Name: Worm/Kidala.B
Discovered: 22/04/2006
Type: Worm
In the wild: No
Reported infections: Low
Distribution potential: Medium
Damage potential: Medium
Static file: No
File size: ~130.000 bytes
VDF version: 6.34.00.216

 General method of propagation:
   • Email
   • Local network
   • Peer to Peer


Aliases:
   •  Kaspersky: Net-Worm.Win32.Kidala.b
   •  TrendMicro: WORM_MYTOB.QC, WORM_MYTOB.PR
   •  Bitdefender: Win32.Kindala.B@mm, Backdoor.SdBot.BBU


Operating systems:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Disables security software
   • Allows unauthorized remote access to the computer

 Files It copies itself to the following folder
%SYSDIR% under one of the following names:
   • win24.exe
   • sysmon.exe




It deletes the following file(s):
– File: *\*.rar in the following directory:
   • %unrecoverable drive variable%




It deletes the initially executed copy of itself.



The following files are created:

– Temporary working file of the worm:
   • %TEMPDIR%\tmp%random character string%.tmp

 Registry In order to run the process after a system reboot the following values are added to this registry key:

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • win24 = %SYSDIR%\win24.exe
   • win32 = %SYSDIR%\sysmon.exe



The following registry values are deleted:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • systems
   • sys32x



The following registry keys are changed:

Disable Windows Firewall:
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile]
   Old value:
   • EnableFirewall = %user defined settings%
   New value:
   • EnableFirewall = 0

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   Old value:
   • DisableSR = %user defined settings%
   • DisableConfig = %user defined settings%
   New value:
   • DisableSR = 1
   • DisableConfig = 1
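The registry changes above (two Run values pointing at the dropped files, the firewall switched off, System Restore disabled) are the artifacts an incident responder can check first. The following is an added example, not code from Avira's description: it parses a registry export in the text format `reg export` writes and reports which of the described indicators are present. The export embedded below is constructed for the example, with `C:\WINDOWS\system32` standing in for %SYSDIR%.

```python
"""Host triage for the Worm/Kidala.B registry artifacts (added example)."""
import re

# Constructed registry export in `reg export` text format (not from a real host).
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"win24"="C:\\WINDOWS\\system32\\win24.exe"
"win32"="C:\\WINDOWS\\system32\\sysmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
"DisableConfig"=dword:00000001
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FIREWALL_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                r"\Parameters\FirewallPolicy\StandardProfile")
SR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"

# Persistence values named in the description: value name -> dropped file name.
KIDALA_RUN_VALUES = {"win24": "win24.exe", "win32": "sysmon.exe"}

_SECTION = re.compile(r"^\[(.+)\]\s*$")
_STRING = re.compile(r'^"([^"]+)"="(.*)"\s*$')
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for REG_SZ and REG_DWORD values."""
    keys, current = {}, None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        m = _STRING.match(line)
        if m:
            # reg export doubles backslashes inside string values
            current[m.group(1)] = m.group(2).replace("\\\\", "\\")
            continue
        m = _DWORD.match(line)
        if m:
            current[m.group(1)] = int(m.group(2), 16)
    return keys


def triage(keys):
    """Return a sorted list of findings for the indicators in the description."""
    findings = []
    run = keys.get(RUN_KEY, {})
    for name, exe in KIDALA_RUN_VALUES.items():
        target = run.get(name, "")
        if target.lower().endswith("\\" + exe):
            findings.append(f"persistence: Run\\{name} -> {target}")
    if keys.get(FIREWALL_KEY, {}).get("EnableFirewall") == 0:
        findings.append("Windows Firewall disabled (EnableFirewall = 0)")
    sr = keys.get(SR_KEY, {})
    if sr.get("DisableSR") == 1:
        findings.append("System Restore disabled (DisableSR = 1)")
    if sr.get("DisableConfig") == 1:
        findings.append("System Restore configuration locked (DisableConfig = 1)")
    return sorted(findings)


def triage_export(text):
    """Convenience wrapper: parse an export and triage it in one call."""
    return triage(parse_reg_export(text))


if __name__ == "__main__":
    for finding in triage_export(SAMPLE_REG_EXPORT):
        print(finding)
```

On a live system the same check is run against `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and the two other keys; the value names alone are weak evidence (any program may register as `win32`), so the check insists that the value's target ends in one of the dropped file names.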

 Email The worm uses its own SMTP engine to send emails. A direct connection with the remote mail server is established. Its characteristics are described below:


From:
The sender address is spoofed.
Generated addresses. The sender may not have intended to send you this email. He may not even know that his system is infected. You may receive bounced emails notifying you that your system is infected.


To:
– Email addresses found in specific files on the system.
– Email addresses collected from the WAB (Windows Address Book)


Subject:
One of the following:
   • Error
   • Status
   • Server Report
   • Mail Transaction Failed
   • Mail Delivery System
   • hello

The subject may sometimes be left empty.
The subject may contain random characters.


Body:
–  In some cases the body may be empty.
–  In some cases the body may contain random characters.
The body of the email is one of the following:
   • test
   • Mail transaction failed. Partial message is available.
   • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
   • The message contains Unicode characters and has been sent as a binary attachment.


Attachment:
The filename of the attachment is constructed as follows:

–  It begins with one of the following:
   • body
   • message
   • test
   • data
   • file
   • text
   • doc
   • readme
   • document
   • %random character string%

    One of the following file extensions:
   • .bat
   • .cmd
   • .exe
   • .scr
   • .pif
   • .zip
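The subject, body and attachment characteristics above are exactly what a mail gateway can match on. The following is an added example and not Avira's code: a small scoring rule that treats each of the three characteristics as one indicator and quarantines a message when at least two coincide, so that a legitimate message whose subject happens to be "Status" is still delivered. The two MIME messages embedded in it are constructed samples.

```python
"""Mail-gateway rule for the Worm/Kidala.B email characteristics (added example)."""
import re
from email import message_from_string

SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello"}
BODIES = {
    "test",
    "mail transaction failed. partial message is available.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "the message contains unicode characters and has been sent as a binary attachment.",
}
ATTACH_EXTS = {".bat", ".cmd", ".exe", ".scr", ".pif", ".zip"}

# Constructed sample: all three characteristics present.
SAMPLE_WORM_MAIL = """\
From: postmaster@example.com
To: someone@example.net
Subject: Mail Delivery System
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

The message contains Unicode characters and has been sent as a binary attachment.

--XYZ
Content-Type: application/octet-stream; name="document.zip"
Content-Disposition: attachment; filename="document.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--XYZ--
"""

# Constructed sample: a listed subject word, but an ordinary body and no attachment.
SAMPLE_CLEAN_MAIL = """\
From: alice@example.com
To: bob@example.net
Subject: Status
Content-Type: text/plain

Hi Bob, this week's status report is in the tracker, nothing is attached here.
"""


def attachment_matches(filename):
    """The description allows any listed base name or a random string, so the
    discriminating part of the pattern is the extension."""
    m = re.fullmatch(r"([A-Za-z0-9_]+)(\.[A-Za-z0-9]+)", filename or "")
    return bool(m) and m.group(2).lower() in ATTACH_EXTS


def score_message(msg):
    """Return (score, reasons); subject, body and attachment count one each."""
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUBJECTS:
        reasons.append(f"subject matches: {subject!r}")
    body_text, attachments = "", []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            body_text += part.get_payload(decode=True).decode("utf-8", "replace")
    body = " ".join(body_text.split()).lower()
    if body in BODIES:
        reasons.append("body matches a listed text")
    for filename in attachments:
        if attachment_matches(filename):
            reasons.append(f"attachment matches pattern: {filename}")
    return len(reasons), reasons


def verdict(raw_message):
    """'quarantine' when two or more indicators coincide, else 'deliver'."""
    score, reasons = score_message(message_from_string(raw_message))
    return ("quarantine" if score >= 2 else "deliver"), reasons


if __name__ == "__main__":
    for sample in (SAMPLE_WORM_MAIL, SAMPLE_CLEAN_MAIL):
        print(verdict(sample))
```

The threshold of two is a design choice for this example: the listed subjects and bodies also occur in genuine bounce messages, and executable attachments alone are usually blocked by a separate policy, so the combination is what identifies this family's mail.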



 Mailing Search addresses:
It searches the following files for email addresses:
   • .wab
   • .adb
   • .tbb
   • .dbx
   • .asp
   • .php
   • .sht
   • .htm
   • .txt
   • %HOME%\Local Settings\Temporary Internet Files


Address generation for the TO and FROM fields:
The following strings are used to generate addresses:
   • sandra; linda; julie; jimmy; jerry; helen; debby; claudia; brenda;
      anna; alice; brent; adam; ted; fred; jack; bill; stan; smith; steve;
      matt; dave; dan; joe; jane; bob; robert; peter; tom; ray; mary; serg;
      brian; jim; maria; leo; jose; andrew; sam; george; david; kevin; mike;
      james; michael; alex; john

They are combined with domain names taken from the harvested addresses or with one of the domains below.

One of the following domain names:
   • microsoft.com
   • msn.com
   • ayna.com
   • maktoob.com
   • usa.net
   • usa.com
   • yahoo.com
   • hotmail.com


Avoided addresses:
It does not send emails to addresses that contain one of the following strings:
   • .edu; abuse; www; fcnz; spm; accoun; certific; listserv; ntivi;
      support; icrosoft; admin; page; the.bat; gold-certs; feste; submit;
      not; help; service; privacy; somebody; soft; contact; site; rating;
      bugs; you; your; someone; anyone; nothing; nobody; noone; webmaster;
      postmaster; samples; info; root; mozilla; utgers.ed; tanford.e; pgp;
      acketst; secur; isc.o; isi.e; ripe.; arin.; sendmail; rfc-ed; ietf;
      iana; usenet; fido; linux; kernel; google; ibm.com; fsf.; gnu; mit.e;
      bsd; math; unix; berkeley; foo.; .mil; gov.; .gov; ruslis; nodomai;
      mydomai; example; inpris; borlan; sopho; panda; hotmail; msn.;
      icrosof; syma; avp


Mail server resolution:
To obtain the IP address of the recipient's mail server, the worm prefixes the domain name with the following strings:
   • gate.
   • ns.
   • relay.
   • mail1.
   • mxs.
   • mx1.
   • smtp.
   • mail.
   • mx.

 P2P In order to infect other systems in the peer-to-peer network the following action is performed: it searches for the following folders:
   • %PROGRAM FILES%\eDonkey2000\incoming
   • %PROGRAM FILES%\LimeWire\Shared

   To find the shared folders it queries the following registry values:
   • HKCU\Software\KAZAA\LocalContent\Dir0
   • HKCU\Software\Kazaa\Transfer\DlDir0
   • HKLM\SOFTWARE\iMesh\Client\DownloadsLocation
   • HKLM\SOFTWARE\Morpheus\Install_Dir
   • HKCU\SOFTWARE\WarezP2P\wp

   If successful, the following files are created:
   • nice_big_asshole_fuck_Jennifer_Lopez.bat;
      Madonna_the_most_sexiest_girl_in_the_world.bat;
      Britney_Spears_sucks_someones_dick.bat;
      Mariah_Carey_showering_in_bathroom.bat; Alcohol_120%%_patch.bat;
      Outlook_hotmail+_fix.bat; LimeWire_speed++.bat;
      DarkAngel_Lady_get_fucked_so_hardly.bat;
      Angilina_Jolie_Sucks_a_Dick.bat; JenniferLopez_Film_Sexy_Enough.bat;
      BritneySpears_SoSexy.bat; DAP7.4.x.x_crack.bat;
      NortonAV2006_Crack.bat; YahooMessenger_Loader.bat;
      MSN7.0UniversalPatch.bat; MSN7.0Loader.bat; KAV2006_Crack.bat;
      ZoneAlarmPro6.xx_Crack.bat; TaskCatcher.bat; Opera8.bat;
      notepad++.bat; lcc-win32_update.bat; RealPlayerv10.xx_crack.bat;
      nuke2006.bat; office_crack.bat; rootkitXP.bat; dcom_patch.bat;
      strip-girl-3.0.bat; activation_crack.bat; icq2006-final.bat;
      winamp6.bat; nice_big_asshole_fuck_Jennifer_Lopez.com;
      Madonna_the_most_sexiest_girl_in_the_world.com;
      Britney_Spears_sucks_someones_dick.com;
      Mariah_Carey_showering_in_bathroom.com; Alcohol_120%%_patch.com;
      Outlook_hotmail+_fix.com; LimeWire_speed++.com;
      DarkAngel_Lady_get_fucked_so_hardly.com;
      Angilina_Jolie_Sucks_a_Dick.com; JenniferLopez_Film_Sexy_Enough.com;
      BritneySpears_SoSexy.com; DAP7.4.x.x_crack.com;
      NortonAV2006_Crack.com; YahooMessenger_Loader.com;
      MSN7.0UniversalPatch.com; MSN7.0Loader.com; KAV2006_Crack.com;
      ZoneAlarmPro6.xx_Crack.com; TaskCatcher.com; Opera8.com;
      notepad++.com; lcc-win32_update.com; RealPlayerv10.xx_crack.com;
      nuke2006.com; office_crack.com; rootkitXP.com; dcom_patch.com;
      strip-girl-3.0.com; activation_crack.com; icq2006-final.com;
      winamp6.com; nice_big_asshole_fuck_Jennifer_Lopez.exe;
      Madonna_the_most_sexiest_girl_in_the_world.exe;
      Britney_Spears_sucks_someones_dick.exe;
      Mariah_Carey_showering_in_bathroom.exe; Alcohol_120%%_patch.exe;
      Outlook_hotmail+_fix.exe; LimeWire_speed++.exe;
      DarkAngel_Lady_get_fucked_so_hardly.exe;
      Angilina_Jolie_Sucks_a_Dick.exe; JenniferLopez_Film_Sexy_Enough.exe;
      BritneySpears_SoSexy.exe; DAP7.4.x.x_crack.exe;
      NortonAV2006_Crack.exe; YahooMessenger_Loader.exe;
      MSN7.0UniversalPatch.exe; MSN7.0Loader.exe; KAV2006_Crack.exe;
      ZoneAlarmPro6.xx_Crack.exe; TaskCatcher.exe; Opera8.exe;
      notepad++.exe; lcc-win32_update.exe; RealPlayerv10.xx_crack.exe;
      nuke2006.exe; office_crack.exe; rootkitXP.exe; dcom_patch.exe;
      strip-girl-3.0.exe; activation_crack.exe; icq2006-final.exe;
      winamp6.exe; nice_big_asshole_fuck_Jennifer_Lopez.pif;
      Madonna_the_most_sexiest_girl_in_the_world.pif;
      Britney_Spears_sucks_someones_dick.pif;
      Mariah_Carey_showering_in_bathroom.pif; Alcohol_120%%_patch.pif;
      Outlook_hotmail+_fix.pif; LimeWire_speed++.pif;
      DarkAngel_Lady_get_fucked_so_hardly.pif;
      Angilina_Jolie_Sucks_a_Dick.pif; JenniferLopez_Film_Sexy_Enough.pif;
      BritneySpears_SoSexy.pif; DAP7.4.x.x_crack.pif;
      NortonAV2006_Crack.pif; YahooMessenger_Loader.pif;
      MSN7.0UniversalPatch.pif; MSN7.0Loader.pif; KAV2006_Crack.pif;
      ZoneAlarmPro6.xx_Crack.pif; TaskCatcher.pif; Opera8.pif;
      notepad++.pif; lcc-win32_update.pif; RealPlayerv10.xx_crack.pif;
      nuke2006.pif; office_crack.pif; rootkitXP.pif; dcom_patch.pif;
      strip-girl-3.0.pif; activation_crack.pif; icq2006-final.pif;
      winamp6.pif; nice_big_asshole_fuck_Jennifer_Lopez.scr;
      Madonna_the_most_sexiest_girl_in_the_world.scr;
      Britney_Spears_sucks_someones_dick.scr;
      Mariah_Carey_showering_in_bathroom.scr; Alcohol_120%%_patch.scr;
      Outlook_hotmail+_fix.scr; LimeWire_speed++.scr;
      DarkAngel_Lady_get_fucked_so_hardly.scr;
      Angilina_Jolie_Sucks_a_Dick.scr; JenniferLopez_Film_Sexy_Enough.scr;
      BritneySpears_SoSexy.scr; DAP7.4.x.x_crack.scr;
      NortonAV2006_Crack.scr; YahooMessenger_Loader.scr;
      MSN7.0UniversalPatch.scr; MSN7.0Loader.scr; KAV2006_Crack.scr;
      ZoneAlarmPro6.xx_Crack.scr; TaskCatcher.scr; Opera8.scr;
      notepad++.scr; lcc-win32_update.scr; RealPlayerv10.xx_crack.scr;
      nuke2006.scr; office_crack.scr; rootkitXP.scr; dcom_patch.scr;
      strip-girl-3.0.scr; activation_crack.scr; icq2006-final.scr;
      winamp6.scr

   These files are copies of the malware itself.

 Network infection In order to ensure its further propagation the malware attempts to connect to other computers. The method described below is used.

The worm connects to the remote machine through the following share:
   • ipc$


In order to gain access to the remote machine it uses the following login information:

A list of usernames and passwords:
   • User; Db2; Oracle; Dba; Database; Default; Guest; Wwwadmin; Teacher;
      Student; Computer; Root; Staff; Owner; Admin; Admins; Administrat;
      Administrateur; Administrador; Administrator; dba; wwwadmin; owner;
      computer; ownerstaff; staff; teacher; student; intranet; lan; main;
      winpass; blank; office; control; nokia; siemens; compaq; dell; cisco;
      ibm; oracle; orainstall; sqlpassoainstall; sql; db1234; db2; db1;
      databasepassword; data; databasepass; dbpassword; dbpass; access;
      database; domainpassword; domainpass; domain; hello; hell; god; sex;
      slut; bitch; fuck; exchange; backup; technical; loginpass; login;
      mary; katie; kate; george; eric; chris; ian; neil; lee; brian; susan;
      sue; sam; luke; peter; john; mike; bill; fred; joe; jen; bob; qwe;
      zxc; asd; qaz; win2000; winnt; winxp; win2k; win98; windows;
      oeminstall; oemuser; oem; user; homeuser; home; accounting; accounts;
      internet; www; web; outlook; mail; qwerty; null; root; server; system;
      default; changeme; linux; unix; demo; none; guest; test; 2004; 2003;
      2002; 2001; 2000; 12345678910; 1234567890; 123456789; 12345678;
      1234567; 123456; 12345; 1234; 123; 10007; 000; pwd; pass; pass1234;
      passwd; password; password1; adm; admin; admins; administrat;
      administrateur; administrador; administrator



Exploits:
It makes use of the following exploits and vulnerabilities:
– MS01-059 (Unchecked Buffer in Universal Plug and Play)
– MS02-018 (Patch for IIS)
– MS02-061 (Elevation of privilege in SQL Server Web)
– MS03-007 (Unchecked buffer in a Windows component)
– MS03-026 (Buffer overrun in the RPC Interface)
– MS03-049 (Buffer overrun in the Workstation Service)
– MS04-007 (ASN.1 vulnerability)
– MS04-011 (LSASS vulnerability)
– MS05-039 (Plug and Play vulnerability)
– Backdoor left behind by Bagle (port 2745)
– Backdoor left behind by Kuang (port 17300)
– Backdoor left behind by Mydoom (port 3127)
– Backdoor left behind by NetDevil (port 903)
– Backdoor left behind by Optix (port 3140)
– Backdoor left behind by SubSeven (port 27347)
– DameWare remote control vulnerability (port 6129)


Infection process:
A TFTP or FTP script is created on the compromised machine. The remote machine uses this script to download the malware.

 IRC To deliver system information and to provide remote control, the worm connects to the following IRC server:

Server: soliderx.no-ip.**********
Channel: #Virgin#


 The malware is able to carry out the following actions remotely:
     • Perform a DDoS UDP flood
    • Launch a file
    • Download a file
    • Join an IRC channel
    • Leave an IRC channel
     • Start the spreading routine
     • Stop the spreading routine

 Process termination List of processes that are terminated:
   • AVPCC.EXE; AVKSERV.EXE; ECENGINE.EXE; FP-WIN.EXE; VETTRAY.EXE;
      ACKWIN32.EXE; AVNT.EXE; ESAFE.EXE; FPROT.EXE; F-PROT95.EXE;
      IOMON98.EXE; AVWIN95.EXE; AVE32.EXE; ANTI-TROJAN.EXE; _AVPCC.EXE;
      APVXDWIN.EXE; CLAW95CF.EXE; _FINDVIRU.EXE; FINDVIRU.EXE; NAVNT.EXE;
      VET95.EXE; SCAN32.EXE; RAV7.EXE; NAVAPW32.EXE; VSMAIN.EXE;
      GUARDDOG.EXE; RULAUNCH.EXE; ALOGSERV.EXE; OGRC.EXE; NAVAPSVC.EXE;
      NSPLUGIN.EXE; NOD32.EXE; _AVPM.EXE; AMON.EXE; NAVWNT.EXE; NAVW32.EXE;
      SPIDER.EXE; AVPM.EXE; ATGUARD.EXE; KAVPF.EXE; BLACKICE.EXE;
      LOOKOUT.EXE; CMGRDIAN.EXE; IAMAPP.EXE; OUTPOST.EXE;
      OUTPOSTINSTALL.EXE; ZONEALARM.EXE; ZONALM2601.EXE; ZATUTOR.EXE;
      ZAPSETUP3001.EXE; ZAPRO.EXE; OUTPOSTPROINSTALL.EXE; ZONALARM.EXE


 Backdoor The following ports are opened:

win24.exe/sysmon.exe on TCP port 2001 in order to provide an HTTP server.
win24.exe/sysmon.exe on TCP port 16248 in order to provide an FTP server.

 Miscellaneous:


One of the following mutexes is created:
   • MicroSystemFlooderIRCd7
   • MicroSystemFlooder7

 Programming language:
The program was written in MS Visual C++.


Concealment:
To hide its presence on the infected system the worm performs the following on it:

Description inserted by Andrei Gherman on Tuesday, 25 April 2006
Description updated by Andrei Gherman on Tuesday, 25 April 2006