Worm_Wurmark.S
Type: worm
Size: 206,336 bytes
Origin: Internet
Destructive: yes
In the wild: yes
Detection and removal: The Hacker 5.8, signatures as of 01/10/2005

W32/Wurmark.S is a mass-mailing worm. It uses its own SMTP engine to send itself to every e-mail address it finds on the infected computer, harvesting addresses from files with the following extensions:

cfg, cgi, dbx, dhtm, doc, eml, htm, jsp, mbx, mdx, mht, mmf, msg, nch, ods, oft, php, ppt, rtf, sht, shtm, stm, tbb, txt, uin, vbs, wab, wsh, xls, xml

The worm does not send messages to addresses that contain any of the following strings (so that samples are less likely to reach antivirus vendors and abuse desks):

@antivir
@f-pro
@freeav
@f-secur
@kaspersky
@mcafee
@messagel
@microsof
@norman
@norton
@pandasof
@skynet
@sophos
@spam
@symatec
@viruslist
abuse@
noreply@
ntivir
reports@
spam@

Characteristics of the e-mail message:

Subject: [variable; one of the following]

administration
approved
bad request
corrected
delivery protection
delivery server
encripted mail
error
extended mail
extended mail system
failure
hello
important
improved mail authentification
mail server
notify
patched
protected mail delivery
protected mail request
protected mail system
read it immediately
secure delivery
secure smtp message
smtp server
status
thank you for delivery
thanks!

Body: [variable; any of the following]

authentication required.
bad gateway: the message has been attached.
delivered message is attached.
encrypted message is available.
esmtp [secure mail system #334]: secure message is attached.
first part of the secure mail is available.
follow the instructions t read the message.
for further details see the attachment.
for more details see the attachment.
forwarded message is available.
i have attached your document.
i have received your document.
the corrected document is attached.
new message is available.
now a new message is available.
partial message is available.
waiting for a response. please read the attachment.
please authenticate the secure message.
please confirm my request.
please confirm the document.
please read the attached file!
please read the attachment t get the message.
please read the document.
please read the important document.
please see the attached file for details.
protected mail system test.
protected message is attached.
protected message is available.
requested file.
secure mail system beta test.
see the file.
smtp: please confirm the attached message.
waiting for authentification.
you got a new message.
you have received an extended message. please read the instructions.
your details.
your document is attached t this mail.
your document is attached.
your document.
your file is attached.
your requested mail has been attached.
+++ attachment: no virus found
+++ bitdefender antivirus - www.bitdefender.com
+++ kaspersky antivirus - www.kaspersky.com
+++ mc-afee antivirus - www.mcafee.com
+++ messagelabs antivirus - www.messagelabs.com
+++ panda antivirus - www.pandasoftware.com
++++ f-secure antivirus - www.f-secure.com
++++ norman antivirus - www.norman.com
++++ norton antivirus - www.symantec.de

Attachment: [one of the following]

data.zip
details.zip
document.zip
message.zip
msg.zip
readme.zip

Note: the .zip file may contain one of the following files:

data.txt[blank spaces].exe
delails.doc[blank spaces].exe
document.txt[blank spaces].exe
readme.txt[blank spaces].exe

The run of blank spaces pushes the real .exe extension out of the visible part of the file name, so in an attachment list or file manager that truncates long names the file passes for a text or Word document.

--------------------------------

When the worm runs, it copies itself and all of its components into:

<System>\lsess.exe [the worm file]
<System>\zlib.dll [used to compress and decompress files]
<System>\ansmtp.dll [SMTP engine used to spread]

Note: <System> stands for the Windows system folder (e.g. c:\windows\system, c:\winnt\system32).
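The attachment trick described above (a harmless-looking name, a long run of blanks, then the real .exe extension, all inside a ZIP) is easy to check for at a mail gateway. The following is an added example and is not code from The Hacker's write-up: it builds a constructed ZIP in memory that mimics the worm's attachment, then inspects it for the padded double extension, for executable extensions in general (extending the check beyond the .exe the text lists is an assumption), and for a PE "MZ" header regardless of the member's name.

```python
import io
import re
import zipfile

# Outer ZIP names quoted in the write-up.
WURMARK_ZIP_NAMES = {"data.zip", "details.zip", "document.zip",
                     "message.zip", "msg.zip", "readme.zip"}
# Assumption: check the usual Windows executable types, not only the .exe the text lists.
EXEC_EXTS = ("exe", "scr", "pif", "com", "bat", "cmd")
EXEC_ALT = "|".join(EXEC_EXTS)
# "<name>.<short harmless ext><two or more blanks>.<executable ext>" at the end of the name
PADDED_RE = re.compile(r"\.(\w{1,5})(\s{2,})\.(%s)$" % EXEC_ALT, re.IGNORECASE)
EXEC_RE = re.compile(r"\.(%s)$" % EXEC_ALT, re.IGNORECASE)


def build_demo_zip(member_name, payload):
    """Constructed sample for the demo: a one-member ZIP held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def inspect_attachment(filename, data):
    """Return a list of findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    if filename.lower() in WURMARK_ZIP_NAMES:
        findings.append("outer name %r is one the worm uses" % filename)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + ["attachment is not a valid ZIP"]
    with zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            # The part a mail client would show before the run of blanks.
            shown = base.split()[0] if base.split() else base
            m = PADDED_RE.search(base)
            if m:
                findings.append("member %r: .%s hidden behind %d whitespace characters after .%s"
                                % (shown, m.group(3).lower(), len(m.group(2)), m.group(1).lower()))
            elif EXEC_RE.search(base):
                findings.append("member %r has an executable extension" % base)
            # Content check: a PE image starts with the 'MZ' DOS stub whatever it is called.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    findings.append("member %r starts with an MZ (PE) header" % shown)
    return findings


if __name__ == "__main__":
    sample = build_demo_zip("data.txt" + " " * 40 + ".exe", b"MZ\x90\x00" + b"\x00" * 60)
    for line in inspect_attachment("data.zip", sample):
        print(line)
```

The name check alone is not enough: a ZIP member called data.txt that starts with MZ is still a program, which is why the content check runs on every member independently of its name.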
It also creates the following registry entries so that it runs at every system start:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
lsess = <System>\lsess.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
lsess = <System>\lsess.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
lsess = <System>\lsess.exe

It also modifies the following entry so that it runs every time a text file is opened:

HKEY_CLASSES_ROOT\txtfile\shell\open\command
@ = <System>\lsess.exe %1

Because of this change, deleting lsess.exe without restoring the value leaves .txt files unable to open; the stock value on Windows 2000/XP is %SystemRoot%\system32\NOTEPAD.EXE %1.

The worm also spreads over P2P file-sharing networks (KaZaA, eMule, LimeWire, etc.) by copying itself into folders whose names contain any of the following strings:

compart
download
incoming
share
shared

It copies the following files into those folders:

credit card.zip
edonkey 1.1.zip
emoticons msn.zip
hotmail passwords howto.me.zip
norton antivirus.zip
overnet full.zip
windows commander.zip
windows xp activate.zip
winzip cracked.zip

Finally, the worm terminates the following processes, which belong to security and antivirus programs:
_avp32.exe _avpcc.exe _avpm.exe ackwin32.exe advxdwin alertsvc.exe alogserv amon.exe amon9x anti-trojan.exe antivir apvxdwin.exe atcon atupdater atwatch autodown.exe autotrace avconsol.exe ave32.exe avgcc32 avgctrl.exe avgserv avgserv9 avkpop avkserv avkserv.exe avkservice avkwctl9 avnt.exe avp.exe avp32.exe avpcc.exe avpdos32.exe avpm.exe avpmon.exe avpnt.exe avptc32.exe avpupd.exe avrep32.exe avsched32.exe avsynmgr.exe avwin95.exe avwinnt avwupd32.exe avxmonitor9x avxmonitornt avxquar
blackd.exe blackice.exe bullguard ccapp.exe cfgwiz cfiadmin.exe cfiaudit.exe cfind.exe cfinet.exe cfinet32.exe claw95.exe claw95cf.exe claw95ct.exe cleaner.exe cleaner3.exe clrav.com cmgrdian connectionmonitor cpdclnt defalert defscangui defwatch doors dv95.exe dv95_o.exe dvp95.exe dvp95_0.exe ecengine.exe efinet32.exe efpeadm esafe.exe espwatch.exe etrustcipe expert
f-agnt95.exe f-prot.exe f-prot95.exe f-stopw.exe fameh32 fch32 fih32 filemon.exe findviru.exe fnrb32 fp-win.exe fprot.exe fprot95.exe frw.exe fsav32 fsgk32 fsm32 fsma32 fsmb32 gbmenu gbpoll generics guard iamapp.exe iamserv.exe iamstats ibmasn.exe ibmavsp.exe icload95.exe icloadnt.exe icmon.exe icmoon.exe icssuppnt.exe icsupp95.exe icsuppnt.exe iface.exe iomon98.exe isrv95 jed.exe jedi.exe kpf.exe kpfw32.exe
ldpromenu ldscan lockdown2000.exe lockdownadvanced.exe lookout.exe luall.exe lucomserver.exe luspt mcafee mcagent mcmnhdlr mctool mcupdate mcvsrte mcvsshld mghtml minilog monitor.exe moolive.exe mpfservice mpftray.exe msconfig.exe mwatch n32scan.exe n32scanw.exe navapsvc.exe navapw32.exe naveng navex15 navlu32.exe navnt.exe navrunr.exe navsched.exe navw.exe navw32.exe navwnt.exe ndd32 neowatchlog netutils nisserv.exe nisum.exe nmain.exe normist.exe notstart.exe npscheck npssvc nsched32.exe nspclean.exe ntrtscan ntvdm ntxconfig nupgrade.exe nvc95.exe nvsvc32 nwservice nwtool16
offguard.exe outpost.exe padmin padmin.exe pav.exe pavcl.exe pavmail.exe pavproxy pavsched.exe pavw.exe pcciomon.exe pccmain.exe pccwin97 pccwin98.exe pcfwallicon.exe pcntmon pcscan per.exe perd.exe persfw.exe pertsk.exe perupd.exe pervac.exe pervacd.exe pop3trap poproxy portmonitor pqremove.com processmonitor procexp programauditor pview95 pview95.exe
rapapp.exe rav7.exe rav7win.exe realmon regedit.exe regedt32.exe regmon.exe rescue.exe rtvscn95 rulaunch safeweb.exe sbserv scan32.exe scan95.exe scanpm.exe scrscan.exe serv95.exe sfc.exe smc.exe sphinx.exe spyxx ss3edit sweep95.exe sweepnet swnetsup symproxysvc symtray taskmgr taumon tbscan.exe tca.exe tds-3 tds2-98.exe tds2-nt.exe th.exe th32.exe th32upd.exe thav.exe thd.exe thd32.exe thmail.exe
vbcmserv vbcons vcontrol.exe vet32.exe vet95.exe vet98.exe vettray.exe vpc32 vscan40.exe vsecomr.exe vshwin32.exe vsmain vsmon vsscan40.exe vsstat.exe watchdog webscan.exe webscanx.exe webtrap wfindv32.exe wgfe95 wimmun32 wradmin wrctrl zap.exe zapd.exe zapprg.exe zapro.exe zaps.exe zcap.exe zonealarm.exe

Note that regedit.exe, regedt32.exe, taskmgr, msconfig.exe, procexp, filemon.exe and regmon.exe are on the list, so the worm also kills the tools normally used to inspect and clean a machine by hand. Stop lsess.exe first (for example by booting into Safe Mode, where the Run entries are not processed) before removing the registry entries listed above and restoring the txtfile handler.
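The persistence entries and the txtfile handler change listed above can be checked offline from a registry export. This is an added example, not part of The Hacker's write-up: it parses regedit's .reg text format (string values only), flags values under the three Run/RunServicesOnce keys that launch lsess.exe, and compares the txtfile open command with its stock value (on Windows 2000/XP, %SystemRoot%\system32\NOTEPAD.EXE %1). The export embedded below is constructed for the demo and is not a capture from an infected host; on a real machine, feed the function the output of `reg export <key> <file>` for each key.

```python
import re

# Keys the write-up says the worm touches.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
)
RUN_KEYS_LC = {k.lower() for k in RUN_KEYS}
TXTFILE_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
# Stock handler on Windows 2000/XP; anything else deserves a look.
TXTFILE_DEFAULT = r"%SystemRoot%\system32\NOTEPAD.EXE %1"
WORM_IMAGE = "lsess.exe"

# Constructed sample export for the demo (the "SoundMan" value is a benign filler entry).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"lsess"="C:\\WINDOWS\\system32\\lsess.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"lsess"="C:\\WINDOWS\\system32\\lsess.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\system32\\lsess.exe %1"
"""

# A value line: @=...  or  "name"=...
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_export(text):
    """Minimal reader for regedit's export format: returns {key: {value_name: data}}.
    Only REG_SZ data ("...") is decoded, which covers every entry in the write-up.
    The key's default value is stored under the empty name."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo the \\ and \" escaping
        keys[current][name] = data
    return keys


def audit(keys):
    """Return findings for the persistence and file-association changes the worm makes."""
    findings = []
    for key, values in keys.items():
        if key.lower() in RUN_KEYS_LC:
            for name, data in values.items():
                if WORM_IMAGE in data.lower():
                    findings.append("%s\\%s = %s" % (key, name or "(Default)", data))
        elif key.lower() == TXTFILE_KEY.lower():
            cmd = values.get("")
            if cmd is not None and cmd.lower() != TXTFILE_DEFAULT.lower():
                findings.append("%s\\(Default) = %s (expected %s)" % (key, cmd, TXTFILE_DEFAULT))
    return findings


if __name__ == "__main__":
    for line in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(line)
```

When cleaning by hand, delete the three lsess values and set the txtfile command back to its stock value; the audit returns no findings once the handler matches TXTFILE_DEFAULT again, which makes it a cheap post-cleanup check as well.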