W32.Xabot.Worm

Type: Worm
Size: 220,634 bytes
Origin: Internet
Destructive: Yes
In the wild: Yes
Detection and removal: The Hacker 5.5 as of 10/11/2003

Description:

W32/Xabot is a worm that spreads through the KaZaA, Morpheus, iMesh, eDonkey2000 and LimeWire file-sharing networks and over IRC. The worm also has the characteristics of a trojan (it accepts remote commands, see below).

When the worm is executed, it copies itself to:

    %System%\wininit32.exe

Note: %System% represents the System folder inside the Windows folder (e.g. C:\Windows\System, C:\WinNT\System32).

It then copies itself into the following shared folders, so that peer-to-peer users who search for game cracks will download it:

    %ProgramFiles%\KaZaA\My Shared Folder\
    %ProgramFiles%\eDonkey2000\incoming\
    %ProgramFiles%\LimeWire\Shared\
    %ProgramFiles%\Morpheus\My Shared Folder\
    %ProgramFiles%\iMesh\My Music

The file names it uses are:

    Doom 3 No CD Crack.exe
    Half-Life 2 Keygen.exe
    Half-Life 2 No CD Crack.exe
    Jedi Academy No CD Crack.exe
    Max Payne 2 No CD Crack.exe
    Medal of Honor - Pacific Assault No CD Crack.exe

It also modifies several registry entries so that it runs on every system restart:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
        sysinit = %System%\wininit32.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
        sysinit = %System%\wininit32.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
        sysinit = %System%\wininit32.exe
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        sysinit = %System%\wininit32.exe
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
        sysinit = %System%\wininit32.exe

It also adds values under the following registry keys (the error-reporting values silence Windows error reporting, and the Active Setup stub is a further autostart path):

    HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporing
        AllOrNone = 1
        IncludeKernelFaults = 1
        IncludeMicrosoftApps = 1
        IncludeWindowsApps = 1
        ShowUI = 0
        DoReport = 0
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Active Setup\Installed Components\sysinit
        StubPath = wininit32.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\connect
        lastmonth = [current system month]

It also modifies the following values to disable the Registry Editor and to make Explorer refuse to launch a list of programs. The DisallowRun list consists of firewalls, process and registry monitors, packet sniffers and antivirus tools, so that the user cannot easily inspect or remove the worm:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
        DisableRegistryTools = 1
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
        DisallowRun = 1
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
        1 = lockdown.exe
        2 = vsmain.exe
        3 = msconfig.exe
        4 = zonealarm.exe
        5 = zapro.exe
        6 = blackd.exe
        7 = blackice.exe
        8 = processmonitor.exe
        9 = pmon.exe
        10 = smc.exe
        11 = generics.exe
        12 = netstat.exe
        13 = ethereal.exe
        14 = sniffem.exe
        15 = monitor.exe
        16 = lockdown2000.exe
        17 = webtrap.exe
        18 = programauditor.exe
        19 = sniffem.exe
        20 = jammer.exe
        21 = ldnetmon.exe
        22 = safeweb.exe
        23 = realmon.exe
        24 = guw32.exe
        25 = regmon.exe
        26 = netmon.exe
        27 = portmon.exe
        28 = filemon.exe
        29 = scan32.exe

It then adds the following registry keys (note the trailing dash, which makes them look like the real Run keys):

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices-
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run-

It searches the following registry keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

for the following values (autostart entries of security products and of other worms and trojans, which it removes to eliminate competitors and monitoring software) and attempts to delete them:

    configuration loader update winupdate task manager windows api structure microsoft diagnostic 3dfx acc
    absr adp advapi aim reminder alevir alogserv amon anvir apvxd apvxdwin ausvc avast32 avconsoleexe
    avgserv9.exe avmaisrv avpcc avx communicator avxlni awhost32 backwork bargains bitdefenderlive
    blackice utility bmail installation bnexe bocleanautostart configuration manager dlder vet alert
    explorertask bonzi buddy boot bymer.scanner cagou cc2kui choke clickthebutton cmesys cmeupd msnb
    configuration wizard coresrv cydoor debug distributed.net client langsupportex downloadware dvp95
    eac_cnry eixfi element explorer32 f-stopw gator vet start uphooksys i386 kernell32 kernel32 loadblackd
    loaddbackup loadfonts loadorderverification ltm2 mcafee firewall mcafeevirusscanservice mnsvc mpfexe
    mprhtml msadmin winupdatermsdos423 mskernel32 msn msrc msregit ms spool32 mswincfg murphy shield
    default mxhlp32 myapp nav agent navapw32 nav configuration wizard nav defalert netapi nod32cc
    norton auto-protect ogrc pav.exe pcstart persfw ppmemcheck procmon rapapp taskman rvds rdvs registry
    run_cd rundllsystem32 runprog scaninicio scrsvr vaguard server serverex shellapi32 sistrai.exe sistray
    syncagent sysprotect sysscan explorer systemboot systemftp systemmd system monitor systemreg
    system-service task bar taskreg taskschd tau monitor tcactive tcmonitor tiny personal firewall
    trojanscanner umxldrw vscanner vshwin32exe vsstatexe webscan webscanx webtrap whvlxd
    win32baseservicemod win32dll win32 rundll loader win386 winahlp.exe win-bugsfix windows windsnx
    winloader winprofile winproxy win server winserver win server updt winsvc32 winsys winsystem wqk
    zonavirus zonealarm zonealarm pro vsmon vsmon.exe zzgshp winhelp wingate initialize program in windows
    remote procedure call locator windsnx windows subsys msconfigurator ps2 cmd supernova windowsmgm
    nerocheck loadwinconf messnger explore fuckcop internetconfigure api svhost loader gforce4drv ccapp
    ccevtmgr ccpxysvc ccregvfy cd_load cmesys cmgrdian comsocks cpdclnt cpd absr adservice aornum arupld32
    atrack wins fsys rundll rundll32 network connections ntfix system service windows update winconfig
    print sharing windowsupdate loader gforce4dr microsoft system monitor windows registry checker
    windowsfix32 winupd32.exe criticalupdate wininit loadwinconf vhostl svhost loader gforce4drv
    ssdpsrv.exe ssdpsvr.exe system service windowsupdate internat32.exe winsock2 driversyscmd ntsocket
    updatek webiss explorer systemtray systemtray32 systemtray32 systray systray systray32
    ghoststarttrayapp symtray - norton systemworks fuckyou winfix32.exe vptray systemupdate
    microsoft configuration winapp32 svhost printray tskdbg cmesys cmd wintask taskmonitor winapidr
    com+services system configuration win32 debug poeto. nav live update windows explorer config32.exe
    pop3trap.exe webtrapnt.exe trackpointsrv microsoft netview generic host process for win32 services...
    adobea win32app explorer de la dc coldlife - icmp coldlife ?icmp nt guard sustem updatewin
    winsock32 driver windows auto update

Finally, it attempts to delete the following files from the Windows and System folders (files dropped by other worms, trojans and mIRC-based bots):

    %Windows%\hello-kitty.exe
    %Windows%\bigmac.exe
    %Windows%\winmgm32.exe
    %Windows%\sntmls.dat
    %Windows%\dwn.dat
    %Windows%\direcx.dll
    %Windows%\mirc.exe
    %Windows%\mirc32.exe
    %Windows%\temp.exe
    %Windows%\temp2.exe
    %Windows%\explore.exe
    %Windows%\psexec.exe
    %Windows%\rconnect.exe
    %Windows%\whvlxd.exe
    %Windows%\iiscache.dll
    %Windows%\vbrun7.dll
    %Windows%\mirc.ini
    %Windows%\mirc2.ini
    %Windows%\mirc3.ini
    %Windows%\script.ini
    %Windows%\auth.ini
    %Windows%\settings.ini
    %Windows%\pr.ini
    %Windows%\whvlxd.dat
    %Windows%\fdrive.dat
    %Windows%\gates.txt
    %Windows%\temp.scr
    %Windows%\winnt32.nfo
    %Windows%\remote.ini
    %System%\syscfg32.exe
    %System%\cnfgldr.exe
    %System%\sysmon16.exe
    %System%\tskmgr32.exe
    %System%\winsys.exe
    %System%\tskman.exe
    %System%\taskmrg.exe
    %System%\win.exe
    %System%\syslog.exe
    %System%\msgsrv.exe
    %System%\msnb.exe
    %System%\tcpsvs32.exe
    %System%\nav32_loader.exe
    %System%\winservices.exe
    %System%\ravmond.exe
    %System%\winhelp.exe
    %System%\iexplore.exe

Finally, it uses IRC to establish a connection with a specific IRC server, where it waits for remote commands from its creator.
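A defender's check for the registry indicators described above, added here as an example (it is not part of the original description or of The Hacker's own detection). It inspects a registry snapshot represented as a dict of key path to {value name: data}, as one might build from a `reg export`; the snapshot below is constructed for the example. It flags the sysinit autostart value pointing at wininit32.exe, any Run-style key with the trailing dash, the Active Setup stub, and the DisableRegistryTools / DisallowRun policies with the tools they block.

```python
"""Check a registry snapshot for the W32/Xabot persistence and policy indicators."""
from typing import Dict, List

Snapshot = Dict[str, Dict[str, str]]  # key path -> {value name: data}

CV = r"\Software\Microsoft\Windows\CurrentVersion"
RUN_KEYS = [
    "HKEY_LOCAL_MACHINE" + CV + r"\Run",
    "HKEY_LOCAL_MACHINE" + CV + r"\RunOnce",
    "HKEY_LOCAL_MACHINE" + CV + r"\RunServices",
    "HKEY_CURRENT_USER" + CV + r"\Run",
    "HKEY_CURRENT_USER" + CV + r"\RunOnce",
]
POLICY_SYSTEM = "HKEY_CURRENT_USER" + CV + r"\Policies\System"
POLICY_EXPLORER = "HKEY_CURRENT_USER" + CV + r"\Policies\Explorer"
ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Active Setup\Installed Components\sysinit"


def _normalize(snap: Snapshot) -> Dict[str, Dict[str, str]]:
    # Registry key paths and value names are case-insensitive, so compare in lower case.
    return {k.lower(): {n.lower(): str(d) for n, d in v.items()} for k, v in snap.items()}


def check_xabot(snap: Snapshot) -> List[str]:
    s = _normalize(snap)
    findings = []
    for key in RUN_KEYS:
        data = s.get(key.lower(), {}).get("sysinit", "")
        if data.lower().endswith("wininit32.exe"):
            findings.append(f"autostart: {key}\\sysinit = {data}")
        if (key + "-").lower() in s:  # dashed look-alike keys the worm creates
            findings.append(f"suspicious key: {key}-")
    if s.get(ACTIVE_SETUP.lower(), {}).get("stubpath", "").lower() == "wininit32.exe":
        findings.append("active setup stub: wininit32.exe")
    if s.get(POLICY_SYSTEM.lower(), {}).get("disableregistrytools") == "1":
        findings.append("policy: DisableRegistryTools=1")
    if s.get(POLICY_EXPLORER.lower(), {}).get("disallowrun") == "1":
        blocked = sorted(s.get((POLICY_EXPLORER + r"\DisallowRun").lower(), {}).values())
        findings.append("policy: DisallowRun=1 blocking " + ", ".join(blocked))
    return findings


# Constructed snapshot mirroring an infected host's entries (not captured from a real system).
SAMPLE_SNAPSHOT: Snapshot = {
    "HKEY_LOCAL_MACHINE" + CV + r"\Run": {"sysinit": r"C:\WINNT\System32\wininit32.exe",
                                          "ctfmon.exe": r"C:\WINNT\System32\ctfmon.exe"},
    "HKEY_LOCAL_MACHINE" + CV + r"\Run-": {},
    POLICY_SYSTEM: {"DisableRegistryTools": "1"},
    POLICY_EXPLORER: {"DisallowRun": "1"},
    POLICY_EXPLORER + r"\DisallowRun": {"1": "lockdown.exe", "3": "msconfig.exe", "12": "netstat.exe"},
}

if __name__ == "__main__":
    for finding in check_xabot(SAMPLE_SNAPSHOT):
        print(finding)
```

On a live Windows host the same function can be fed from the `winreg` module; a clean host produces an empty list.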