Sunday, January 7, 2007

  • Dref:
Spreads through:
    1. Email messages
    2. Network shares
    3. Infected files
Side Effects:
    1. Turns off anti-virus applications
    2. Sends itself to email addresses found on the infected computer
    3. Drops more malware
    4. Downloads code from the internet
    5. Reduces system security
    6. Installs itself in the Registry
W32/Dref-V is a virus with mass-mailing capability for the Windows platform. W32/Dref-V spreads to other network computers and via email.
W32/Dref-V sends emails with the following characteristics:
From:

Subject line: "Happy New Year!"

Message text:

Attached file: postcard.exe

or

From:

Subject line: chosen from
  1. "Annual Fun Forecast!"
  2. "Baby New Year !"
  3. "Best Wishes For A Happy New Year!"
  4. "Fun 2007!"
  5. "Fun Filled New Year!"
  6. "Happiness And Continued Success!"
  7. "Happiness and Success!"
  8. "Welcome 2007!"
  9. "Wish You Smiles And Good Cheer!"
  10. "Warm New Year Hug!"
Message text:

Attached file: chosen from

  • Postcard.exe
  • Greeting Card.exe
  • Greeting Postcard.exe
A typical email sent by the Dref-V worm.

W32/Dref-V includes functionality to access the internet and communicate with a remote server via HTTP.

When first run, W32/Dref-V copies itself to \alsys.exe and creates the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Agent
\alsys.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Agent
\alsys.exe

W32/Dref-V sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

  • Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).
W32/Dref-V may also attempt to drop a randomly named file into the current folder and run it.
  • Netsky:
W32/Netsky-P is a mass-mailing worm which spreads by emailing itself to addresses harvested from files on the local drives.

The worm copies itself to the Windows folder as FVProtect.exe and adds the following registry entry to run itself whenever the user logs on to the computer:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV
= \FVProtect.exe

The worm will also copy itself to various peer-to-peer shared folders as the following files:
  1. 1001 Sex and more.rtf.exe
  2. 3D Studio Max 6 3dsmax.exe
  3. ACDSee 10.exe
  4. Adobe Photoshop 10 crack.exe
  5. Adobe Photoshop 10 full.exe
  6. Adobe Premiere 10.exe
  7. Ahead Nero 8.exe
  8. Altkins Diet.doc.exe
  9. American Idol.doc.exe
  10. Arnold Schwarzenegger.jpg.exe
  11. Best Matrix Screensaver new.scr
  12. Britney sex xxx.jpg.exe
  13. Britney Spears and Eminem porn.jpg.exe
  14. Britney Spears blowjob.jpg.exe
  15. Clone DVD 6.exe
  16. Cloning.doc.exe
  17. Cracks & Warez Archiv.exe
  18. Dark Angels new.pif
  19. Dictionary English 2004 - France.doc.exe
  20. DivX 8.0 final.exe
  21. Doom 3 release 2.exe
  22. E-Book Archive2.rtf.exe
  23. Eminem full album.mp3.exe
  24. Eminem Song text archive.doc.exe
  25. Eminem.mp3.exe
  26. Full album all.mp3.pif
  27. Gimp 1.8 Full with Key.exe
  28. Harry Potter 1-6 book.txt.exe
  29. Harry Potter 5.mpg.exe
  30. Harry Potter all e.book.doc.exe
  31. Harry Potter e book.doc.exe
  32. Harry Potter game.exe
  33. Harry Potter.doc.exe
  34. How to hack new.doc.exe
  35. Internet Explorer 9 setup.exe
  36. Kazaa Lite 4.0 new.exe
  37. Kazaa new.exe
  38. Keygen 4 all new.exe
  39. Learn Programming 2004.doc.exe
  40. Lightwave 9 Update.exe
  41. Magix Video Deluxe 5 beta.exe
  42. Matrix.mpg.exe
  43. Microsoft Office 2003 Crack best.exe
  44. Microsoft WinXP Crack full.exe
  45. MS Service Pack 6.exe
  46. netsky source code.scr
  47. Norton Antivirus 2005 beta.exe
  48. Opera 11.exe
  49. Partitionsmagic 10 beta.exe
  50. Porno Screensaver britney.scr
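Every drop name above disguises a program as a document, image or cracked software, either with a decoy extension before the real one ("Harry Potter.doc.exe") or with a lure word in the name. The following is an added example, not code from the page or from any anti-virus vendor: a small Python check that flags such names in a share or attachment listing; the extension sets, lure words and the sample listing are my own assumptions.

```python
"""Flag deceptive executable filenames of the kind W32/Netsky-P drops into
peer-to-peer shares (added example, not the original page's code)."""

# Extensions Windows runs as code (assumption: this list, not the page's).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Screensaver/shortcut executables: rarely legitimate in a download folder.
RARE_EXEC_EXTS = {"scr", "pif"}
# Decoy document/media extensions used to disguise a program as a data file.
DECOY_EXTS = {"doc", "rtf", "txt", "jpg", "mpg", "mp3", "pdf", "zip"}
# Social-engineering words that recur in the page's drop names.
LURE_WORDS = ("crack", "keygen", "warez", "porn", "sex", "xxx", "hack")


def classify_filename(name):
    """Return which deception signals a single filename shows."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    executable = ext in EXECUTABLE_EXTS
    return {
        "name": name,
        "executable": executable,
        # "Harry Potter.doc.exe": a decoy extension sits right before the real one.
        "double_ext": executable and len(parts) > 2 and parts[-2] in DECOY_EXTS,
        "rare_exec": ext in RARE_EXEC_EXTS,
        "lure": any(w in name.lower() for w in LURE_WORDS),
    }


def suspicious(names):
    """Names worth quarantining: executables that also carry a deception signal."""
    hits = []
    for n in names:
        c = classify_filename(n)
        if c["executable"] and (c["double_ext"] or c["rare_exec"] or c["lure"]):
            hits.append(n)
    return hits


# Constructed listing: a few of the page's Netsky-P names mixed with benign files.
SAMPLE_LISTING = [
    "Harry Potter.doc.exe",
    "Arnold Schwarzenegger.jpg.exe",
    "Best Matrix Screensaver new.scr",
    "Microsoft Office 2003 Crack best.exe",
    "Dark Angels new.pif",
    "quarterly_report.docx",
    "holiday.jpg",
    "setup.exe",
]

if __name__ == "__main__":
    for n in suspicious(SAMPLE_LISTING):
        print("suspicious:", n)
```

A plain "setup.exe" or "Doom 3 release 2.exe" carries no deception signal and is deliberately not flagged; names alone cannot replace scanning the file contents.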
W32/Netsky-P harvests email addresses from files with the following extensions:
PL, HTM, HTML, EML, TXT, PHP, ASP, VBS, RTF, UIN, SHTM, CGI, DHTM, ADB, TBB, DBX, SHT, OFT, MSG, JSP, WSH, XML.

The worm has a trigger date of 24 March 2004, at which time it will attempt to mass mail.

Attached filename:

  1. Attachment: No Virus found
  2. MessageLabs AntiVirus - www.messagelabs.com
  3. Attachment: No Virus found
  4. Bitdefender AntiVirus - www.bitdefender.com
  5. Attachment: No Virus found
  6. MC-Afee AntiVirus - www.mcafee.com
  7. Attachment: No Virus found
  8. Kaspersky AntiVirus - www.kaspersky.com
  9. Attachment: No Virus found
  10. Panda AntiVirus - www.pandasoftware.com
W32/Netsky-P attempts to delete registry entries which may be set by variants of the W32/Mydoom and W32/Bagle worms.

W32/Netsky-P also creates a number of TMP files in the Windows folder: base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp, zipped.tmp.
  • Mytob:
Side Effects:
  1. Allows others to access the computer
  2. Sends itself to email addresses found on the infected computer
  3. Forges the sender's email address
  4. Uses its own emailing engine
W32/Mytob-C is a mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the LSASS (MS04-011) exploit.

The worm will attempt to harvest email addresses from the local hard disk by scanning files with extensions WAB, PL, ADB, TBB, DBX, ASP, PHP, SHTL and HTM.
  • Stratio:
W32/Stratio-Zip is a family of zip files containing worms in the Stration family.
  • Bagle:
Anti-Virus detects as W32/Bagle-Zip the password-protected archive files created by W32/Bagle-F, W32/Bagle-G, W32/Bagle-H, W32/Bagle-I, W32/Bagle-J, W32/Bagle-K (ZIP archives), W32/Bagle-N, W32/Bagle-O (ZIP and RAR archives), W32/Bagle-W, W32/Bagle-AA, W32/Bagle-AF, W32/Bagle-AG, W32/Bagle-CL, W32/Bagle-KL and W32/Bagle-KM.
  • Zafi:
Aliases:
  1. I-Worm.Zafi.b
  2. W32/Zafi.b@MM
  3. Win32/Zafi.B
  4. W32.Erkez.B@mm
  5. PE_ZAFI.B
W32/Zafi-B is a peer-to-peer (P2P) and email worm that will copy itself to the Windows system folder as a randomly named EXE file.

This worm will test for the presence of an internet connection by attempting to connect to www.google.com or www.microsoft.com.

W32/Zafi-B collects email addresses from files which have the following extensions:

HTM, WAB, TXT, DBX, TBB, ASP, PHP, SHT, ADB, MBX, EML and PMR.

The worm stores the collected email addresses in randomly named files with a DLL extension in the Windows system folder.

W32/Zafi-B attempts to include itself as an attachment in email messages sent to addresses collected from the local machine. The worm will also copy itself into shared P2P folders as either 'WINAMP 7.0 FULL_INSTALL.EXE' or 'TOTAL COMMANDER 7.0 FULL_INSTALL.EXE'.

W32/Zafi-B may display a message box on screen containing the following Hungarian text:
Below are examples of the emails sent by W32/Zafi-B.

Subject: Ingyen SMS!
Message:
------------------------ hirdet=E9s -----------------------------
A sikeres 777sms.hu =E9s az axelero.hu t=E1mogat=E1s=E1val =FAjra
indul az ingyenes sms k=FCld=F5 szolg=E1ltat=E1s! Jelenleg ugyan
korl=E1tozott sz=E1mban, napi 20 ingyen smst lehet felhaszn=E1lni.
K=FCldj te is SMST! Neh=E1ny kattint=E1s =E9s a mell=E9kelt regisztr=E1ci=F3s lap kit=F6lt=E9se ut=E1n azonnal ig=E9nybevehet=F5! B=F5vebb inform=E1ci=F3t a www.777sms.hu oldalon tal=E1lsz, de siess,
mert az els=F5 ezer felhaszn=E1l=F3 k=F6z=F6tt =E9rt=E9kes nyerem=E9nyeket sorsolunk ki!
------------------------ axelero.hu ---------------------------
Subject: You`ve got 1 VoiceMessage!
Message: Dear Customer!
You`ve got 1 VoiceMessage from voicemessage.com website!
Sender:
You can listen your Virtual VoiceMessage at the following link:
http://virt.voicemessage.com/index.listen.php2=35affv
or by clicking the attached link.
Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).

Subject: Check this out kid!!!
Message: Send me back bro, when you`ll be done...(if you know what i mean...)
See ya,
  • Mydoom:
W32/MyDoom-O is an email worm.

W32/MyDoom-O creates a file named services.exe in the Windows or Temp folder and runs the file. Services.exe is a backdoor component.

W32/MyDoom-O searches the hard disk for email addresses. The worm searches files with the extensions PL*, PH*, TX*, HT*, ASP, TBB, SHT*, WAB, ADB and DBX and the Windows address book. In addition, the worm may use an internet search engine to find more email addresses. The worm will send a query to the search engine using domain names from email addresses found on the hard disk and then examine the query results, searching for more addresses. The internet search engines used by W32/MyDoom-O and the percentage chance that each is used are:
  1. www.google.com (45%)
  2. search.lycos.com (22.5%)
  3. search.yahoo.com (20%)
  4. www.altavista.com (12.5%)
The email sent by the worm has a spoofed sender.

--Dear user of

Mail server administrator of
would like to inform you that We have detected that your e-mail account has been used to send a large amount of unsolicited e-mail messages during this recent week. We suspect that your computer had been compromised by a recent virus and now runs a trojan proxy server. Please follow our instructions in the attachment file in order to keep your computer safe. Virtually yours
user support team.--
  • Sality:
Side effects:
  1. Records keystrokes
Aliases:
  1. Virus.Win32.Sality.q
  2. W32/Sality.x
  3. Win32/Sality.NAJ
  4. PE_SALITY.AS
W32/Sality-AA is a virus that also acts as a keylogger.

W32/Sality-AA creates the file \vcmgcd32.dll. This file is also detected as W32/Sality-AA.

The virus logs keystrokes to certain windows, as well as information about the infected computer. This logged data is periodically submitted to a remote website.
  • Nyxem:
Side effects:
  1. Turns off anti-virus applications
  2. Sends itself to email addresses found on the infected computer
  3. Deletes files off the computer
  4. Forges the sender's email address
  5. Uses its own emailing engine
  6. Downloads code from the internet
  7. Reduces system security
  8. Installs itself in the Registry
Aliases:
  1. Email-Worm.Win32.VB.bi
  2. CME-24
  3. WORM_GREW.A
  4. W32.Blackmal.E@mm
  5. W32/Tearec.A.worm
  6. Email-Worm.Win32.Nyxem.e
  7. W32/MyWife.d@MM
  8. Win32/Mywife.E@mm
  9. WORM_NYXEM.E
W32/Nyxem-D is an email and network worm for the Windows platform.

W32/Nyxem-D may open an empty dropped ZIP file in order to hide its functionality.

W32/Nyxem-D may periodically attempt to download and run an update of itself.

W32/Nyxem-D may attempt to display an icon in the Windows taskbar with the text "Update Please wait" if it detects the presence of anti-virus software. W32/Nyxem-D may also attempt to close windows, terminate programs, remove registry entries and delete files related to security and anti-virus programs.

W32/Nyxem-D sends itself to email addresses it harvests from files on the infected computer, sending itself as if from one contact to another. Message bodies may contain images that cannot be displayed:
W32/Nyxem-D attempts to spread to network shares with weak passwords.
  • Stardl:
Side effects:
  1. Downloads code from the internet
Troj/StraDl-B is a downloader Trojan for the Windows platform.

When run Troj/StraDl-B attempts to download a file from a remote website and run it. This file is currently detected as W32/Strati-Gen.