARK; LINKINPARK; GREEN DAY; GREENDAY; HOOBASTANK; PETER; WEST; SPICE; BRITNEY; DEDI DOR; NIA DANIAT; DAHLIA; NIKE ARD; BAGASKARA; KATON; NAFF; TITIK PUSPA; TITIEK PUSPA; DELON; SNADA; JOSHUA; SHERINA; SERIEUS; SERIUES; SEURIUS; 10 2 5; TENTOFIVE; TEN2FIVE; 10 TO 5; TEN TO FIVE; TEN 2 FIVE; CHRISYE; SO7; SHEILA; GLENN; AURIL; AVRIL; OPICK; AGNES; ANANG; NUGIE; HADAD; HADDAD; AB THREE; REZA; CAFEIN; CAFFEIN; RATU; RADJA; LALUNA; THE RAIN; UTOPIA; SPARK; BASEJAM; ENDANK; JAVA JIVE; MARCEL; BUNGLON; ANDRE HEHANU; FLANELA; BAIM; CANDIL; KOES P; MINORU; NUNO; YOVI; AUDY; TERE; WAYANG; BASE JAM; JIKUSTIK; SAMSON; PAS BAND; BOOMERANG; NAIF; COKELAT; KAPTEN BAND; TIC BAND; JAMRUD; KOTAK BAND; AMERICAN IDOL; INDONESIAN IDOL; TEAM LO; BUNGA; TIPE-X; TIPE X; ELEMENT; EMINEM; RAIHAN; RAYHAN; MELY; MELLY; UNGU; STINGKY; SLANK; INUL; PADI; IWAN FAL; ADABAND; ADA BAND; ROSA; KRISDAYANTI; NURHALIZA; DEWA; ARY LASO; ARY LASSO; ARI LASO; ARI LASSO; GIGI; THE 0THERS; CHEER; DANCE; SING; SONG; MP 3; MP3; MARAWIS; NASYID; DANGDUT; MELODI; MELODY; SENANDUNG; IRAMA; GITAR; GUITAR; NYANYI; LAGU; WINAMP; MUSIK; MUSIC; DANIAT; PHILOSO; FUNNY; MALAS; SOUND; JPG; JPEG; RAGNAROK; FANTASY; IKHWANUL; ARISTO; PLURAL; GAME; DEMOC; DEMOK; FAKE; NORWE; REMOVE; PROTECT; COMPACT; REGISTRY; CASTLE; SOPH; SECUR; MCAFE; DEEP; HIJA; VIR; CRACK; HACK; ACT; BECK; GAMB; FOTO; PHOTO; KASIH; TUNANG; PACAR; CINTA; LOVE; JULIE; ROME; VALENT; LEONARD; KATE W; EMMA WAT; HARY; POTTER; HARRY; ART; BOLY; HOLY; SINE; EMIKO; WONG; FAYE; UEMA; NUO; NOB; NUB; MADO; BENING; BENNING; ROSE; GUN; ZONE; BOY; MICH; MART; SCORP; LINKIN; GREEN; HOOB; RIF; DEDI D; NIKE; PUSPA; JOSH; SHERIN; TEN TO; TEN 2; CHRIS; POTRET; NUGI; AUDI; AMERICA; ELEMEN; DANG

It searches the memory of the running processes for the following strings. If a string is found, the corresponding processes are terminated:
• XMPLAYER.EXE; REALPLAY.EXE; ACDSEE.EXE; ALOGSERV.EXE; CM GRDIAN.EXE; CMGRDIAN.EXE; RULAUNCH.EXE; VSMAIN.EXE; AVPCC.EXE; AVPM.EXE; AVP32.EXE; AVWUPSRV.EXE; AVGNT.EXE; AVWIN.EXE; AVGEMC.EXE; AVGWB.DAT; AVGCC.EXE; TROJAN GUARDER.EXE; ASHSIMPL.EXE; ASHQUICK.EXE; OPERA.EXE; FIREFOX.EXE; IEXPLORE.EXE; TASKMGR.EXE; EMUSICCLIENT.EXE; ART.EXE; NAVW32.EXE; CCLAW.EXE; NVCOD.EXE; WINAMP.EXE

Processes whose window title is one of the following are terminated:
• CompactbyteAV; Advanced Registry Tracer; Setup - iKnowPS; iKnowPS; RamCleaner; System Cleaner; TuneUp RegistryCleaner; Antivirus Scanner; Zanda's little helper; Norman Generic Fix; NVC v5.81 Setup; Norman Virus Control - InstallShield Wizard; Process Explorer - Sysinternals: www.sysinternals.com; Pocket Killbox; RegCleaner 4.1 by Jouni Vuorio; Security Task Manager Versi shareware tanpa registrasi; Security Task Manager; Installation; EULA; PowerDVD; Windows Media Player; Microsoft Configuration Utility; System Restore; System Configuration Utility; Restrictions; Registry Editor; Close Programs; Close Program; Task Manager; Windows Script Host; HijackThis; HijackThis - v1.99.1; Getting Started with Windows 2000; Folder Options

Other information
Mutex:
It creates the following mutexes:
• Renova Aliciana
• Renova Emira

File details
Programming language:
Programming language used: C (compiled with Microsoft Visual C++).
File compression:
To make detection harder and to reduce the file size, the following packer is used:
• UPX
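The following PowerShell script is an added, read-only triage check written for this description; it is not part of the original analysis or any vendor tool. It reads the persistence and tampering indicators listed above (dropped files, Run/Winlogon/SafeBoot values, the RENOVA owner strings, the disabled Regedit/Task Manager/System Restore policies, and the two mutexes) and reports what it finds. It assumes it runs as Administrator on the host under investigation and does not modify anything.

```powershell
# Added example, not from the Avira description: read-only triage for the
# Worm/Levona.A indicators listed in the description. Report only, no cleanup.
$findings = @()

# Dropped files (description paths with %SYSDIR%/%WINDIR% expanded for this host)
$sys = [Environment]::GetFolderPath('System')
$win = [Environment]::GetFolderPath('Windows')
$dropped = @("$sys\Emma.exe", "$sys\Nova.exe", "$sys\Alisa.exe", "$win\Mstry.exe",
             "$env:ProgramFiles\Common Files\Renova.exe")
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) { $findings += "dropped file present: $f" }
}

# Registry values whose content matches the description's "new value" entries
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';              Name = 'Renova';               Pattern = 'Nova\.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';              Name = 'Shell';                Pattern = 'Renova\.exe' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';      Name = 'Shell';                Pattern = 'Renova\.exe' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';      Name = 'Userinit';             Pattern = 'Renova\.exe' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot';                  Name = 'AlternateShell';       Pattern = 'Renova\.exe' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion';               Name = 'RegisteredOwner';      Pattern = '^RENOVA$' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'DisableRegistryTools'; Pattern = '^1$' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'DisableTaskMgr';       Pattern = '^1$' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';       Name = 'DisableSR';            Pattern = '^1$' }
)
foreach ($c in $checks) {
    # -ErrorAction SilentlyContinue: a missing key or value is simply "not found"
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and "$v" -match $c.Pattern) {
        $findings += "registry: $($c.Path)\$($c.Name) = $v"
    }
}

# Mutexes the worm creates; OpenExisting throws when no such mutex exists
foreach ($m in 'Renova Aliciana', 'Renova Emira') {
    try {
        $null = [System.Threading.Mutex]::OpenExisting($m)
        $findings += "mutex present: $m"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] { }
}

if ($findings.Count -eq 0) { 'No Worm/Levona.A indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on the Winlogon or SafeBoot values matters most: they keep the worm running even in Safe Mode, so cleanup should restore those values before the dropped files are removed.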
Description submitted by Andrei Gherman on Tuesday, 18 July 2006
Description updated by Andrei Gherman on Wednesday, 19 July 2006