W32.Noomy.A@mm, W32/Noomy-A

Type: e-mail worm
Size: 88,576 bytes
Origin: Internet
Destructive: Yes
In the wild: Yes
Detection and removal: The Hacker 5.7, virus registry as of 27/09/2004

W32/Noomy.A@mm is a worm that spreads via e-mail using its own SMTP engine, creates an HTTP server on TCP port 8800, and sends messages to IRC chat rooms inviting users to download the worm's file.

The worm sends itself to every e-mail address it finds in files with the extensions .dbx, .htm, .html or .php, and to the addresses it finds in the Windows Address Book. These addresses are saved in a file named emls.tmp inside the Windows folder.

The worm avoids sending itself to addresses that contain the following strings:

yahoo.com mail.com rock.com hotmail.com lycos.com webmaster@ myownemail.com fepg.net bravenet.com bluemountain.com google.com netaddress.com iname.com hushmail.com bigfoot.com rocketmail.com
johnny mcnatt johnnynik@ monica hays monica2005@ sandra kerry henderson kerrylove@ david lewis david.sw@ jane mcnatt jane.mc@ mail service mailservice@ linda goldstein linda1982@ jill saluck jillsaluck@ office menager office@ webmaster sandra82@ big mymoon mymoon@ angelina hot.angelina@ cindy cindy2005@ britney britney@

Characteristics of the e-mail message:

Subject: [may be any of the following]

re: ecard delivery error: re: voicemail to - delivery error you`ve got 1 new ecard! re: bad request server not found! one new voicemail! id: one new ecard! id: id: new ecard in your inbox! id: you got one voicemail! see online! num: one new ecard from num: one new voicemail from mail delivery (error re: message error! mail: bad request server not found! re: mail system error - returned mail extended mail system error: re: mail delivery error! protected mail server invalid! re: mail delivery: - error re: mail error num: - returned mail: see transcript for details warning!!! why you spam? last notice! regard ! please read... this is not ok ! dont spam!!!!! question about your spam!! irc.afternet.org information!you spam this email: last chance!stop spam this email: i call spam police! stop!!!

Body: [one of the following]

dear sir, according to our cognitions you have done next: the emails are still arriving... stop to doing that,i call spam police! actually you have been buring our network and our right is to protect our users. accourding to that you have been informed about this by phone by our system engineer, with this letter we want to point you to next facts: 1) your personal account is not restricted in any way and our right is to protect our users and servers; 2) server has been shuted down beacouse large amount of emails that have been arricing to our servers and beacouse of adequacy suspicion that it is a spam ramp. 3) unsubscribing system is not functioning! on unsubscribing attempt result is next: according to part 10 of personal servie terms of use we are authorized to warn you about this. as an evidence we have a log file fromour server that is clearly showing date and time when you i send you log file , to see your ip adress! have been sending spam emails, your ip address and your username! please accept this warnning about sending informations to users and wrongly interpret our actions taken in your case as seriously as possible. if you dont accept this warning we will be forced to refer to our lawyers so we could protect our company intersts. if you dont understand anything in this email, please contact us via email or by phone for aditional explanations. according to computer criminal law of usa, act 168v, act you have done is judget to jail (1-8 years). best regards, office manager

---------------------------------

dear customer! you`ve got 1 ecard voicemessage from ecards.com website! you can listen your virtual voicemessage at the following link: http:/ /see.ecards.com/ or by clicking the attached link: send ecard voicemessage! try our new ecard voicemessage empire! best regards: ecard.com team (r).

------------------------------

dear user! you have one new ecard pic to your inbox at ecard.com login id: you can see your ecard at the following link: https:/ /pics.ecard.com/ or by clicking the attached link: thank you

----------------------------------

one new voice message for you! from: can see online: http:/ /voice.ecard.com/ or by clicking the attached link: test our new service! send you one voice message http://voice.ecards.com best regards: ecard.com team (r).

-----------------------------------

delivery failed ! error: the original message was included as attachment ----- the following addresses had permanent fatal errors ----- >>> data or <<<400-aturner; mail-e-openout, error opening !as as output --- from server: >>> mail to: <<<400-aturner; -rms-e-cre, acp file create failed <<<400-aturner; -system-f-exdiskquota, disk quota exceeded <<<400 --- attachment: --- attachment: no virus found kaspersky antivirus - www.kaspersky.com

---------------------------

your message [was not or could not be] delivered because the destination was reachable within the allowed queue period. the amount of time from: a message is queued before it is returned depends on local configuration parameters. <<<< --------------- it is also possible that the computer is turned off, or does not have a mail system running right now. >>> your message [was not or could not be] delivered within 3 days. <<< is not responding. please reply to postmaster! <<<400 if you feel this message to be in error. >< automatic message from:

Attachment: [may be one of the following, with a .scr, .exe or .pif extension]

sending.www.ecards.com pics.ecards.com see.ecards.com voice.ecards.com secure.ecards.com ecardid.ecards.com secpics.ecards.com online.ecard.com onlinesee.cards.com pics.online.see.com url.ecard.php.ssecxcsd link.index.php.seehere file.url.view.fded live.show.url.see.phpasved log.file logs url.picture.php.seeonline -www.telekom.com -www.usaeunet.com -www.aol.com -www.aol.abuse.co.com -www.scg.net.com -www.pttusa.com -www.police.spam.com -www.usapolice.com -www.nic.uk.com -www.webhosting.com file.logs. mail.log. smtp.serverlog yahoo -hotmail -mailmail fdfseccdsaa.error dde.view nude.only.viewdferes -servise.error index.php.seeedsad.not.found vk.only.error.found private.mail.error2222442 error.msg e-mail unsent.mail msg mail

------------------------------

When the worm runs, it displays the following fake error message:

crc error. 5418 #223 close file

It then copies itself to:

Windows\sysconf32.exe

It also modifies the following registry entry so that it runs at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
windows html files = Windows\sysconf32.exe

Note: Windows represents the Windows installation folder (e.g. C:\Windows, C:\WINNT).

It also creates a folder named systembck inside the System folder and copies itself into that folder under a large number of different file names with .exe, .scr and .pif extensions.

It terminates all processes whose names appear on its list of executable names.
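An added example, not part of the original description: a read-only PowerShell check for the host artifacts this write-up names (the sysconf32.exe copy, emls.tmp, the systembck folder, the Run value and a listener on TCP 8800). The function name Test-NoomyArtifacts is hypothetical, and Get-NetTCPConnection assumes Windows 8 / Server 2012 or later.

```powershell
# Read-only host check for the W32/Noomy.A@mm artifacts listed in this description.
# It only reports findings; it deletes and changes nothing.
function Test-NoomyArtifacts {
    $winDir  = $env:windir                        # Windows folder, e.g. C:\Windows or C:\WINNT
    $sysDir  = [Environment]::SystemDirectory     # System folder
    $runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runName = 'windows html files'               # value name as printed in the description
    $findings = @()

    # 1. Worm copy and harvested-address file in the Windows folder
    foreach ($name in 'sysconf32.exe', 'emls.tmp') {
        $path = Join-Path $winDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings += "File present: $path"
        }
    }

    # 2. Folder of renamed copies inside the System folder
    $bck = Join-Path $sysDir 'systembck'
    if (Test-Path -LiteralPath $bck -PathType Container) {
        $count = @(Get-ChildItem -LiteralPath $bck -Force -ErrorAction SilentlyContinue).Count
        $findings += "Folder present: $bck ($count entries)"
    }

    # 3. Run-key persistence: match on the value name or on data pointing at sysconf32.exe
    #    (string comparison is case-insensitive, like registry value names)
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -eq $runName -or "$($p.Value)" -like '*sysconf32.exe*') {
            $findings += "Run value '$($p.Name)' = $($p.Value)"
        }
    }

    # 4. HTTP server on TCP 8800; other software may use this port, so treat it as
    #    corroborating evidence only and look at the owning process
    $listeners = Get-NetTCPConnection -State Listen -LocalPort 8800 -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $findings += "TCP 8800 listening: PID $($l.OwningProcess) ($($proc.ProcessName))"
    }

    return $findings
}

$result = Test-NoomyArtifacts
if ($result) { $result | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'None of the artifacts from this description were found.' }
```

Run it from an elevated session so the process owning the port can be resolved.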