MYDOOM.AR: mail and P2P worm that disables antivirus and firewall software and blocks access to the vendors' web portals.

(c) Jorge Machado, Lima, Peru

W32/MyDoom.AR@mm, I.worm.MyDoom.AR@mm
MyDoom.AR is a mass-mailing worm first reported on 9 February 2005. It spreads through e-mail messages whose sender address is forged (e-mail spoofing), with subjects, bodies and attachment names picked at random from fixed lists,
and attachments carrying a variety of extensions.
It also spreads by copying itself into the shared folders of several Peer to Peer networks.
When run, it opens a *.TXT file of "garbage" characters in Notepad as a decoy.
It disables antivirus, firewall and monitoring software, and edits the HOSTS file so that the user can no longer reach selected antivirus vendor portals to update those products.
It is a PE (Portable Executable) that runs on Windows 95/98/NT/Me/2000/XP,
including the NT/2000/Server 2003 server editions. It is written in Visual C++, is about 24 KB in size and is compressed with the UPX packer (Ultimate Packer for eXecutables):
http://upx.sourceforge.net
Using its own SMTP (Simple Mail Transfer Protocol) engine rather than the installed mail client, it mails itself to the addresses it harvests from the Windows Address Book (WAB), the Temporary Internet Files folder
and any files with the following extensions:
- wab
- pl
- adb
- tbb
- dbx
- asp
- edm
- vbs
- wml
- js
- tpl
- conf
- vb
- csp
- asm
- asc
- asa
- dwt
- lbi
- rdf
- rss
- xst
- dlt
- xml
- jsp
- inc
- ssi
- stm
- xht
- htc
- hta
- cgi
- php
- sht
- htm
- txt
The message has the following characteristics:
Sender: forged (e-mail spoofing), chosen at random from the mailboxes harvested from the system or from the files listed above.
Subject: one of the following, chosen at random:
- Good day
- Do not reply to this email
- hello
- Mail Delivery System
- Attention!!!
- Mail Transaction Failed
- Server Report
- Status
- Error
Body: one of the following:
- Mail transaction failed. Partial message is available.
- The message contains Unicode characters and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- Do not visit these sites!!!
- You have visited illegal websites. I have a big list of the websites you surfed.
- You think it's funny? You are stupid idiot!!! I'll send the attachment to your ISP and then I'll be watching
how you will go to jail, punk!!!
- Your credit card was charged for $500 USD. For additional in formation see the attachment
- ESMTP [Secure Mail System #334]: Secure message is attached.
- Encrypted message is available.
- Delivered message is attached.
- Can you confirm it?
- Binary message is available.
- am shocked about your document!
- Are you a spammer? (I found your email on a spammer website!?!
- Bad Gateway: The message has been attached.
- Attention! New self-spreading virus!
- Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. It's about two million people infected and it will be more. to avoid your infection by this virus and to stop it we provide you with full information how to protect yourself
against it and also including free remover. Your can find it in the attachment.
2004 Networks Associates Technology, Inc. All Rights Reserved
- New terms and conditions for credit card holders
Here a new terms and conditions for credit card holders using a
credit cards for making purchase in the Internet in the attachment.
Please, read it carefully. If you are not agree with new terms
and conditions do not use your credit card in the World Wide Web.
Thank you,
The World Bank Group
2004 The World Bank Group, All Rights Reserved
- Thank you for registering at WORLDXXXPASS.COM
All your payment info, login and password you can find in the
attachment file. It's a real good choise to go to
WORLDXXXPASS.COM
- Attention! Your IP was logged by The Internet Fraud Complaint Center
Your IP was logged by The Internet Fraud Complaint Center. There was
a fraud attempt logged by The Internet Fraud Complaint Center from
your IP. This is a serious crime, so all records was sent to the FBI.
All information you can find in the attachment. Your IP was flagged
and if there will be anover attemption you will be busted.
This message is brought to you by the Federal Bureau of Investigation
and the National White Collar Crime Center
- Here is your documents you are requested.
Attachment: one of the following names:
- document
- readme
- doc
- rules
- file
- data
- docs
- message
- body
with one of the following extensions:
The worm copies itself to the %System% folder as lsasrv.exe (a name chosen to resemble the legitimate lsass.exe and lsasrv.dll) and, so that it runs again at every system start, creates or modifies these registry values:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"lsass" = "%System%\lsasrv.exe"
On Windows 2000/XP it also modifies the Winlogon shell value so that Winlogon launches the worm alongside Explorer:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %System%\lsasrv.exe"
%System% stands for C:\Windows\System on Windows 95/98/Me, C:\Winnt\System32 on Windows NT/2000 and C:\Windows\System32 on Windows XP and Windows Server 2003.
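The two persistence entries above are the first thing an incident responder checks on a suspect machine. The following Python script is an example added here, not PER ANTIVIRUS code: it parses a registry export in .reg text form, flags any Run value that launches lsasrv.exe and any program chained into the Winlogon Shell value besides explorer.exe, and resolves %System% per Windows family using the table above. The export text it scans is constructed for the example; the key names, the file name and the Winlogon Shell technique are the ones given in the advisory. On a live machine, export the two keys with reg export or regedit /e and feed the resulting file to the script.

```python
"""Audit a Windows registry export (.reg text) for the two MyDoom.AR
persistence entries described in the advisory: an HKLM ...\Run value that
launches %System%\lsasrv.exe, and a Winlogon "Shell" value that chains a
second program after explorer.exe.  Added example, not PER ANTIVIRUS code."""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
WORM_FILE = "lsasrv.exe"  # drop name given in the advisory

# %System% for each Windows family, as listed in the advisory
SYSTEM_DIRS = {
    "9x": r"C:\Windows\System",          # Windows 95/98/Me
    "nt4_2000": r"C:\Winnt\System32",    # Windows NT/2000
    "xp_2003": r"C:\Windows\System32",   # Windows XP / Server 2003
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def expand_system(path: str, os_family: str) -> str:
    """Resolve %System% in an advisory-style path for a given Windows family."""
    return path.replace("%System%", SYSTEM_DIRS[os_family])


def _unescape(s: str) -> str:
    # .reg exports double every backslash and escape embedded quotes
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"="string" lines.  Keys are lower-cased (the registry is
    case-insensitive); non-string data such as dword:/hex: is kept raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def _exe_name(cmd: str) -> str:
    """File name of the program a command line launches, lower-cased.
    Handles a quoted path with spaces; an unquoted path with spaces is cut
    at the first space, as Windows itself would try first."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        cmd = cmd[1:end] if end > 0 else cmd[1:]
    else:
        cmd = cmd.split()[0] if cmd else ""
    return cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_mydoom_persistence(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (location, value_name, program) for each suspicious entry:
    any Run value whose program is the worm's file name, and any program in
    the Winlogon Shell value other than explorer.exe (Shell accepts several
    programs separated by spaces or commas, which is what the worm abuses)."""
    keys = parse_reg(reg_text)
    findings: List[Tuple[str, str, str]] = []
    for name, cmd in keys.get(RUN_KEY.lower(), {}).items():
        if _exe_name(cmd) == WORM_FILE:
            findings.append(("Run", name, cmd))
    shell = keys.get(WINLOGON_KEY.lower(), {}).get("Shell", "explorer.exe")
    for program in re.split(r"[\s,]+", shell.strip()):
        if program and _exe_name(program) != "explorer.exe":
            findings.append(("Winlogon", "Shell", program))
    return findings


# Constructed export of an infected Windows XP machine (not a real capture)
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"lsass"="C:\\WINDOWS\\System32\\lsasrv.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\System32\\lsasrv.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

# Same machine after cleaning: worm value removed, Shell back to default
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''

if __name__ == "__main__":
    print("expected worm path on XP:", expand_system(r"%System%\lsasrv.exe", "xp_2003"))
    for location, value, program in find_mydoom_persistence(INFECTED_REG):
        print(f"{location} value {value!r} launches {program}")
```

Remediation is the reverse of what the script reports: delete the Run value and set the Winlogon Shell value back to the bare explorer.exe, then delete %System%\lsasrv.exe after a reboot, since the file is in use while the worm runs.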
At the next system start it again displays a .txt file of "garbage" characters, opened in Notepad, and then terminates the following processes. The list mixes antivirus and personal-firewall products (for example navapw32.exe and navw32.exe of Norton AntiVirus, zonealarm.exe and zapro.exe of ZoneAlarm, outpost.exe of Outpost Firewall and PandaAVEngine.exe of Panda) with the processes of rival worms such as MSBLAST.exe (Blaster), teekids.exe (Blaster.B) and bbeagle.exe (Bagle), and also the Windows netstat.exe utility, which hampers checking the machine for the worm's SMTP connections:
- i11r54n4.exe
- irun4.exe
- d3dupdate.exe
- rate.exe
- ssate.exe
- winsys.exe
- winupd.exe
- SysMonXP.exe
- bbeagle.exe
- Penis32.exe
- teekids.exe
- MSBLAST.exe
- mscvb32.exe
- sysinfo.exe
- PandaAVEngine.exe
- taskmon.exe
- wincfg32.exe
- outpost.exe
- zonealarm.exe
- navapw32.exe
- navw32.exe
- zapro.exe
- msblast.exe
- netstat.exe
The worm appends entries to the HOSTS file at %System%\drivers\etc\hosts (on Windows 95/98/Me the file is C:\Windows\hosts) that resolve antivirus vendor hosts to the loopback address, so that their update and download sites can no longer be reached by name even though the network itself works:
- 127.0.0.1 grisoft.com
- 127.0.0.1 www.grisoft.com
- 127.0.0.1 www.trendmicro.com
- 127.0.0.1 rads.mcafee.com
- 127.0.0.1 customer.symantec.com
- 127.0.0.1 liveupdate.symantec.com
- 127.0.0.1 us.mcafee.com
- 127.0.0.1 updates.symantec.com
- 127.0.0.1 update.symantec.com
- 127.0.0.1 www.nai.com
- 127.0.0.1 secure.nai.com
- 127.0.0.1 dispatch.mcafee.com
- 127.0.0.1 download.mcafee.com
- 127.0.0.1 my-etrust.com
- 127.0.0.1 www.my-etrust.com
- 127.0.0.1 mast.mcafee.com
- 127.0.0.1 ca.com
- 127.0.0.1 www.ca.com
- 127.0.0.1 www.networkassociates.com
- 127.0.0.1 www.kaspersky.com
- 127.0.0.1 www.avp.com
- 127.0.0.1 kaspersky-labs.com
- 127.0.0.1 kaspersky.com
- 127.0.0.1 f-secure.com
- 127.0.0.1 www.f-secure.com
- 127.0.0.1 viruslist.com
- 127.0.0.1 www.viruslist.com
- 127.0.0.1 liveupdate.symantecliveupdate.com
- 127.0.0.1 mcafee.com
- 127.0.0.1 www.mcafee.com
- 127.0.0.1 sophos.com
- 127.0.0.1 www.sophos.com
- 127.0.0.1 securityresponse.symantec.com
- 127.0.0.1 www.symantec.com
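A poisoned HOSTS file is easy to audit, because any name other than localhost that resolves to 127.0.0.1 (or 0.0.0.0) is suspect. The following Python script is an example added here, not PER ANTIVIRUS code: it parses a HOSTS file, reports every sinkholed name, marks the ones that fall under the vendor domains in the list above, and produces a cleaned copy that drops those entries while keeping the localhost line and every other line verbatim. The HOSTS content it scans is constructed for the example. Run it against a copy of the file rather than the live one; HOSTS is also a popular place for ad-blocking entries, which the script reports but by default does not remove.

```python
"""Audit a Windows HOSTS file for the MyDoom.AR-style poisoning described
in the advisory: antivirus vendor hosts pinned to 127.0.0.1 so that updates
and downloads fail by name.  Added example, not PER ANTIVIRUS code; the
HOSTS content at the bottom is constructed for the example."""
from typing import Dict, List, Set, Tuple

# Addresses that blackhole a name; 0.0.0.0 is used for the same purpose
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
# Vendor domains taken from the advisory's list; suffix match covers sub-hosts
AV_DOMAINS = (
    "grisoft.com", "trendmicro.com", "mcafee.com", "symantec.com",
    "symantecliveupdate.com", "nai.com", "networkassociates.com",
    "my-etrust.com", "ca.com", "kaspersky.com", "avp.com",
    "kaspersky-labs.com", "f-secure.com", "viruslist.com", "sophos.com",
)


def is_av_vendor(name: str) -> bool:
    """True if name is one of the vendor domains or a host under one."""
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in AV_DOMAINS)


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """(line_no, address, [names]) for every effective entry; '#' starts a
    comment anywhere on the line, blank and comment-only lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((n, fields[0], [f.lower() for f in fields[1:]]))
    return entries


def find_sinkholed(text: str) -> List[Tuple[int, str, bool]]:
    """(line_no, hostname, is_av_vendor) for every non-local name mapped to
    a sinkhole address.  Every hit deserves a look; a vendor hit is the
    update-blocking signature the advisory describes."""
    hits = []
    for n, addr, names in parse_hosts(text):
        if addr in SINKHOLE_IPS:
            hits += [(n, h, is_av_vendor(h)) for h in names if h not in LOCAL_NAMES]
    return hits


def clean_hosts(text: str, only_av: bool = True) -> str:
    """Rewrite the file without the poisoned names (vendor hits only, unless
    only_av is False).  Untouched lines are kept verbatim; a line that mixed
    localhost with poisoned names keeps only the legitimate names and loses
    its trailing comment."""
    poisoned: Dict[int, Set[str]] = {}
    for n, name, av in find_sinkholed(text):
        if av or not only_av:
            poisoned.setdefault(n, set()).add(name)
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        if n not in poisoned:
            out.append(raw)
            continue
        fields = raw.split("#", 1)[0].split()
        keep = [f for f in fields[1:] if f.lower() not in poisoned[n]]
        if keep:
            out.append(fields[0] + "\t" + " ".join(keep))
    return "\n".join(out) + "\n"


# Constructed HOSTS file: stock localhost line, worm-added vendor entries
# (one of them padded onto the localhost line), a user's ad-blocking entry
# and one ordinary internal host.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
127.0.0.1 localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.grisoft.com
127.0.0.1 update.symantec.com   # appended by the worm
127.0.0.1 localhost www.kaspersky.com
127.0.0.1 ads.example.net
192.168.1.10 fileserver.corp.example
"""

if __name__ == "__main__":
    for line_no, host, av in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} sinkholed" + (" (AV vendor)" if av else ""))
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

After replacing the file, flush the resolver cache (ipconfig /flushdns on Windows 2000/XP) before retrying the vendor update, otherwise the cached loopback answer survives the fix for a while.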
To spread over the Kazaa, Morpheus, iMesh, eDonkey and LimeWire Peer to Peer networks, it copies itself into their shared download folders under the following names, chosen to look like cracks, patches and popular software:
- NeroBROM6.3.1.27
- avpprokey
- Ad-awareref01R349
- winxp_patch
- adultpasswds
- dcom_patches
- K-LiteCodecPack2.34a
- activation_crack
- icq2004-final
- winamp5
followed by one of the extensions .bat, .pif, .scr or .exe.
PER ANTIVIRUS® version 9.1 with virus definitions dated 9 February 2005 detects and removes this worm.

