19 Jan 2006

New Virus W32.Blackmal.E


As I said in the introduction, here comes a nice virus with the start of 2006.

I'm taking the details from Symantec's site, which explains in detail how it spreads and how to get rid of it... A very useful removal tool is also available here!

-------------------------------------------------------------------------------------------------------------------------------

W32.Blackmal.E@mm

When W32.Blackmal.E@mm is executed, it performs the following actions:

  • Copies itself as one of the following files:

    • %Windir%\Rundll16.exe
    • %System%\scanregw.exe
    • %System%\Winzip.exe
    • %System%\Update.exe
    • %System%\WINZIP_TMP.EXE
    • %System%\SAMPLE.ZIP
    • %System%\New WinZip File.exe
    • movies.exe
    • Zipped Files.exe

      Note:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  • Creates an empty .zip file using the same file name as the worm itself in the %System% folder. It then opens this file in order to hide its functionality.

  • Adds the value:

    "ScanRegistry" = "scanregw.exe /scan"

    to the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs every time Windows starts.

  • Modifies the values:

    "WebView" = "0"
    "ShowSuperHidden" = "0"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

  • Modifies the value:

    "FullPath" = "0"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState

  • Modifies registry entries found under the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses

  • Deletes the following files:

    • %ProgramFiles%\DAP\*.dll
    • %ProgramFiles%\BearShare\*.dll
    • %ProgramFiles%\Symantec\LiveUpdate\*.*
    • %ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
    • %ProgramFiles%\Norton AntiVirus\*.exe
    • %ProgramFiles%\Alwil Software\Avast4\*.exe
    • %ProgramFiles%\McAfee.com\VSO\*.exe
    • %ProgramFiles%\McAfee.com\Agent\*.*
    • %ProgramFiles%\McAfee.com\shared\*.*
    • %ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
    • %ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
    • %ProgramFiles%\Trend Micro\Internet Security\*.exe
    • %ProgramFiles%\NavNT\*.exe
    • %ProgramFiles%\Morpheus\*.dll
    • %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
    • %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
    • %ProgramFiles%\Grisoft\AVG7\*.dll
    • %ProgramFiles%\TREND MICRO\OfficeScan\*.dll
    • %ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
    • %ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar

      Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  • Queries the following values:

    "Home Directory"
    "NAV"
    "Folder"
    "InstallLocation"

    under the following registry subkeys:

    HKEY_LOCAL_MACHINE\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion
    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps
    HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\101
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Panda Antivirus 6.0 Platinum

    and deletes all .exe files found in the folders it locates.

  • Queries the value:

    "Folder"

    in the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal

    and deletes all files found in the folder it locates.

  • Queries the value:

    "Path"

    in the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Iface.exe

    and deletes all *.exe and *.ppl files in the folder it locates.

  • Closes windows whose title contains any of the following strings:

    • SYMANTEC
    • SCAN
    • KASPERSKY
    • VIRUS
    • MCAFEE
    • TREND MICRO
    • NORTON
    • REMOVAL
    • FIX

  • Deletes the values:

    PCCIOMON.exe
    pccguide.exe
    Pop3trap.exe
    PccPfw
    Tmproxy
    McAfeeVirusScanService
    NAVAgent
    PCCClient.exe
    SSDPSRV
    rtvscn95
    defwatch
    vptray
    ScanInicio
    APVXDWIN
    KAVPersonal50
    kaspersky
    TMOutbreakAgent
    AVG7_Run
    AVG_CC
    Avgserv9.exe
    AVGW
    AVG7_CC
    AVG7_EMC
    VetAlert
    VetTray
    OfficeScanNTMonitor
    avast!
    DownloadAccelerator
    BearShare

    from the following registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

  • Gathers email addresses from files with the following extensions:

    .htm
    .dbx
    .eml
    .msg
    .oft
    .nws
    .vcf
    .mbx
    .imh
    .txt
    .msf

    The worm also gathers email addresses from files with one of the following strings in the full name:

    • CONTENT.
    • TEMPORARY

  • Attempts to send itself as an email to the addresses it gathers using its own SMTP engine. The email will have the following characteristics:

    Subject:
    One of the following:

    • *Hot Movie*
    • A Great Video
    • Fw:
    • Fw: DSC-00465.jpg
    • Fw: Funny :)
    • Fw: Picturs
    • Fw: Real show
    • Fw: SeX.mpg
    • Fw: Sexy
    • Fwd: Crazy illegal Sex!
    • Fwd: image.jpg
    • Fwd: Photo
    • give me a kiss
    • Miss Lebanon 2006
    • My photos
    • Part 1 of 6 Video clipe
    • Photos
    • Re:
    • School girl fantasies gone bad

      Message body:
      One of the following:

    • Note: forwarded message attached. You Must View This Videoclip!
    • >> forwarded message
    • Re: Sex Video
    • i just any one see my photos.
    • It's Free :)
    • The Best Videoclip Ever
    • Hot XXX Yahoo Groups
    • Fuckin Kama Sutra pics
    • ready to be FUCKED ;)
    • forwarded message attached.
    • VIDEOS! FREE! (US$ 0,00)
    • What?
    • i send the file.
    • Helloi attached the details.
    • Thank you
    • the file i send the details
    • hello,
    • Please see the file.
    • how are you?
    • i send the details.

      Attachment:
      One of the following:

    • 007.pif
    • 392315089702606E-02,.scR
    • 677.pif
    • Adults_9,zip.sCR
    • Arab sex DSC-00465.jpg
    • ATT01.zip.sCR
    • Attachments[001],B64.sCr
    • Clipe,zip.sCr
    • document.pif
    • DSC-00465.Pif
    • DSC-00465.pIf
    • eBook.pdf
    • eBook.PIF
    • image04.pif
    • New Video,zip
    • New_Document_file.pif
    • photo.pif
    • Photos,zip.sCR
    • School.pif
    • SeX,zip.scR
    • Sex.mim
    • Video_part.mim
    • WinZip,zip.scR
    • WinZip.BHX
    • WinZip.zip.sCR
    • Word XP.zip.sCR
    • Word.zip.sCR
    • 04.pif

      The attachment may be an executable file or a MIME file that contains an executable file. Those attachments that are MIME files may have the following file names:

    • 3.92315089702606E02.UUE
    • Attachments[001].B64
    • Attachments00.HQX
    • Attachments001.BHX
    • eBook.Uu
    • Original Message.B64
    • Sex.mim
    • SeX.mim
    • Video_part.mim
    • WinZip.BHX
    • Word_Document.hqx
    • Word_Document.uu

      These files may also have one of the following file names:

    • 392315089702606E-02
    • Clipe
    • Miss
    • Photos
    • Sweet_09

      These file names will be combined with one of the following extensions:

    • .b64
    • .BHx
    • .HQX
    • .mim
    • .uu
    • .UUE
    • .XxE

      If the attachment is a MIME file, it may contain a file with one of the following file names:

    • 392315089702606E-02,UUE[BLANK SPACES].scr
    • Adults_9,zip[BLANK SPACES].scr
    • ATT01.zip[BLANK SPACES].scr
    • Atta[001],zip[BLANK SPACES].scr
    • Attachments,zip[BLANK SPACES].scr
    • Attachments[001],B64[BLANK SPACES].scr
    • Clipe,zip[BLANK SPACES].scr
    • New Video,zip[BLANK SPACES].scr
    • Photos,zip[BLANK SPACES].scr
    • SeX,zip[BLANK SPACES].scr
    • WinZip,zip[BLANK SPACES].scr
    • WinZip.zip[BLANK SPACES].scr
    • Word XP.zip[BLANK SPACES].scr
    • Word.zip[BLANK SPACES].scr

  • Searches the network for the following shared folders, where it copies itself as WINZIP_TMP.EXE:

    • ADMIN$
    • C$

      The worm also copies itself using the same file name to network shares protected by weak passwords.

  • Attempts to access the following URL:

    [http://]webstats.web.rcn.net/[REMOVED]/Count.cgi?df=765247

  • Enumerates the computers in the same domain as the host computer by using WNetOpenEnum.

  • Executes the command "net use /user:administrator" to connect to each computer it enumerates.

    Note: If the user on the compromised computer is already connected to some other network computer, the worm will be able to use that connection.

  • Attempts to delete the following folders on the computer it connects to:

    • \C$\Program Files\Norton AntiVirus
    • \C$\Program Files\Common Files\symantec shared
    • \C$\Program Files\Symantec\LiveUpdate
    • \C$\Program Files\McAfee.com\VSO
    • \C$\Program Files\McAfee.com\Agent
    • \C$\Program Files\McAfee.com\shared
    • \C$\Program Files\Trend Micro\PC-cillin 2002
    • \C$\Program Files\Trend Micro\PC-cillin 2003
    • \C$\Program Files\Trend Micro\Internet Security
    • \C$\Program Files\NavNT
    • \C$\Program Files\Panda Software\Panda Antivirus Platinum
    • \C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
    • \C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
    • \C$\Program Files\Panda Software\Panda Antivirus 6.0
    • \C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus

  • Attempts to run one of the following commands on the computer it connected to, scheduling its copy to execute at the end of the hour:

    at :59 /interactive \\\Admin$\WINZIP_TMP.exe
    at :59 /interactive \\\C$\WINZIP_TMP.exe
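The registry, file and scheduled-job indicators above can be checked offline against exported artifacts. The following script is an added example written for this page; it is not Symantec's removal tool and not the blog's code. It assumes a `.reg` export of the keys in question, a plain list of file paths, and the command lines of any `at` jobs, all constructed here as sample input (the host name `WS01` is a placeholder).

```python
"""Offline triage of host artifacts against the W32.Blackmal.E indicators
listed in the writeup above. Added example; not Symantec's tool and not the
blog's code. All inputs are constructed here (a .reg export, a file listing
and scheduled-job command lines), so nothing touches a live registry."""
import re

PERSISTENCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
PERSISTENCE_VALUE = ("ScanRegistry", "scanregw.exe /scan")

# Explorer settings the worm forces to 0 so its files and extensions stay hidden.
TAMPERED_VALUES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced":
        {"WebView": "0", "ShowSuperHidden": "0"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState":
        {"FullPath": "0"},
}

# File names the worm drops (compared case-insensitively on the base name).
DROPPED_NAMES = {"rundll16.exe", "scanregw.exe", "winzip.exe", "update.exe",
                 "winzip_tmp.exe", "sample.zip", "new winzip file.exe",
                 "movies.exe", "zipped files.exe"}

# Matches "at :59 /interactive \\<host>\Admin$\WINZIP_TMP.exe" style commands
# (an empty host, as in the writeup's redacted form, also matches).
AT_JOB_RE = re.compile(r"/interactive\s+\\\\[^\\]*\\(?:admin\$|c\$)\\winzip_tmp\.exe", re.I)


def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data_as_string}}.
    REG_SZ data keeps its string; dword:XXXXXXXX is converted to decimal text
    so it compares against the "0" values quoted in the writeup."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip()
            if data.lower().startswith("dword:"):
                data = str(int(data[6:], 16))
            else:
                data = data.strip('"')
            keys[current][name.strip('"')] = data
    return keys


def check_registry(keys):
    """Return findings for the worm's Run value and the Explorer tampering."""
    findings = []
    name, data = PERSISTENCE_VALUE
    if keys.get(PERSISTENCE_KEY, {}).get(name, "").lower() == data:
        findings.append(f"persistence: {PERSISTENCE_KEY}\\{name} = {data}")
    for key, expected in TAMPERED_VALUES.items():
        present = keys.get(key, {})
        for vname, bad in expected.items():
            if present.get(vname) == bad:
                findings.append(f"explorer-tamper: {key}\\{vname} = {bad}")
    return findings


def check_files(paths):
    """Flag paths whose base name matches a dropped-file name. scanregw.exe is
    also a legitimate Windows 9x file in %Windir%, so treat a hit as a lead to
    corroborate with the Run value above, not as proof on its own."""
    hits = []
    for p in paths:
        base = p.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in DROPPED_NAMES:
            hits.append(p)
    return hits


def check_scheduled(commands):
    """Flag 'at' job command lines that launch WINZIP_TMP.exe from a share."""
    return [c for c in commands if AT_JOB_RE.search(c)]


def triage(reg_text, paths, commands):
    """Run all three checks and return them as one dict of findings."""
    return {
        "registry": check_registry(parse_reg_export(reg_text)),
        "files": check_files(paths),
        "scheduled": check_scheduled(commands),
    }


# --- constructed sample inputs (not taken from a real machine) ---
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="scanregw.exe /scan"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"WebView"=dword:00000000
"Hidden"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"FullPath"=dword:00000000
"""
SAMPLE_FILES = [r"C:\WINDOWS\system32\WINZIP_TMP.EXE", r"C:\WINDOWS\Rundll16.exe",
                r"C:\WINDOWS\system32\rundll32.exe", r"C:\WINDOWS\system32\ctfmon.exe"]
SAMPLE_JOBS = [r"at :59 /interactive \\WS01\Admin$\WINZIP_TMP.exe",  # WS01: placeholder host
               r"at 02:00 /every:M C:\scripts\backup.cmd"]

if __name__ == "__main__":
    for section, items in triage(SAMPLE_REG, SAMPLE_FILES, SAMPLE_JOBS).items():
        print(section, "->", items or "no findings")
```

On a real incident the `.reg` text would come from `reg export` of the two Explorer keys and the Run key, and the path list from a directory listing of `%Windir%` and `%System%`; the script deliberately reads only text so it can be run from a clean analysis host.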
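The e-mail characteristics above (the subject list, `.pif`/`.scr` attachments, commas standing in for dots as in `Photos,zip.sCR`, blank spaces padded in front of `.scr`, and uuencode/base64/MIME containers that wrap such a file) translate directly into gateway rules. The following script is an added example for this page, not Symantec's or the blog's code; the message it scans is constructed here, and the inner base64 text is an opaque placeholder rather than a real payload.

```python
"""Mail-gateway triage for the W32.Blackmal.E lure described above.
Added example, not Symantec's or the blog's code; SAMPLE_MAIL is constructed."""
import email
import re
from email import policy

# Subjects quoted in the writeup (the ones usable as exact matches).
KNOWN_SUBJECTS = {s.lower() for s in (
    "*Hot Movie*", "A Great Video", "Fw: DSC-00465.jpg", "Fw: Funny :)",
    "Fw: Picturs", "Fw: Real show", "Fwd: image.jpg", "Fwd: Photo",
    "give me a kiss", "Miss Lebanon 2006", "My photos",
    "Part 1 of 6 Video clipe", "Photos")}
EXEC_EXT = {".pif", ".scr", ".exe"}
CONTAINER_EXT = {".b64", ".bhx", ".hqx", ".mim", ".uu", ".uue", ".xxe"}
FAKE_ARCHIVE_RE = re.compile(r",(?:zip|b64|uue|\.)", re.I)   # "Photos,zip.sCR", "...,.scR"
PADDED_EXEC_RE = re.compile(r"\s+\.(?:scr|pif|exe)$", re.I)  # "Photos,zip      .scr"
INNER_NAME_RES = (
    re.compile(r'filename="([^"\r\n]+)"', re.I),   # MIME fragment inside a .mim/.b64
    re.compile(r"^begin \d{3} (.+?)\s*$", re.M),   # uuencode header inside a .uu/.uue
)


def ext_of(name):
    """Extension of an attachment name, ignoring trailing blanks, lower-cased."""
    stem = name.rstrip()
    return "." + stem.rsplit(".", 1)[1].lower() if "." in stem else ""


def attachment_reasons(name):
    """Heuristics on a single attachment name; an empty list means no match."""
    reasons = []
    if PADDED_EXEC_RE.search(name):
        reasons.append("blank spaces before executable extension")
    ext = ext_of(name)
    if ext in EXEC_EXT:
        reasons.append(f"executable attachment ({ext})")
    if FAKE_ARCHIVE_RE.search(name):
        reasons.append("comma used in place of a dot to fake an archive name")
    if ext in CONTAINER_EXT:
        reasons.append(f"encoded container ({ext}), inspect contents")
    return reasons


def inner_filenames(payload):
    """Pull file names out of a decoded .b64/.mim/.uu payload without decoding
    or running anything inside it; only the header lines are inspected."""
    text = payload.decode("latin-1", errors="replace")
    names = []
    for rx in INNER_NAME_RES:
        for found in rx.findall(text):
            if found not in names:
                names.append(found)
    return names


def scan_message(raw):
    """Return (kind, name, reasons) triples for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in KNOWN_SUBJECTS:
        findings.append(("subject", subject, ["matches the worm's subject list"]))
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        reasons = attachment_reasons(name)
        if reasons:
            findings.append(("attachment", name, reasons))
        if ext_of(name) in CONTAINER_EXT:
            payload = part.get_payload(decode=True) or b""
            for inner in inner_filenames(payload):
                inner_reasons = attachment_reasons(inner)
                if inner_reasons:
                    findings.append(("inner-file", inner, inner_reasons))
    return findings


# Constructed sample: a .B64 container attachment whose MIME headers name a
# blank-padded .scr, as the writeup describes. The base64 body is a harmless
# placeholder string, not a real file.
SAMPLE_MAIL = """\
From: friend@example.org
To: victim@example.com
Subject: Fw: Picturs
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

forwarded message attached.
--XYZ
Content-Type: application/octet-stream; name="Attachments[001].B64"
Content-Disposition: attachment; filename="Attachments[001].B64"
Content-Transfer-Encoding: 7bit

Content-Type: application/octet-stream; name="Photos,zip      .scr"
Content-Disposition: attachment; filename="Photos,zip      .scr"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGZpbGU=
--XYZ--
"""

if __name__ == "__main__":
    for kind, name, reasons in scan_message(SAMPLE_MAIL):
        print(f"{kind:10} {name!r}: {'; '.join(reasons)}")
```

The name-based checks alone miss lures such as `eBook.pdf`, so the container inspection matters: the worm's `.b64`/`.mim`/`.uu` attachments carry their real file name in an inner `filename=` or `begin` line, and that inner name is what a gateway should score.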
       

