Alias: I-Worm.Win32.Naco.D
Type: Worm
Size: 45,568 bytes
Origin: unknown
Date: 06-12-2003
Damage: Email and Internet spreading
VDF Version: 6.19.00.08
Danger: Low
Distribution: Medium
Symptoms
Running firewall and antivirus applications are terminated.
Distribution
- Email sending
- Local networks
- P2P networks
Technical Details
Worm/Naco.D copies itself to these locations:
- C:\%Windows%\Start Menu\Programs\StartUp\<%Name%>.exe
- C:\%Windows%\%System%\csrss32.exe
and creates the file C:\bgii.exe.
It infects certain .exe files in the Windows directory.
It creates the following registry entries:
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Under20"="C:\\WINDOWS\\SYSTEM\\CSRSS32.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ALM"="C:\\WINDOWS\\SYSTEM\\CSRSS32.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Services"="C:\\WINDOWS\\SYSTEM\\CSRSS32.EXE"
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\GuestSystem]
<new registry key>
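The autorun entries above are the quickest thing to check on a suspect machine. The script below is an added example, not part of the original description: it parses a `.reg` export of those keys (as written by `regedit /e` or `reg export`) and reports every value that is either one of the documented value names or points at the csrss32.exe dropper, plus the ICQ GuestSystem marker key. The key and value names are taken from the description; SAMPLE_EXPORT is a constructed export that mixes the worm's entries with a benign Windows 9x `ScanRegistry` entry to show that legitimate autoruns are not flagged.

```python
"""Scan a Windows registry export (.reg) for the Worm/Naco.D autorun entries.

Added example, not part of the original description.  The key and value
names come from the description; SAMPLE_EXPORT is a constructed export."""

# Autorun locations and the value names the description attributes to the worm.
NACO_AUTORUN = {
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run": "Under20",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": "ALM",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices": "Services",
}
NACO_MARKER_KEY = r"HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\GuestSystem"
NACO_PAYLOAD = "csrss32.exe"  # lookalike of the legitimate csrss.exe

# Constructed sample of what `regedit /e` (or `reg export`) writes for these keys.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ALM"="C:\\WINDOWS\\SYSTEM\\CSRSS32.EXE"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Services"="C:\\WINDOWS\\SYSTEM\\CSRSS32.EXE"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Under20"="C:\\WINDOWS\\SYSTEM\\CSRSS32.EXE"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\GuestSystem]
"""


def parse_reg_export(text):
    """Parse REGEDIT4/5 text into {key_path: {value_name: data}}.

    Only string values matter for autorun checks, so other value types are
    kept verbatim; the .reg escaping of backslashes in string data is undone."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = name.strip('"')
            data = data.strip('"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_naco_indicators(reg_text):
    """Return one finding string per Naco.D indicator present in the export."""
    keys = parse_reg_export(reg_text)
    by_lower = {k.lower(): v for k, v in keys.items()}
    findings = []
    for key, known_name in NACO_AUTORUN.items():
        for name, data in by_lower.get(key.lower(), {}).items():
            # Match the documented value name, and also any value that points at
            # the dropper, in case a variant renames the value.
            if name == known_name or data.lower().endswith(NACO_PAYLOAD):
                findings.append(f"{key}\\{name} -> {data}")
    if NACO_MARKER_KEY.lower() in by_lower:
        findings.append(f"{NACO_MARKER_KEY} (infection marker key present)")
    return findings


if __name__ == "__main__":
    for finding in find_naco_indicators(SAMPLE_EXPORT):
        print("NACO.D:", finding)
```

Key paths are compared case-insensitively because regedit exports preserve whatever case the key was created with, while the payload match is on the file name only, so the System versus System32 difference between Windows 9x and 2000/XP does not matter.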
Worm/Naco.D spreads itself via Outlook; its emails have the following
characteristics:
Subject:
British Air Way Will Backcrupt
Body:
i babe, Still missing me! I have send to you a special
gift I made it my own. Just for you. Check it out the
attachment.
Your Love,
Rekcahlem
Attachment:
climbing.jpg.exe
or
Subject:
You r a chichy boy, you r a chicky girl
Body:
reat to see you again babe! This is file you want las
week. Please don't distribute it to other.
Regard,
V.C.
Attachment:
csrss32.exe
or
Subject:
Small And Destrucive!
Body:
Attention!
Please do not eat pork! The SARS virus may come
from the pig. So becareful.
For more information check the attachment.
Regard, WTO
Attachment:
climbing.jpg.exe
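Two tricks carry all three lures: a double extension (climbing.jpg.exe shows as climbing.jpg when Explorer hides known extensions) and an attachment named after a Windows system process (csrss32.exe mimicking csrss.exe). The following is an added example, not part of the original description, that classifies attachment names by those two patterns; it generalises beyond the three lures shown, and the extension sets, the system-process stems and SAMPLE_MESSAGES are assumptions constructed for the example.

```python
"""Triage mail attachments for the lure techniques used by the Naco.D messages.

Added example, not part of the original description; the message list is
constructed and the heuristics generalise beyond the three lures shown."""
import os

# Extensions Windows executes on double-click (assumed set for the example).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Harmless-looking extensions a worm puts in front of the real one; Explorer's
# "Hide extensions for known file types" shows climbing.jpg.exe as climbing.jpg.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc", ".zip"}
# Stems of real Windows system processes; csrss32.exe mimics csrss.exe.
SYSTEM_PROCESS_STEMS = {"csrss", "lsass", "smss", "svchost", "winlogon", "services", "explorer"}


def attachment_verdict(filename):
    """Classify an attachment name: 'ok', 'executable', 'double-extension'
    or 'system-lookalike'."""
    stem, ext = os.path.splitext(filename.lower())
    if ext not in EXECUTABLE_EXTS:
        return "ok"
    _, inner = os.path.splitext(stem)
    if inner in DECOY_EXTS:
        return "double-extension"
    # Heuristic: a system process name with digits appended (assumption: this
    # pattern is rare in legitimate mail attachments).
    bare = stem.rstrip("0123456789")
    if bare != stem and bare in SYSTEM_PROCESS_STEMS:
        return "system-lookalike"
    return "executable"


def triage(messages):
    """Return [(subject, attachment, verdict)] for messages with a risky attachment."""
    flagged = []
    for msg in messages:
        verdict = attachment_verdict(msg["attachment"])
        if verdict != "ok":
            flagged.append((msg["subject"], msg["attachment"], verdict))
    return flagged


# Constructed messages: the three lures from the description plus a benign one.
SAMPLE_MESSAGES = [
    {"subject": "British Air Way Will Backcrupt", "attachment": "climbing.jpg.exe"},
    {"subject": "You r a chichy boy, you r a chicky girl", "attachment": "csrss32.exe"},
    {"subject": "Small And Destrucive!", "attachment": "climbing.jpg.exe"},
    {"subject": "Holiday photos", "attachment": "beach.jpg"},
]

if __name__ == "__main__":
    for subject, attachment, verdict in triage(SAMPLE_MESSAGES):
        print(f"{verdict:17} {attachment:20} {subject}")
```

Matching on the attachment name rather than on the subject lines is deliberate: the subjects change from variant to variant, while the double-extension and lookalike tricks are what make the lure work on a default Windows configuration.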
The following running processes are terminated:
Anti-Trojan.exe, Ackwin32.exe, _Avpm.exe, _Avpcc.exe, _Avp32.exe, Ave32.exe, Avconsol.exe, Autodown.exe, Apvxdwin.exe, Avpcc.exe, Avp32.exe, Avp.exe, vnt.exe, Avkserv.exe, Avgctrl.exe, Avsched32.exe, Avpupd.exe, Avptc32.exe, Avpm.exe, Avpdos32.exe, Cfiadmin.exe, Blackice.exe, Blackd.exe, Avwupd32.exe, Avwin95.exe, Claw95cf.exe, Claw95.exe, Cfinet32.exe, Cfinet.exe, Cfiaudit.exe, Ecengine.exe, Dvp95_0.exe, Dvp95.exe, Cleaner3.exe, Cleaner.exe, f-Prot95.exe, f-Prot.exe, f-Agnt95.exe, Espwatch.exe, Esafe.exe, Frw.exe, Fprot.exe, Fp-Win.exe, Findviru.exe, f-Stopw.exe, Icload95.exe, Ibmavsp.exe, Ibmasn.exe, Iamserv.exe, Iamapp.exe, Iface.exe, Icsuppnt.exe, Icsupp95.exe, Icmon.exe, Icloadnt.exe, Luall.exe, Lookout.exe, Lockdown2000.exe, Jedi.exe, Iomon98.exe, Navlu32.exe, Navapw32.exe, N32scanw.exe, Mpftray.exe, Moolive.exe, Nmain.exe, Nisum.exe, Navwnt.exe, Navw32.exe, Navnt.exe, Padmin.exe, Outpost.exe, Nvc95.exe, Nupgrade.exe, Normist.exe, Pcfwallicon.exe, Pccwin98.exe, Pavw.exe, Pavsched.exe, Pavcl.exe, Regedit.exe, Rescue.exe, Rav7win.exe, Rav7.exe, Persfw.exe, Scrscan.exe, Scanpm.exe, Scan95.exe, Scan32.exe, Safeweb.exe, Tbscan.exe, Sweep95.exe, Sphinx.exe, Smc.exe, Serv95.exe, Vettray.exe, Vet95.exe, Tds2-Nt.exe, Tds2-98.exe, Tca.exe, Vsstat.exe, Vshwin32.exe, Vsecomr.exe, Vscan40.exe, Webscanx.exe, Wfindv32.exe, Zonealarm.exe
Manual Removal Instructions
- for Windows 2000/XP:
To remove the worm by hand, first boot into Safe Mode: press F8 while the computer starts and choose 'Safe Mode' from the menu that appears. Then delete the following files:
* C:\%Windows%\Start Menu\Programs\StartUp\<%Name%>.exe
* C:\%Windows%\%System32%\csrss32.exe
* C:\bgii.exe
Start "regedit" after that and delete the following registry entries:
* [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Under20"="C:\\WINDOWS\\SYSTEM32\\CSRSS32.EXE"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ALM"="C:\\WINDOWS\\SYSTEM32\\CSRSS32.EXE"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Services"="C:\\WINDOWS\\SYSTEM32\\CSRSS32.EXE"
* [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\GuestSystem]
<New Registry Key>
Restart your computer.
- for Windows 9x/Me:
To remove the worm by hand, first boot into Safe Mode: press F8 while the computer starts and choose 'Safe Mode' from the menu that appears. Then delete the following files:
* C:\%Windows%\Start Menu\Programs\StartUp\<%Name%>.exe
* C:\%Windows%\%System%\csrss32.exe
* C:\bgii.exe
Start "regedit" after that and delete the following registry entries:
* [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Under20"="C:\\WINDOWS\\SYSTEM\\CSRSS32.EXE"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ALM"="C:\\WINDOWS\\SYSTEM\\CSRSS32.EXE"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Services"="C:\\WINDOWS\\SYSTEM\\CSRSS32.EXE"
* [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\GuestSystem]
<New Registry Key>
Restart your computer.
Description submitted by Crony Walker on
Tuesday, 15 June 2004