W32.Spybot.RBY

Type: worm
Size: 65,536 bytes
Origin: Internet
Destructive: yes
In the wild: yes
Detection and removal: The Hacker 5.8 as of 28/06/2005

Description:

W32/Spybot.RBY is a memory-resident worm. It spreads through shared network resources and gives an intruder unauthorized remote access to the infected computer via IRC.

The worm also exploits the following vulnerabilities:

- LSASS Buffer Overrun vulnerability, described in Microsoft Security Bulletin MS04-011.
- DCOM RPC vulnerability, described in Microsoft Security Bulletin MS03-026.
- "Buffer Overrun in the Workstation Service Could Allow Code Execution" vulnerability, described in Microsoft Security Bulletin MS03-049.

When the worm runs, it copies itself to:

system\wmiapi.exe

Note:
- system represents the system folder inside Windows (e.g. c:\windows\system, c:\winnt\system32).

It also modifies registry entries so that it runs again at the next system restart:

hkey_local_machine\software\microsoft\windows\currentversion\run
  wmi application interface=system\wmiapi.exe
hkey_local_machine\software\microsoft\windows\currentversion\runservices
  wmi application interface=system\wmiapi.exe
hkey_current_user\software\microsoft\ole
  wmi application interface=system\wmiapi.exe

It also modifies the following registry entries (values are given as the worm writes them; several of them disable Security Center, Windows Update, the firewall/ICS service, DCOM and administrative shares, or change TCP/IP stack parameters):

hkey_current_user\software\microsoft\windows\currentversion\internet settings
  maxconnectionsper1_0server=50
  enableremoteconnect=n
hkey_local_machine\system\controlset001\services\wscsvc
  start=4
hkey_local_machine\system\currentcontrolset\services\wuauserv
  start=4
hkey_local_machine\system\currentcontrolset\control\securityproviders\schannel\protocols\pct1.0\server
  enabled=0
hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters
  autoshareserver=0
  autosharewks=0
  transportbindname=
hkey_local_machine\system\currentcontrolset\services\tcpip\parameters
  allowunqualifiedquery=0
  allowuserrawaccess=0
  bcastnamequerycount=1
  bcastquerytimeout=2ee
  buffermultiplier=200
  cachetimeout=ea60
  deadgwdetectdefault=1
  defaultreceivewindow=4000
  defaultregistrationttl=14
  defaultsendwindow=4000
  defaultttl=30
  disableaddresssharing=0
  disablerawsecurity=0
  disablereplaceaddressesinconflicts=0
  disablereverseaddressregistrations=1
  disjointnamespace=1
  dnsquerytimeouts=hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,38,00,00,00,30,00,00,00,00,00
  domain=
  dontadddefaultgatewaydefault=0
  dynamicbackloggrowthdelta=32
  enabledeadgwdetect=0
  enablefastroutelookup=1
  enableicmpredirect=0
  enablepmtubhdetect=0
  enablepmtudiscovery=1
  enablesecurityfilters=1
  fastcopyreceivethreshold=400
  fastsenddatagramthreshold=400
  ffpcontrolflags=1
  ffpfastforwardingcachesize=30d40
  forwardbroadcasts=0
  forwardbuffermemory=19df7
  globalmaxtcpwindowsize=7d200
  ignorepushbitonreceives=0
  ipenablerouter=0
  irpstacksize=4
  keepalivetime=23280
  largebufferlistdepth=a
  largebuffersize=1000
  maxactivetransmitfilecount=2
  maxfasttransmit=40
  maxforwardbuffermemory=19df7
  maxfreetcbs=7d0
  maxfreetwtcbs=7d0
  maxhashtablesize=800
  maxnormlookupmemory=30d40
  nameserver=
  nonamereleaseondemand=1
  overheadchargegranularity=1
  performrouterdiscovery=0
  prioritizerecorddata=1
  priorityboost=2
hkey_local_machine\system\currentcontrolset\control\lsa
  restrictanonymous=1
hkey_local_machine\software\microsoft\ole
  enabledcom=n
hkey_local_machine\system\currentcontrolset\services\sharedaccess
  start=4

The worm searches for computers on the local network that are protected by weak passwords and tries to connect using a list of passwords; if it succeeds, it attempts to copy itself to that remote computer.

Finally, it attempts to terminate processes belonging to security and antivirus programs.
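As an added, read-only host check (not code from the original advisory or from The Hacker antivirus), the following PowerShell script looks for the dropped file, the autostart values and the service/hardening changes listed above; it assumes an elevated prompt on the host being examined and only reports, it changes nothing.

```powershell
# Added example, not part of the original advisory: read-only sweep for the
# W32/Spybot.RBY artefacts listed above. Assumes an elevated PowerShell prompt.
$findings = @()

# 1. Dropped file in the Windows system folder (advisory: system\wmiapi.exe)
foreach ($dir in @("$env:SystemRoot\System", "$env:SystemRoot\System32")) {
    $path = Join-Path $dir 'wmiapi.exe'
    if (Test-Path -Path $path) { $findings += "Dropped file present: $path" }
}

# 2. Autostart value "wmi application interface" written under three keys
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\OLE'
)
foreach ($key in $autostartKeys) {
    $value = (Get-ItemProperty -Path $key -Name 'wmi application interface' `
              -ErrorAction SilentlyContinue).'wmi application interface'
    if ($value) { $findings += "Autostart entry: $key\wmi application interface = $value" }
}

# 3. Services the worm disables (Start=4) and settings it flips. The advisory
#    lists wscsvc under ControlSet001; CurrentControlSet normally points there.
$valueChecks = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc';       Name = 'Start';             Bad = 4 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv';     Name = 'Start';             Bad = 4 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'; Name = 'Start';             Bad = 4 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\OLE';                         Name = 'EnableDCOM';        Bad = 'N' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'; Name = 'AutoShareServer'; Bad = 0 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'; Name = 'AutoShareWks';    Bad = 0 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';           Name = 'RestrictAnonymous'; Bad = 1 }
)
foreach ($c in $valueChecks) {
    $current = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    # String comparison is case-insensitive in PowerShell, so 'n' matches 'N'
    if ($null -ne $current -and "$current" -eq "$($c.Bad)") {
        $findings += "Value matches worm setting: $($c.Key)\$($c.Name) = $current"
    }
}

if ($findings.Count -eq 0) { Write-Output 'No W32/Spybot.RBY indicators found.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

A hit on AutoShareWks=0 or RestrictAnonymous=1 alone can be legitimate administrator hardening; treat the dropped file and the "wmi application interface" autostart value as the decisive indicators and the rest as corroboration.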