Slurk

SLURK gusano infecta discos removibles de recursos compartidos deshabilita antivirus impide acceso a Internet, etc.

W32/Slurk

Slurk es un gusano reportado el 07 de Junio del 2007 que se propaga a través de servicios de Internet e infecta las unidades de disco removibles y de redes con recursos compartidos.

Deshabilita antivirus y software de seguridad, termina procesos y servicios. Desestabiliza la seguridad de Windows.

Modifica el archivo HOSTS para impedir el acceso a sitios web relacionados a software antivirus.

Infecta Windows 95/98/NT/Me/2000/XP y Server 2003, está programado en Visual C++ con 47.5KB de extensión.

Al activarse se copia a la carpeta %System% con los nombres de archivos:

%System%\alligt.exe
%System%\severe.exe
%System%\drivers\conime.exe
%System%\drivers\nkruls.exe
%System%\hx1.bat
%System%\noruns.reg

el gusano libera una copia de un archivo capturador de información en la ruta:

%System%\alligt.dll

y para activarse la próxima vez que se re-inicie el sistema crea las llaves:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"alligt" = "%System%\severe.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"nkurls" = "%System%\alligt.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe %System%\drivers\conime.exe"

%System% es la variable C:\Windows\System para Windows 95/98/Me, C:\Winnt\System32 para Windows NT/2000 y C:\Windows\System32 para Windows XP y Windows Server 2003.

Para deshabilitar diversos antivirus y software de seguridad crea las llaves:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.com]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe]
"Debugger" = "%System%\drivers\nkruls.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32.exe]
"Debugger" = "%System%\drivers\nkruls.exe"

Para desestabilizar la seguridad del sistema crea las sub-llaves:

[HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall]
"Checked Value" = "0"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "b5"

Al siguiente inicio del equipo el gusano termina los siguientes procesos:

sc.exe
cmd.exe
net.exe
sc1.exe
net1.exe
PFW.exe
Kav.exe
KVOL.exe
KVFW.exe
adam.exe
qqav.exe
qqkav.exe
TBMon.exe
kav32.exe
kvwsc.exe
CCAPP.exe
KRegEx.exe
kavsvc.exe
VPTray.exe
RAVMON.exe
EGHOST.exe
KavPFW.exe
SHSTAT.exe
RavTask.exe
TrojDie.kxp
Iparmor.exe
MAILMON.exe
MCAGENT.exe
KAVPLUS.exe
RavMonD.exe
Rtvscan.exe
Nvsvc32.exe
KVMonXP.exe
Kvsrvxp.exe
CCenter.exe
KpopMon.exe
RfwMain.exe
KWATCHUI.exe
MCVSESCN.exe
MSKAGENT.exe
kvolself.exe
KVCenter.kxp
kavstart.exe
RAVTIMER.exe
RRfwMain.exe
FireTray.exe
UpdaterUI.exe
KVSrvXp_1.exe
RavService.exe

asi como tambien los siguientes servicios:

srservice
sharedaccess
KVWSC
KVSrvXP
kavsvc
RsCCenter
RsRavMon

al infectar el archivo HOSTS le antepone el valor 127.0.0.1 para impedir el acceso a sitios web de antivirus y software de seguridad:

127.0.0.1 localhost
127.0.0.1 mmsk.cn
127.0.0.1 ikaka.com
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com

Luego revisa todas la unidades de disco removibles y de recursos compartidos y se copia a cada una de ellas:

[Unidad_disco]:\autorun.inf
[Unidad_disco]:\OSO.exe

el gusano borra los archivos:

%System%\hx1.bat
%System%\noruns.reg

finalmente cambia la fecha del sistema infectado a Enero 22, 2004

PER ANTIVIRUS® versión 10.1 con registro de virus al 07 de Junio del 2007 detecta y elimina eficientemente este gusano.