[virusinfo] Mass-Mailing Worm Has Backdoor Component

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Thu, 08 Apr 2004 15:35:02 -0700

From: eSecurity Planet 
 
http://nl.internet.com/ct.html?rtr=on&s=1,ttt,1,lyzv,dcpx,1std,6jmd

Mass-Mailing Worm Has Backdoor Component
April 8, 2004


Several vendors Thursday issued alerts for W32/Netsky-U, a mass mailing worm
with a backdoor component, which is functionally identical to W32/Netsky-S.
According to Sophos, both worms copy themselves to the Windows folder using
the name EasyAV.exe, create a file called uinmzertinmds.opm (a base64
encoded form of the worm) and set the following registry entry to auto start
on user login: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EasyAV = \EasyAV.exe 

W32/Netsky-S and W32/Netsky-U have a backdoor component listening for
connections on TCP port 6789 allowing an unauthorized program to download
and execute arbitrary code on the infected computer. 

The worms harvest email addresses from files on the local drives with the
following extensions: 

SHT, ADB, TBB, WAB, DBX, OFT, DOC, MSG

More information is at this Sophos page.
http://www.sophos.com/virusinfo/analyses/w32netskys.html

According to Symantec, W32.Netsky.U@mm is a mass-mailing worm and a variant
of W32.Netsky.S@mm. This worm also contains backdoor functionality and may
perform a Denial of Service (DoS) attack against predetermined Web sites. 

The Subject and Attachment name will vary. The attachment will have a .pif
file extension.

Technical details are at this Symantec page.
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.u@xxxxxxx#technicaldetails

According to McAfee, W32/Netsky.U@mm is very similar to W32/Netsky.t@MM.
It bears the following characteristics:

- constructs messages using its own SMTP engine
- harvests email addresses from the victim machine
- spoofs the From: address of messages
- opens a port on the victim machine (TCP 6789)
- delivers a DoS attack on certain web sites upon a specific date condition

Email addresses are harvested from the victim machine. Files with certain
extensions are searched.
View them and other information at this McAfee page.
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101167


Netsky.U is a worm that spreads by copying itself, without infecting other
files. 
Its main objective is to collapse computers and networks, preventing users
from working with the affected computer, according to Panda Software.

Technical details are at this Panda Software page.
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=46191

Worm, Trojan, Runs in Background, Allows Unauthorized Computer Access

W32/SdBot-CM is a network worm and a backdoor trojan that runs in the
background as a service process and allows unauthorized remote access to the
computer via IRC channels.

When executed W32/SdBot-CM copies itself to the Windows system folder with
the filename msgfix.exe and sets the following registry entries with the
path to the copy: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Configuration Loader
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Configuration Loader
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Configuration Loader

W32/SdBot-CM attempts to copy itself to remote network shares with weak
passwords. 
More information is at this Sophos page.
http://www.sophos.com/virusinfo/analyses/w32sdbotcm.html

Trojan Has Two Components

Troj/Webber-H is a two component backdoor Trojan. 
The downloader component of the Trojan appears to have been mass-mailed out.

When run, the Trojan downloads a remote file to C:\windows\usermade.exe and
executes it.

The downloaded component is a password stealing Trojan that attempts to
extract sensitive information from several locations on the system and sends
it to a remote computer. 

The downloaded component copies itself as a file with a random name into the
Windows system folder and drops and executes a DLL file, also with a random
name, that runs the copy of the Trojan.

In order to be started automatically the Trojan creates certain registry
entries. View them and other information at this Sophos page.
http://www.sophos.com/virusinfo/analyses/trojwebberh.html

Backdoor Trojan Provides Proxy Server on Random Port

Troj/Bagle-X is a proxy backdoor Trojan. 
The Trojan runs continuously in the background providing a proxy server on a
random port number above 2000. 

Data can be routed to other computers via the proxy in order to bypass
access restrictions and to hide the IP address of the source computer. 

The proxy may be used to forward SPAM email. 

When first run the Trojan copies itself to the Windows system folder as
window.exe and creates the following registry entry, so that window.exe is
run automatically on startup: 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\window.exe = \window.exe

More information is at this Sophos page.
http://www.sophos.com/virusinfo/analyses/trojbaglex.html
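
A small host-triage check, added here as an example (it is not part of the eSecurity Planet article or any vendor's tool), that scans a `reg export` of the Run/RunServices keys and `netstat -ano` output for the autorun entries and the TCP 6789 listener described above for W32/Netsky-S/U, W32/SdBot-CM and Troj/Bagle-X. The value-name-to-file-name pairs come from the Sophos descriptions quoted on this page; the registry and netstat text is constructed sample input.

```python
import re

# Autorun value name -> expected file, from the Sophos write-ups above (Netsky-S/U, SdBot-CM, Bagle-X).
AUTORUN_INDICATORS = {"EasyAV": "easyav.exe", "Configuration Loader": "msgfix.exe",
                      "window.exe": "window.exe"}
BACKDOOR_PORTS = {6789}  # Netsky-S/U backdoor listener

# Key headers of a .reg export for the Run / RunServices keys under HKLM or HKCU.
RUN_KEY_RE = re.compile(r"^\[((?:HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software"
                        r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Services)?)\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "name"="data" lines

def scan_reg_export(text):
    """Return (key, value_name, data) for autorun values matching an indicator."""
    hits, current_key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):            # key header: track only Run keys
            m = RUN_KEY_RE.match(line)
            current_key = m.group(1) if m else None
            continue
        m = VALUE_RE.match(line)
        if current_key is None or not m:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        expected = AUTORUN_INDICATORS.get(name)
        if expected and data.lower().endswith(expected):
            hits.append((current_key, name, data))
    return hits

def scan_netstat(text):
    """Return (port, pid) for LISTENING TCP sockets on a known backdoor port."""
    hits = []
    for line in text.splitlines():
        parts = line.split()            # Proto, Local, Foreign, State, PID
        if len(parts) >= 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port in BACKDOOR_PORTS:
                hits.append((port, parts[4]))
    return hits

# Constructed sample input (not captured from a real infection).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"EasyAV"="C:\\WINDOWS\\EasyAV.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"window.exe"="C:\\WINDOWS\\system32\\window.exe"
'''
SAMPLE_NETSTAT = '''  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING    884
  TCP    0.0.0.0:6789    0.0.0.0:0    LISTENING    1532
'''
```

A hit only says the named value points at the named file or that something listens on 6789; confirm with the vendor write-ups linked above before cleaning, since the file names are short and could collide with legitimate software.
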
Trojan Exploits Unpatched IE Vulnerability

VBS/Psyme is a Trojan that exploits an unpatched (at the time of this
writing) vulnerability in Internet Explorer. The vulnerability allows for
the writing, and overwriting, of local files by exploiting the ADODB.Stream
object. There are several variants of this trojan. Therefore this
description is designed to give an overview of how the trojan works.

The trojan exists as VBScript. 
This script contains instructions to download a remote executable, save it
to a specified location on the local disk, and then execute it.

More information is at this McAfee page.
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100749

Virus May Not Let Infected Systems Restart

W32.Tunk.A is a file-prepending virus. From May 2004 onward, infected
systems may fail to restart. 
Technical details are at this Symantec page.
http://securityresponse.symantec.com/avcenter/venc/data/w32.tunk.a.html#technicaldetails

--Compiled by Esther Shein

__________________________________________________

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 