Virus: BDS/Sdbot.A.4
Date discovered: 16/10/2007
Type: Backdoor server
In the wild: Yes
Damage level: Low
Distribution level: Medium
Risk level: Medium
Static file: Yes
File size: 192,000 bytes
MD5 checksum: 15ecf1e5ed645ca952204dae7fe7fd56
VDF version: 7.00.00.91
IVDF version: 7.00.00.96 - Tuesday, 16 October 2007
General
Method of propagation:
• Local network

Aliases:
• Kaspersky: Backdoor.Win32.Rbot.bmo
• Sophos: W32/Sdbot-CSV
• VirusBuster: Worm.Rbot.IRL
• Eset: Win32/Rbot trojan
• Bitdefender: Backdoor.Rbot.BMO

Operating systems:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Disables security applications
• Records keystrokes
• Modifies the Windows registry
• Exploits software vulnerabilities
• Steals information
• Allows unauthorised access to the computer

Files
It copies itself to the following location:
• %SYSDIR%\IRQconf.exe

It deletes the initially executed copy of itself.

The following files are created:
– c:\a.bat
It is executed after it has been created. Detected as: BAT/REG.Zapchast
– C:\DOCUME~1\name1252\LOCALS~1\Temp\1.reg
It is executed after it has been created. It contains parameters used by the malware. Detected as: TR/TCPParams.D.3

Registry
The following registry keys are added (in an infinite loop) so that the processes run again after a reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "IRQ Assigning Agent"="IRQconf.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
• "IRQ Assigning Agent"="IRQconf.exe"

The following registry key is added:
– [HKCU\Software\Microsoft\OLE]
• "IRQ Assigning Agent"="IRQconf.exe"

The following registry keys are changed:

Disables the Windows Firewall:
– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess]
Old value:
• Start=dword:00000002
New value:
• Start=dword:00000004

– [HKLM\SYSTEM\ControlSet001\Services\wuauserv]
Old value:
• Start=dword:00000002
New value:
• Start=dword:00000004

– [HKLM\SYSTEM\ControlSet001\Services\wscsvc]
Old value:
• Start=dword:00000002
New value:
• Start=dword:00000004

– [HKLM\SYSTEM\ControlSet001\Control\Lsa]
Old value:
• "restrictanonymous"=%user-defined settings%
New value:
• restrictanonymous=dword:00000001

– [HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server]
New value:
• Enabled=hex:00

– [HKLM\SOFTWARE\Microsoft\Ole]
Old value:
• EnableDCOM=%user-defined settings%
New value:
• EnableDCOM="N"
• EnableRemoteConnect="N"

– [HKLM\SYSTEM\ControlSet001\Services\lanmanserver\parameters]
New value:
• AutoShareWks=dword:00000000
• AutoShareServer=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
New value:
• MaxConnectionsPer1_0Server=dword:00000050
• MaxConnectionsPerServer=dword:00000050

– [HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
New value:
• "NameServer"=""
• "ForwardBroadcasts"=dword:00000000
• "IPEnableRouter"=dword:00000000
• "Domain"=""
• "SearchList"=""
• "UseDomainNameDevolution"=dword:00000001
• "EnableICMPRedirect"=dword:00000000
• "DeadGWDetectDefault"=dword:00000001
• "DontAddDefaultGatewayDefault"=dword:00000000
• "EnableSecurityFilters"=dword:00000001
• "AllowUnqualifiedQuery"=dword:00000000
• "PrioritizeRecordData"=dword:00000001
• "TCP1320Opts"=dword:00000003
• "KeepAliveTime"=dword:00023280
• "BcastQueryTimeout"=dword:000002ee
• "BcastNameQueryCount"=dword:00000001
• "CacheTimeout"=dword:0000ea60
• "Size/Small/Medium/Large"=dword:00000003
• "LargeBufferSize"=dword:00001000
• "SynAckProtect"=dword:00000002
• "PerformRouterDiscovery"=dword:00000000
• "EnablePMTUBHDetect"=dword:00000000
• "FastSendDatagramThreshold"=dword:00000400
• "StandardAddressLength"=dword:00000018
• "DefaultReceiveWindow"=dword:00004000
• "DefaultSendWindow"=dword:00004000
• "BufferMultiplier"=dword:00000200
• "PriorityBoost"=dword:00000002
• "IrpStackSize"=dword:00000004
• "IgnorePushBitOnReceives"=dword:00000000
• "DisableAddressSharing"=dword:00000000
• "AllowUserRawAccess"=dword:00000000
• "DisableRawSecurity"=dword:00000000
• "DynamicBacklogGrowthDelta"=dword:00000032
• "FastCopyReceiveThreshold"=dword:00000400
• "LargeBufferListDepth"=dword:0000000a
• "MaxActiveTransmitFileCount"=dword:00000002
• "MaxFastTransmit"=dword:00000040
• "OverheadChargeGranularity"=dword:00000001
• "SmallBufferListDepth"=dword:00000020
• "SmallerBufferSize"=dword:00000080
• "TransmitWorker"=dword:00000020
• "DNSQueryTimeouts"=%hex values%
• "DefaultRegistrationTTL"=dword:00000014
• "DisableReplaceAddressesInConflicts"=dword:00000000
• "DisableReverseAddressRegistrations"=dword:00000001
• "UpdateSecurityLevel"=dword:00000000
• "DisjointNameSpace"=dword:00000001
• "QueryIpMatching"=dword:00000000
• "NoNameReleaseOnDemand"=dword:00000001
• "EnableDeadGWDetect"=dword:00000000
• "EnableFastRouteLookup"=dword:00000001
• "MaxFreeTcbs"=dword:000007d0
• "MaxHashTableSize"=dword:00000800
• "SackOpts"=dword:00000001
• "Tcp1323Opts"=dword:00000003
• "TcpMaxDupAcks"=dword:00000001
• "TcpRecvSegmentSize"=dword:00000585
• "TcpSendSegmentSize"=dword:00000585
• "TcpWindowSize"=dword:0007d200
• "DefaultTTL"=dword:00000030
• "TcpMaxHalfOpen"=dword:0000004b
• "TcpMaxHalfOpenRetried"=dword:00000050
• "TcpTimedWaitDelay"=dword:00000000
• "MaxNormLookupMemory"=dword:00030d40
• "FFPControlFlags"=dword:00000001
• "FFPFastForwardingCacheSize"=dword:00030d40
• "MaxForwardBufferMemory"=dword:00019df7
• "MaxFreeTWTcbs"=dword:000007d0
• "GlobalMaxTcpWindowSize"=dword:0007d200
• "EnablePMTUDiscovery"=dword:00000001
• "ForwardBufferMemory"=dword:00019df7

Network infection
To ensure its propagation, the malware attempts to connect to other machines as described below.

It sends a copy of itself to the following network share:
• %all network shares%

It uses the following login information to gain access to the remote machine:
– A list of usernames and passwords:
• Administrator; administrator; administrador; administrateur; administrat; admins; admin; staff; root; computer; owner; student; teacher; wwwadmin; guest; default; database; dba; oracle; db2; ADMINISTRATOR; Administrator; administrator; fubar; bla; GUEST; ROOT; root; ADMIN; PASSWORD; TEMP; SHARE; WRITE; FULL; ladeda; BOTH; READ; FILES; DEMO; OWNER; Owner; edu; TEST; ACCESS; USER; BACKUP; SYSTEM; SERVER; pepsi; LOCAL; unix; linux; changeme; Changeme; temp123; 31; 12; 123; 1234; 12345; 123456; 1234567; 12345678; 123456789; 654321; 54321; 111; 11111111; 88888888; pass; passwd; database; abcd; abc123; oracle; sybase; 123qwe; computer; Internet; super; 123asd; ihavenopass; godblessyou; enable; xp; 2002; 2003; 2600; 110; 111111; 121212; 123123; 1234qwer; 123abc; 007; alpha; patrick; pat; sex; god; foobar; Nilez; devil; netdevil; net-devil; 0wned; owned; irule; netfuck; fucked; crash; aaa; abc; test123; win; pc; asdf; secret; qwer; yxcv; zxcv; home; login; pwd; love; mypc; mypc123; admin123; pw123; mypass; mypass123; pw; Mat; Matt; Matthew; gobo; satan; satanik; satanic; spaceman; heaven; w00t; 0wn3d; killer; leet; l33t; l337; hacker; hax0r; script; scriptkiddie; kiddie; mirc; uwontguessme; youwontguessme; guessme; ex; xx; xxx; xxxx; xxxxx; xxxxxx; xxxxxxx; xxxxxxxx; xxxxxxxxx; 00; death; testing; 000; 0000; 00000; 000000; academia; academic; accept; account; action; adam; adrian; adrianna; adult; aerobics; aids; airplane; alaska; albany; albatros; albert; alert; alex;
alexande; algebra; alias; aliases; alice; alicia; alisa; alison; allison; allow; alphabet; amadeus; amanda; amber; america; amorphou; anal; analog; anarchis; anarchy; anchor; andrea; android; andromac; andy; anfo; angela; angerine; angie; animal; animals; anita; anna; anne; annette; anon; anonymou; answer; anthrax; anthropo; anvils; anything; apollo13; april; aria; ariadne; arlene; army; arrow; arthur; artist; asian; asshole; athena; atmosphe; atom; attack; authoriz; aztecs; azure; babe; baby; bacchus; backdoor; badass; bailey; ball; banana; bananas; bandit; bank; banks; barbara; barber; bare; barf; baritone; bart; bartman; baseball; basic; bass; bassoon; batch; batman; beach; beammeup; bear; beast; beater; beauty; beaver; becky; beethove; begin; behead; bell; beloved; benz; beowulf; berkeley; berlin; berliner; beryl; beta; beth; betsie; betty; beverly; bible; bicamera; bigfoot; bill; binary; bios; bird; bishop; bitch; bitmap; bitnet; black; blonde; blondie; blood; bloodaxe; blow; blowjob; blue; blues; board; bomb; boner; boob; boobs; book; born; boyscout; bradley; brandi; brandy; bravo; break; breast; brenda; brian; bridget; broadway; brothel; brunette; brute; brutefor; bulls; bullshit; bumbling; bung; burgess; burn; butch; butt; butthead; californ; camille; campanil; camping; candi; candy; cantor; captain; capture; card; cardinal; caren; carla; carmen; carol; carole; carolina; caroline; carrie; carson; cascades; cash; castle; catherin; catholic; cathy; cave; cayuga; cecily; celt; celtic; celtics; cerulean; change; charity; charles; charlie; charming; charon; chat; chem; chemistr; chess; chester; chip; chris; christin; christy; cigar; cigarett; cindy; class; classes; classic; claudia; claymore; cleavage; clinton; cluster; clusters; coast; cocacola; cocainco; cock; code; codename; codeword; coffee; coin; coke; cola; cold; collins; color; combat; comics; commit; commrade; company; computin; comrade; comrades; condo; condom; connect; connie; conserva; console; 
continue; cook; cookbook; cookie; cool; cooper; copper; cops; copy; corneliu; correct; counters; country; couscous; cowboy; crack; crackpot; cream; create; creation; creature; credit; creosote; cretin; crime; criminal; cristina; crystal; cshrc; cunt; customer; cyber; cyberpun; cyberspa; cynthia; daemon; daisy; dana; dancer; daniel; danielle; danny; dapper; dark; darkaven; data; dave; dawn; dead; deathsta; debbie; deborah; debug; december; deck; default; DEFAULT; defoe; delta; deluge; democrat; denise; dennis; desiree; desk; desktop; desperat; develop; device; dial; diamond; diana; diane; dice; dick; diehard; diet; dieter; digital; dinosaur; dipshit; direct; director; dirty; disc; discipli; disclose; discover; disk; diskette; disney; display; doctor; dollar; dong; doom; doom2; doomii; doomsday; doonesbu; door; doors; dope; download; dragon; drdoom; drive; drought; duck; dude; duelist; duke; dulce; duncan; dungeon; dyke; eager; eagle; earth; easier; easy; eatme; echo; eddie; edges; edinburg; edit; edition; education; educatio; edwin; edwina; egghead; eiderdow; eileen; einsiein; einstein; elaine; elanor; electron; elephant; elizabet; ellen; email; emerald; emily; emmanuel; enemy; engine; engineer; england; english; enter; enterpri; enzyme; erenity; eric; erica; erika; erin; erotic; ersatz; establis; estate; eternity; euclid; evelyn; expert; explode; explore; explorer; explosiv; extensio; fairway; faith; falcon; false; family; farad; faraday; fart; fast; fear; feds; felicia; fender; fermat; ferrari; fidelity; field; fight; file; finite; fire; firewall; fishers; flakes; float; florida; flower; flowers; food; fool; foolproo; football; force; ford; foresigh; forever; form; format; fornicat; forsythe; fourier; foxtrot; france; frank; freak; fred; free; freedom; french; friday; friend; friends; frighten; frog; fryguy; fuck; fucker; fucking; fuckme; fuckyou; fudge; function; fungible; gabriel; games; gardner; garfield; gateway; gatherin; gatt; gauss; george; germ; gertrude; 
ghost; gibson; gigabyte; gina; ginger; girl; glacier; gold; golden; golf; golfer; good; gorgeous; gorges; gosling; gouge; govermen; grades; graham; grahm; grand; grant; great; green; group; gryphon; guardian; gucci; guess; guitar; gumption; guntis; hack; hacked; hagar; hair; hallowee; hamlet; hamster; handel; handily; handjob; happenin; hard; hardcore; harddriv; harmony; harold; harvey; hate; haven; hawaii; head; headbang; heat; heathen; heather; hebrides; heidi; heinlein; hell; hello; help; herb; herbert; hero; heroin; hewlett; hexadeci; hiawatha; hibernia; hidden; high; highland; hitler; hits; hole; holly; hollywoo; homepage; homer; homework; honey; hooker; hooters; horny; horrible; horror; horse; horus; host; hotdog; hotel; http; hunt; hunter; hutchins; hydrogen; hyper; hypertxt; icecream; illumina; image; imbrogli; immortal; imperial; include; india; indian; indiana; indians; ingres; ingress; ingrid; inna; innocuou; input; inside; integer; invent; irene; irishman; isis; jackie; jail; jane; janet; janice; janie; japan; jasmin; java; jazz; jean; jeanne; jeff; jenni; jennifer; jenny; jerry; jerusale; jessica; jester; jewelry; jill; jixian; joanne; jody; john; johndoe; johnny; joseph; joshua; journal; joyce; judith; judy; juggle; juicy; julia; julie; juliet; june; jupiter; kaka; karen; karie; karina; katana; kate; kathleen; kathrine; kathy; katina; katrina; kelly; keri; kermit; kernel; kerri; kerrie; kerry; kevin; kewl; keybord; keyin; keyword; kids; kill; killthem; kilo; kimberly; king; kirk; kirkland; kiss; kissmyas; kitten; klingon; knife; knight; knightma; known; krista; kristen; kristi; kristie; kristin; kristine; kristy; ladies; ladle; lakers; lambda; laminati; lana; laptop; lara; larkin; larry; laser; laura; lava; lazarus; lazer; leah; lebesgue; left; leftwing; legal; leland; leroy; lesbian; leslie; letmein; lewis; lexluthe; liberal; library; lick; licker; life; light; lightsab; lima; limbaugh; limited; linda; link; lion; lips; lisa; lisp; literatu; live; 
load; lock; lockout; lockword; logic; loginwor; logout; lois; lolopc; loose; lore; lori; lorin; lorraine; loser; louis; lovebug; lover; luck; lucus; lucy; lude; luke; lust; lynn; lynne; machine; macintos; mack; macro; maggot; magic; magnet; mail; maint; malcolm; malcom; mana; manager; mara; marci; marcy; maria; mariens; marietta; marijuan; marines; mark; markus; marni; marriage; mars; marty; marvin; mary; mason; master; math; maurice; meagan; megabyte; megadeth; megan; melissa; mellon; melrose; member; memory; menace; menu; mercury; merlin; metal; metalhea; metalica; mets; mice; michael; michel; michelan; michele; michelle; mickey; micro; microchi; micropro; microsof; midieval; mike; mine; minimum; minsky; misfit; mission; mkii; mode; modem; mogul; moguls; monday; monica; moom; moor; moose; more; morley; morris; mortal; mortalco; mortgage; mosaic; mountain; mouse; move; movie; movies; mozart; mpeg; msdos; muppets; mutant; nagel; name; nancy; napoleon; nasa; navy; nepenthe; neptune; ness; netscape; network; newborn; news; newsgrou; newton; newyork; next; nice; nicole; nicotine; night; nightmar; nintendo; nita; nnaacp; noble; nobody; node; noreen; notes; noth; nova; novel; november; noxious; nuclear; nude; nuke; nukem; null; number; nutritio; nuts; nyquist; obscurit; oceanogr; ocelot; office; okay; oldage; olivetti; olivia; omega; open; opening; openlock; opensesa; operator; orca; orient; orwell; oscar; osiris; outdoors; outlaw; output; outside; oxford; pacific; packard; packer; painless; paint; pakistan; pamela; papa; paper; papers; pascal; passphra; paste; patricia; patriot; patty; paula; peanuts; pecker; pencil; penelope; penguin; penis; penname; pentagon; pentagra; penthous; pentium; peoria; pepper; percolat; perfect; permit; persimmo; persona; pervert; pete; peter; phil; philip; phoenix; phone; photon; phrack; phrase; phreak; phuck; pick; pierre; pimp; pinname; piss; pizza; plane; playboy; plover; pluto; plymouth; poetry; police; polly; polynomi; ponderin; poop; 
poor; pork; porn; porno; porsche; post; poster; power; praise; precious; prelude; presto; prince; princeto; printer; priv; private; privs; proceed; processo; professo; profile; program; prompt; protect; protozoa; psycho; psychopa; public; puck; puke; pumpkin; puneet; punisher; punk; puppet; pussy; quebec; qwert; qwerty; rabbit; rachel; rachelle; rachmani; raid; rain; rainbow; raindrop; raleigh; random; rape; rascal; razor; reagan; reality; really; ream; reaper; rebal; rebecca; rebel; record; reddawn; redhead; referenc; regional; release; remote; renee; reno; rent; report; republic; resistan; reveal; rhino; rich; rick; riffraff; right; rightwin; ring; riot; ripple; risc; roach; robert; robin; robot; robotics; robyn; rochelle; rocheste; rock; rocky; rockyhor; rodent; rolex; romano; romeo; romulan; ronald; rose; rosebud; rosemary; roses; rough; rubber; ruben; ruby; rude; rules; running; rush; ruth; safe; salami; sale; salt; samantha; sample; sandra; sandy; sara; sarah; saturday; saturn; saxon; scamper; scheme; school; schoolsucks; scifi; scorpion; scott; scotty; scout; search; security; seed; sega; sensor; sentinel; sentry; serenity; serial; service; sesame; sexy; shannon; sharc; shark; sharks; sharon; sheffiel; sheldon; shell; sherri; shift; shirley; shit; shitpot; shiva; shivers; short; shuttle; sick; sierra; signatur; silver; simcity; simon; simple; simpsons; simulati; singer; single; site; skull; slave; slick; sliders; slow; slut; small; smart; smile; smiles; smooch; smother; smtp; smut; snach; snafu; snake; snatch; snoopy; soap; social; socrates; sodomy; soft; software; somebody; sondra; sonia; sonic; sonya; sossina; source; south; spaceshi; sparrows; spear; spell; spice; spider; spiderma; spit; spred; spring; springer; spunk; squires; sr71; stacey; staci; stacie; stacy; star; starship; start; startrek; startup; starwars; steak; steal; steel; steph; stephani; stereo; steve; stoneage; stoned; stones; strange; strangle; stratfor; streetfi; string; strip; student; 
stuttgar; subscrib; subway; success; suck; suckmydi; sucks; summer; sunday; superman; superson; supersta; superuse; supervis; support; supporte; surfer; surfing; susan; susanne; susie; suzanne; suzie; swearer; sweat; switch; sword; sybil; symmetry; sysadmin; sysop; tabasco; talk; tall; tamara; tami; tamie; tammy; tangerin; tango; tape; tara; target; tarragon; taylor; teacher; team; teapot; tears; tech; teen; teenage; telephon; telnet; temptati; tennis; tera; terminal; terminat; tess; tetris; text; thailand; theresa; thin; thursday; tiffany; tiger; time; tina; tits; toad; toggle; token; tokenrin; tomato; topograp; tortoise; toxic; toyota; traci; tracie; tracy; trails; transfer; trap; trapdoor; tree; trek; trisha; trivial; trojan; trombone; tron; true; truth; tubas; tuesday; turn; tuttle; ugly; umesh; uncle; undo; unhappy; unicorn; uniform; universa; universe; universi; unknown; unlock; upload; uranus; urchin; ursula; usenet; usermane; username; usmc; util; utility; uucp; vagina; valerie; vampire; vasant; venus; veronica; vertigo; vicky; victor; video; videogam; village; virgin; virginia; virus; visitor; visual; visualba; vodka; waco; ward; warez; warfare; wargames; warp; warren; wasp; watchwor; water; wave; webpage; wednesda; weed; weenie; well; wendi; wendy; werewolf; west; western; whatever; whatnot; whisky; white; whiting; whitney; wholesal; whore; will; william; williams; willie; wilma; windows; wine; wing; winston; wired; wisconsi; wiseass; within; wizard; wolf; wolverin; woman; wombat; women; wood; woodwind; word; wordperf; worf; work; worm; wormwood; wwii; wyoming; xena; xfer; xman; xmen; xmodem; xray; xyzzy; yaco; yang; yankee; yellow; yellowst; yolanda; yosemite; young; zebra; zeitgeis; ziggy; zimmerma; zmodem; zombie; zulu; 00000000; tester; testin; Ross; Rosco; RoscoP; RoscoPColtrane; lol; d00d; dudette; dud3; Al3x; Alexander; donaldduck; wileecoyote; windowz; windoze; windose; billy; M$; MS; WindowsXP; windows2k; windowsME; windows98; windows95; 
windozexp; windoze2k; windozeME; windoze98; windoze95; wh0r3; ho; wh0re; hax; haxing; h4x1ng; h4x0r1ng; h4x0ring; ada; albatross; alf; ama; amorphous; amy; andromache; ann; anthropogenic; asd; asm; atmosphere; beethoven; bicameral; bob; bsd; cad; campanile; cat; catherine; chemistry; christina; christine; commrades; cornelius; deb; desperate; discovery; dog; dos; edinburgh; eiderdown; elizabeth; enterprise; establish; extension; foolproof; foresight; fun; gnu; hal; happening; ibm; imbroglio; innocuous; jen; joy; key; kim; lamination; lee; liz; macintosh; mgr; mit; net; new; nutrition; oceanography; pad; pam; percolate; persimmon; polynomial; pondering; princeton; professor; pub; rachmaninoff; rje; rochester; sal; sheffield; signature; stephanie; stratford; stuttgart; sun; superstage; superuser; supported; sys; tangerine; telephone; temptation; topography; tty; wholesale; williamsburg; wisconsin; xyz; yellowstone; zap; zimmerman

Exploit
It makes use of the following exploits:
– MS06-040 (Vulnerability in Server Service)
– NetDevil backdoor (port 903)

Infection process:
It creates a TFTP script on the attacked machine to allow the download of the malware from the attacking machine.

Remote execution:
– It attempts to schedule a remote execution of the malware on the newly infected machine. To do so it uses the NetScheduleJobAdd function.
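The following PowerShell script is an added example, not part of the original description and not tooling from the vendor that published it. It checks a host for the host-side indicators listed above from a responder's point of view: the dropped files, the "IRQ Assigning Agent" autostart values, the three services the malware switches from Start=2 (Automatic) to Start=4 (Disabled), the DCOM and administrative-share settings it turns off, and the AT jobs that NetScheduleJobAdd creates (stored as At<n>.job files under %SystemRoot%\Tasks). Assumptions: it runs with local administrator rights on the inspected host, PowerShell 4 or later is available for Get-FileHash, and the live CurrentControlSet is checked alongside the ControlSet001 key named in the description. It only reports findings; it changes nothing.

```powershell
# Added example: read-only triage for the BDS/Sdbot.A.4 indicators described above.
# Not part of the original description. Assumes local administrator rights on the
# inspected host and PowerShell 4 or later (Get-FileHash).

$knownMd5 = '15ecf1e5ed645ca952204dae7fe7fd56'        # MD5 given in the description
$sysdir   = [Environment]::GetFolderPath('System')      # expands the %SYSDIR% placeholder

function Get-SdbotIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped files named in the description
    foreach ($p in @((Join-Path $sysdir 'IRQconf.exe'), 'C:\a.bat')) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash.ToLower()
            $tag = if ($md5 -eq $knownMd5) { 'matches known sample' } else { 'hash differs, inspect' }
            $findings.Add("file present: $p (MD5 $md5, $tag)")
        }
    }

    # 2. Autostart values (Run, RunServices and the HKCU\...\OLE key)
    $valueName = 'IRQ Assigning Agent'
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
                   'HKCU:\Software\Microsoft\OLE') {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$valueName]) {
            $findings.Add("autostart value: $k\$valueName = $($props.$valueName)")
        }
    }

    # 3. Services the description shows switched from Start=2 (Automatic) to 4 (Disabled).
    #    ControlSet001 is the key named in the description; CurrentControlSet is the live one.
    $services = @{ SharedAccess = 'Windows Firewall/ICS'; wuauserv = 'Automatic Updates'; wscsvc = 'Security Center' }
    foreach ($svc in $services.Keys) {
        foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
            $start = (Get-ItemProperty -Path "HKLM:\SYSTEM\$cs\Services\$svc" -Name Start -ErrorAction SilentlyContinue).Start
            if ($start -eq 4) {
                $findings.Add("service disabled: $svc ($($services[$svc])) in $cs, Start=$start")
            }
        }
    }

    # 4. DCOM and administrative shares turned off
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    if ($ole -and $ole.EnableDCOM -eq 'N') {
        $findings.Add('DCOM disabled: HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = N')
    }
    $lanman = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters' -ErrorAction SilentlyContinue
    if ($lanman -and $lanman.PSObject.Properties['AutoShareWks'] -and $lanman.AutoShareWks -eq 0) {
        $findings.Add('administrative shares disabled: lanmanserver\parameters\AutoShareWks = 0')
    }

    # 5. AT jobs, which is what NetScheduleJobAdd creates, live as At<n>.job under %SystemRoot%\Tasks
    $tasks = Join-Path $env:SystemRoot 'Tasks'
    Get-ChildItem -Path $tasks -Filter 'At*.job' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("AT job present: $($_.FullName) (created $($_.CreationTime))") }

    return $findings
}

$results = Get-SdbotIndicators
if ($results.Count -eq 0) { 'No BDS/Sdbot.A.4 indicators found.' } else { $results }
```

Each finding is one line, so the output can be dropped straight into an incident note. A Start=4 on wscsvc or SharedAccess with no IRQconf.exe on disk still deserves a look, since the description reports that the registry changes are applied by a separate .reg file that may survive the executable's removal.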
IRC
To deliver system information and to provide remote control, it connects to the following IRC server:
Server: 100.FelonyProductions.**********
Port: 8372
Channel: #$$$$#
Nickname: soldier
Password: og

– Furthermore it has the ability to perform the following actions:
• Connect to the IRC server
• Disable network shares
• Disconnect from the IRC server
• Download files
• Enable network shares
• Join an IRC channel
• Leave IRC channels
• Launch a denial-of-service (DoS) attack
• Port redirection
• Start the spreading routine
• Update itself

Information theft
– It uses a network sniffer to search for the following strings:
• :.login; :,login; :!login; :@login; :$login; :%login; :^login; :*login; :-login; :+login; :/login; :\login; :=login; :?login; :'login; :`login; :~login; : login; :.auth; :,auth; :!auth; :@auth; :$auth; :%auth; :^auth; :&auth; :*auth; :-auth; :+auth; :/auth; :\auth; :=auth; :?auth; :'auth; :`auth; :~auth; : auth; :.id; :,id; :!id; :@id; :$id; :%id; :^id; :&id; :*id; :-id; :+id; :/id; :\id; :=id; :?id; :'id; :`id; :~id; : id; :.hashin; :!hashin; :$hashin; :%hashin; :.secure; :!secure; :.l; :!l; :$l; :%l; :.x; :!x; :$x; :%x; :.syn; :!syn; :$syn; :%syn

– A logging routine is started after the following text is typed:
• paypal
– It captures:
• Keystrokes

– A logging routine is started after the following website is visited:
• paypal.com
– It captures:
• Login information

Miscellaneous
Mutex:
It creates the following mutex:
• 7x4556326

File details
Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
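The following PowerShell script is an added example, not part of the original description, covering the two runtime indicators given above: the mutex 7x4556326 and the IRC control connection on port 8372. Mutex.OpenExisting, netstat -ano and Get-Process are standard Windows facilities; the sample netstat lines are constructed here (TEST-NET addresses) to show the column layout the parser expects and are not captured traffic. The function names Test-SdbotMutex and Find-SdbotIrcConnections are this example's own.

```powershell
# Added example: runtime indicators for BDS/Sdbot.A.4 (mutex and IRC channel named above).
# Not part of the original description.

# Mutex check. OpenExisting throws WaitHandleCannotBeOpenedException when no mutex of that
# name exists; an access-denied error means it exists but belongs to another security
# context, which is still a positive result for our purposes.
function Test-SdbotMutex {
    param([string]$Name = '7x4556326')   # mutex name from the description
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Close()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}

# Parse "netstat -ano" output and return TCP connections whose remote port is the IRC port
# from the description. Taking the lines as a parameter lets the same function run over
# saved output from another host as well as over the live one.
function Find-SdbotIrcConnections {
    param([string[]]$NetstatLines, [int]$Port = 8372)
    $pattern = '^\s*TCP\s+(?<local>\S+)\s+(?<raddr>\S+):(?<rport>\d+)\s+(?<state>\S+)\s+(?<pid>\d+)\s*$'
    foreach ($line in $NetstatLines) {
        if ($line -match $pattern -and [int]$Matches['rport'] -eq $Port) {
            $procId = [int]$Matches['pid']
            [pscustomobject]@{
                LocalAddress  = $Matches['local']
                RemoteAddress = $Matches['raddr']
                State         = $Matches['state']
                ProcessId     = $procId
                ProcessName   = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
            }
        }
    }
}

# Constructed sample lines (not real captures) in the shape netstat -ano prints on Windows.
$sample = @(
    '  TCP    192.0.2.10:1045        198.51.100.7:8372      ESTABLISHED     1234',
    '  TCP    192.0.2.10:1046        198.51.100.8:80        ESTABLISHED     1234',
    '  UDP    0.0.0.0:137            *:*                                    4'
)
'Sample parse (one hit expected, the 8372 line):'
Find-SdbotIrcConnections -NetstatLines $sample | Format-Table -AutoSize

'Live host:'
"Mutex 7x4556326 present: $(Test-SdbotMutex)"
Find-SdbotIrcConnections -NetstatLines (netstat -ano) | Format-Table -AutoSize
```

OpenExisting only sees mutexes in the caller's session namespace unless the name carries a Global\ prefix, so run the check in the same interactive session as the suspected process. The port match on its own is weak evidence (8372 is not reserved for anything), which is why the parser also returns the owning process: an IRQconf.exe or an unknown image holding that connection, together with the mutex, is the combination worth acting on.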
Description submitted by Ana Maria Niculescu on Thursday, 22 November 2007
Description updated by Ana Maria Niculescu on Friday, 23 November 2007