Virus:Worm/Womble.D
Date discovered:12/09/2006
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Medium to high
Damage Potential:Medium
Static file:Yes
File size:83,456 Bytes
MD5 checksum:a7eed18c21897e50bbe167b8f438b9af
VDF version:6.35.01.212
IVDF version:6.35.01.216 - Tuesday, September 12, 2006

General methods of propagation:
   • Email
   • Local network


Aliases:
   •  Symantec: W32.Womble.A@mm
   •  Mcafee: W32/Womble@MM
   •  Kaspersky: Email-Worm.Win32.Womble.d
   •  F-Secure: Email-Worm.Win32.Womble.d


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Uses its own Email engine
   • Registry modification

Files
It copies itself to the following location:
   • %SYSDIR%\%random words%.exe



It creates the following directories:
   • %HOME%\Local Settings\Application Data\Microsoft\WinTools\dvd_info
   • %HOME%\Local Settings\Application Data\Microsoft\WinTools\free
   • %HOME%\Local Settings\Application Data\Microsoft\WinTools\h_core
   • %HOME%\Local Settings\Application Data\Microsoft\WinTools\l_this
   • %HOME%\Local Settings\Application Data\Microsoft\WinTools\lunch
   • %HOME%\Local Settings\Application Data\Microsoft\WinTools\my_staff
   • %HOME%\Local Settings\Application Data\Microsoft\WinTools\new_mp3
   • %HOME%\Local Settings\Application Data\Microsoft\WinTools\new_video
   • %HOME%\Local Settings\Application Data\Microsoft\WinTools\photo
   • %HOME%\Local Settings\Application Data\Microsoft\WinTools\sh_docs
   • %HOME%\Local Settings\Application Data\Microsoft\WinTools\take_it
   • %HOME%\Local Settings\Application Data\Microsoft\WinTools\video
   • %HOME%\Local Settings\Application Data\Microsoft\WinTools\xxx



It drops copies of itself using a filename built from lists. The name starts with one of the following:
   • bush
   • Me
   • My passwords
   • MyWife
   • Seduction secrets
   • MySexMovie
   • MySexPicture
   • WallPaper
   • anna
   • Windows serial number
   • GoogleHack
   • OurNewCar
   • OurNewHouse

Continued by one of the following decoy extensions:
   • .doc
   • .jpg
   • .txt

Continued by one of the following executable extensions (so a dropped copy reads, for example, "My passwords.doc.exe"):
   • .exe
   • .pif

Copies named this way are written to each of the following locations:
– %HOME%\Local Settings\Application Data\Microsoft\WinTools\dvd_info
– %HOME%\Local Settings\Application Data\Microsoft\WinTools\free
– %HOME%\Local Settings\Application Data\Microsoft\WinTools\h_core
– %HOME%\Local Settings\Application Data\Microsoft\WinTools\l_this
– %HOME%\Local Settings\Application Data\Microsoft\WinTools\lunch
– %HOME%\Local Settings\Application Data\Microsoft\WinTools\my_staff
– %HOME%\Local Settings\Application Data\Microsoft\WinTools\new_mp3
– %HOME%\Local Settings\Application Data\Microsoft\WinTools\new_video
– %HOME%\Local Settings\Application Data\Microsoft\WinTools\photo
– %HOME%\Local Settings\Application Data\Microsoft\WinTools\sh_docs
– %HOME%\Local Settings\Application Data\Microsoft\WinTools\take_it
– %HOME%\Local Settings\Application Data\Microsoft\WinTools\video
– %HOME%\Local Settings\Application Data\Microsoft\WinTools\xxx
– %network shares%

– To: c:\system32\ Using one of the following names:
   • winupdate.exe
   • netupdate.exe
   • winlog.exe
   • winlogin.exe




It tries to download some files:

– The locations are the following:
   • support.365soft.info/current/**********
   • support.365soft.info/current/**********
   • support.365soft.info/current/**********
These files may contain further download locations and might serve as sources for new threats.

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • windows_startup=%SYSDIR%\%random words%.exe



The following registry keys are added:

– [HKLM\SOFTWARE\WinUpdate]
   • "Version"=dword:00000004

– [HKLM\SOFTWARE\WinUpload]
   • "bot1.exe"=dword:00000002
   • "bot2.exe"=dword:00000002
   • "l.exe"=dword:00000002
   • "t169.exe"=dword:00000002

– [HKCU\Software\Microsoft\WAB\WAB4]
   • "FirstRun"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion]
   • "wmf.1.1"=dword:01c6db12
   • "wmf.1.2"=dword:e8fc9740
   Read as the high and low halves of one 64-bit value (0x01C6DB12E8FC9740), these two DWORDs decode as a Windows FILETIME of 2006-09-18 11:09:29 UTC, which matches the date this description was updated; the pair most likely records when the sample was run. The same "wmf" prefix appears in the mutex name below.



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   • "Userinit"="%SYSDIR%\userinit.exe"
   New value:
   • "Shell"="Explorer.exe%empty spaces% %SYSDIR%\%random words%.exe"
   • "Userinit"="%SYSDIR%\userinit.exe%empty spaces% ,%SYSDIR%\%random words%.exe"

Winlogon reads both values at every interactive logon, so the appended path gives the worm a second start mechanism that is independent of the Run key. The long run of spaces pushes the appended path beyond the visible width of the Data column in regedit, so a quick look at either value shows only the legitimate program. When cleaning, restore the original values rather than deleting them: an empty Userinit value prevents interactive logon.
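The persistence artifacts above can be checked offline from a registry export. The script below is an added example, not code from the original description or from any vendor: it parses a constructed .reg-style export, reports the Run value, checks the Winlogon Shell and Userinit values for anything appended behind whitespace padding (collapsing the padding first, so the hidden path is still reported), and decodes the two wmf.1.x DWORDs as a Windows FILETIME. Key and value names come from the description; the padded data, the system directory and the "kjhsd qwe.exe" filename are constructed stand-ins for %SYSDIR%\%random words%.exe.

```python
"""Registry triage for the Womble.D persistence artifacts (added example)."""
import re
from datetime import datetime, timedelta, timezone

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKCU_CV_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"

# Constructed export. The spaces before the appended path mimic "%empty spaces%";
# "kjhsd qwe.exe" stands in for %random words%.exe.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows_startup"="C:\\WINDOWS\\system32\\kjhsd qwe.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe                                                            C:\\WINDOWS\\system32\\kjhsd qwe.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe                                       ,C:\\WINDOWS\\system32\\kjhsd qwe.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"wmf.1.1"=dword:01c6db12
"wmf.1.2"=dword:e8fc9740
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
_STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Minimal .reg reader: {key: {name: value}}; strings unescaped, dwords as ints."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            reg.setdefault(key, {})
            continue
        m = _DWORD_RE.match(line)
        if m and key:
            reg[key][m.group(1)] = int(m.group(2), 16)
            continue
        m = _STR_RE.match(line)
        if m and key:
            reg[key][m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return reg


def winlogon_extras(values, sysdir=r"C:\WINDOWS\system32"):
    """Return {value_name: appended_text} for Shell/Userinit entries carrying
    anything beyond the stock program. Whitespace runs are collapsed first so
    a path hidden behind padding is still reported."""
    expected = {"Shell": "explorer.exe",
                "Userinit": (sysdir + r"\userinit.exe").lower()}
    extras = {}
    for name, stock in expected.items():
        data = values.get(name)
        if data is None:
            continue
        collapsed = re.sub(r"\s+", " ", data).strip()
        if not collapsed.lower().startswith(stock):
            extras[name] = collapsed          # stock program replaced outright
            continue
        rest = collapsed[len(stock):].strip(" ,")
        if rest:
            extras[name] = rest               # appended program (padding removed)
    return extras


def filetime_to_datetime(high, low):
    """Combine two registry DWORDs (high, low) into a FILETIME and convert it."""
    ft = (high << 32) | low                   # 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def triage(reg_text):
    """List of (category, name, detail) findings for the keys named on this page."""
    reg = parse_reg(reg_text)
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if name == "windows_startup":
            findings.append(("run_key", name, data))
    for name, extra in winlogon_extras(reg.get(WINLOGON_KEY, {})).items():
        findings.append(("winlogon", name, extra))
    cv = reg.get(HKCU_CV_KEY, {})
    if "wmf.1.1" in cv and "wmf.1.2" in cv:
        stamp = filetime_to_datetime(cv["wmf.1.1"], cv["wmf.1.2"])
        findings.append(("timestamp", "wmf.1.x", stamp.isoformat(timespec="seconds")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(*finding)
```

On a live host the same checks apply to the output of `reg export` for the three keys; the comparison against the stock values is what matters, since the appended filename is random and cannot be matched by name.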

Email
It contains an integrated SMTP engine in order to send emails. It establishes a direct connection to the destination mail server rather than relaying through the user's configured outgoing server. The characteristics are described in the following:


From:
The sender address is the user's Outlook account.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)


Subject:
One of the following:
   • !!; Action Bush; FIFA; Helo; Hi; important; Incredible!!; info; Kiss;
      Laura; Laura and John; Lola; Look at this!!!; Miss Khan; Nataly; Ola;
      Olympus; Paula; pic; pics; private; private pics; Re:; Re: hi;
      Re:info; RE: pic; read this; Robert; Sex



Body:
The body of the email is the following:

   • Hi !!!
     
     %random character string%
     
     %random character string%
     --
     
     Best Regards


Attachment:
The filenames of the attachments are constructed out of the following:

–  It starts with one of the following:
   • bush
   • Me
   • My passwords
   • MyWife
   • Seduction secrets
   • MySexMovie
   • MySexPicture
   • WallPaper
   • anna
   • Windows serial number
   • GoogleHack
   • OurNewCar
   • OurNewHouse

Continued by one of the following:
   • .jpg
   • .doc
   • .txt

Sometimes continued by one of the following:
   • .pif
   • .exe
   • .zip
   • .pif.zip
   • .exe.zip

The attachment is a copy of the malware itself.
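The attachment names follow the same base-name plus decoy-extension scheme as the dropped copies in the Files section above. The script below is an added example, not code from the original description or from any vendor: it enumerates the filenames the worm can produce for dropped copies and for mail attachments from the three lists on this page, classifies a filename the way a mail gateway or share-scanning job could, and shows the case a name-only check misses (a bare "anna.doc" that is really a PE). EXECUTABLE_EXTS, ARCHIVE_EXTS and DOCUMENT_EXTS extend the page's lists with assumed common equivalents; the sample bytes are constructed.

```python
"""Lure-filename model and attachment check for Womble.D (added example)."""
import itertools

BASE_NAMES = ["bush", "Me", "My passwords", "MyWife", "Seduction secrets",
              "MySexMovie", "MySexPicture", "WallPaper", "anna",
              "Windows serial number", "GoogleHack", "OurNewCar", "OurNewHouse"]
DECOY_EXTS = [".jpg", ".doc", ".txt"]                         # first extension
DROP_EXTS = [".exe", ".pif"]                                  # dropped copies
MAIL_EXTS = [".pif", ".exe", ".zip", ".pif.zip", ".exe.zip"]  # attachments, optional

# Classifier vocabulary. The page lists only .exe/.pif and .zip; the rest are assumed.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
ARCHIVE_EXTS = {".zip", ".rar"}
DOCUMENT_EXTS = {".jpg", ".doc", ".txt", ".jpeg", ".gif", ".pdf"}


def lure_filenames(mail=False):
    """All names the scheme yields: base + decoy ext [+ trailing ext(s)].
    Dropped copies always end in .exe/.pif; attachments only sometimes do,
    so for mail=True the bare decoy name (e.g. "anna.doc") is included."""
    trailing = MAIL_EXTS + [""] if mail else DROP_EXTS
    return {b + d + t for b, d, t in itertools.product(BASE_NAMES, DECOY_EXTS, trailing)}


def split_exts(name):
    """'My passwords.doc.exe' -> ['.doc', '.exe'] (every extension, lowercased)."""
    parts = name.strip().lower().split(".")
    return ["." + p for p in parts[1:] if p]


def classify_attachment(name):
    """'executable', 'archived-executable', 'double-extension' or 'ok'."""
    exts = split_exts(name)
    if not exts:
        return "ok"
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        return "executable"                   # My passwords.doc.exe
    if last in ARCHIVE_EXTS and len(exts) >= 2 and exts[-2] in EXECUTABLE_EXTS:
        return "archived-executable"          # MyWife.jpg.exe.zip
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        return "double-extension"             # anna.doc.zip
    return "ok"


def masquerading_pe(name, data):
    """Name says document, content says PE: the bare-decoy attachment case
    that no filename rule catches. Only the MZ magic is checked here."""
    exts = split_exts(name)
    return bool(exts) and exts[-1] in DOCUMENT_EXTS and data[:2] == b"MZ"


if __name__ == "__main__":
    for n in sorted(lure_filenames(mail=True))[:6]:
        print(n, "->", classify_attachment(n))
    print("anna.doc with MZ header ->", masquerading_pe("anna.doc", b"MZ\x90\x00" + b"\x00" * 60))
```

Every dropped copy ends in .exe or .pif and is caught by the first rule; for mail, the attachments without a trailing executable extension pass a name-only filter, which is why the content check in masquerading_pe (or a full PE parse at the gateway) is needed alongside it.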



The email may look like one of the following:
   (the example screenshots that accompanied the original description are not reproduced here)

Network infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.


Exploit:
It makes use of the following exploits against other machines on the network:
– MS04-011 (LSASS vulnerability, CVE-2003-0533; patched April 2004)
– MS05-039 (vulnerability in Plug and Play, CVE-2005-1983; patched August 2005)
Both were fixed by Microsoft well before this worm appeared, so a host reached by this propagation path was missing patches more than a year old.

Backdoor
Contact server:
All of the following:
   • support.365soft.info/current/**********
   • support.365soft.info/current/**********
   • support.software602.com/current/**********
   • support.software602.com/current/**********
   • anyproxy.net/current/**********
   • anyproxy.net/current/**********
   • support.enviroweb.org/current/**********
   • support.enviroweb.org/current/**********
   • support.nikontech.com/current/**********
   • support.nikontech.com/current/**********
   • mymail.100hotmail.com/current/**********
   • mymail.100hotmail.com/current/**********
   • server1.mymail.ph/current/**********
   • server1.mymail.ph/current/**********
   • mymail.bokee.com/current/**********
   • mymail.bokee.com/current/**********
   • mail.96520.org/current/**********
   • mail.96520.org/current/**********
   • 211.184.55.7/current/**********
   • 211.184.55.7/current/**********
   • update.snowsoft.co.kr/current/**********
   • update.snowsoft.co.kr/current/**********
   • update.wwwmail.org/current/**********
   • update.wwwmail.org/current/**********
   • update.mediaroz.com/current/**********
   • update.mediaroz.com/current/**********
   • update.co.tv/current/**********
   • update.co.tv/current/**********
   • www.3btasarim.com/current/**********
   • www.3btasarim.com/current/**********
   • baishui.info/current/**********
   • baishui.info/current/**********
   • jiji.2tw.info/current/**********
   • jiji.2tw.info/current/**********

It may then send information to these servers via an HTTP GET request to a PHP script.


Sends information about:
    • Current malware status
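The contact-server list and the "HTTP GET to a PHP script" shape above are the network indicators a SOC would hunt for in proxy logs, together with the www.sun.com connectivity check from the Miscellaneous section. The script below is an added example, not code from the original description or from any vendor: it parses constructed proxy-log lines, flags requests to the listed hosts, applies a structural match for GET requests to a PHP script under /current/, and ranks a client higher when the connectivity check and a contact-server hit come from the same machine. The .php suffix is an assumption (the script names are masked on this page); the log format and the script names in SAMPLE_LOG are constructed.

```python
"""Proxy-log hunt for the Womble.D contact servers (added example)."""
from urllib.parse import urlsplit

C2_HOSTS = {
    "support.365soft.info", "support.software602.com", "anyproxy.net",
    "support.enviroweb.org", "support.nikontech.com", "mymail.100hotmail.com",
    "server1.mymail.ph", "mymail.bokee.com", "mail.96520.org", "211.184.55.7",
    "update.snowsoft.co.kr", "update.wwwmail.org", "update.mediaroz.com",
    "update.co.tv", "www.3btasarim.com", "baishui.info", "jiji.2tw.info",
}
CONNECTIVITY_CHECK = ("www.sun.com", "/index.html")   # harmless alone

# Constructed log, one request per line: "<epoch> <client> <method> <url> <status>".
# The script names (example.php, news.php) are placeholders, not the real ones.
SAMPLE_LOG = """\
1158577769 10.0.0.12 GET http://www.sun.com/index.html 200
1158577771 10.0.0.12 GET http://support.365soft.info/current/example.php?id=1 200
1158577790 10.0.0.12 GET http://anyproxy.net:80/current/example.php 404
1158577800 10.0.0.33 GET http://www.example.com/current/news.php 200
1158577801 10.0.0.33 POST http://update.co.tv/current/example.php 200
1158577802 10.0.0.40 GET http://intranet.example/index.html 200
"""


def parse_line(line):
    """Split one log line; the port is dropped from the host so IOC matching is exact."""
    epoch, client, method, url, status = line.split()
    u = urlsplit(url)
    return {"time": int(epoch), "client": client, "method": method.upper(),
            "host": (u.hostname or "").lower(), "path": u.path, "status": int(status)}


def classify(req):
    """Verdict for one request, or None. A listed host wins over the path heuristic."""
    if req["host"] in C2_HOSTS:
        return "known-c2-host"
    if (req["method"] == "GET" and req["path"].startswith("/current/")
            and req["path"].endswith(".php")):
        return "c2-path-pattern"            # unlisted host, same shape: worth a look
    if (req["host"], req["path"]) == CONNECTIVITY_CHECK:
        return "connectivity-check"         # telling only in sequence with a C2 hit
    return None


def hunt(log_text):
    """Return (client, host, verdict) for every flagged request, in log order."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            req = parse_line(line)
            verdict = classify(req)
            if verdict:
                hits.append((req["client"], req["host"], verdict))
    return hits


def rank_clients(hits):
    """'high' if a client ran the connectivity check and reached a listed host,
    'medium' for a listed host alone, 'low' for the path pattern only."""
    by_client = {}
    for client, _, verdict in hits:
        by_client.setdefault(client, set()).add(verdict)
    ranked = {}
    for client, verdicts in by_client.items():
        if "known-c2-host" in verdicts:
            ranked[client] = "high" if "connectivity-check" in verdicts else "medium"
        elif "c2-path-pattern" in verdicts:
            ranked[client] = "low"
    return ranked


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
    print(rank_clients(hunt(SAMPLE_LOG)))
```

The hostnames on the list were legitimate-looking domains at the time and may have changed hands since, so treat the host match as a historical indicator and the request shape plus the connectivity-check sequence as the behavioural signal.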

Stealing
It tries to steal the following information:
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

Miscellaneous
Internet connection:
In order to check for its internet connection the following DNS servers are contacted:
   • *.GTLD-SERVERS.net
   • *.lan.tjhsst.edu


Checks for an internet connection by contacting the following web site:
   • www.sun.com/index.html


Mutex:
It creates the following Mutex:
   • wmf.mtx.4

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hamper detection and reduce the size of the file it is packed with a runtime packer. String-based signatures therefore only match the unpacked image in memory, not the file on disk.

Description written by Adriana Popa on Friday, September 15, 2006
Description updated by Adriana Popa on Monday, September 18, 2006
