W32/Zhelati.AMB

ZHELATI.MAB, gusano de correo termina procesos se conecta a direcciones IP que contienen falso video de YouTube.

W32/Zhelati.MAB@mm

Zhelati.MAB es un gusano de correo residente en memoria reportado el 29 de Agosto del 2007 de propagación masiva, via correo y HTTP que se conecta a sitios que muestran un falso video de YouTube y descarga una copia del gusano.

Es un PE (Portable Ejecutable) e infecta Windows 98/NT/Me/2000/XP y Server 2003, desarrollado en Visual C++, con una extensión de 137KB y comprimido con el utilitario UPX (Ultimate Packer for eXecutables):

http://upx.sourceforge.net

Posee su propio SMTP (Simple Mail Transfer Protocol) y extrae los buzones de correo de la Libreta de Direcciones de Windows WAB (Windows Address Book) y de los archivos con las siguientes extensiones:

dhtm
shtm

evitando infectar las que tengan una de la siguientes cadenas:

@avp.
@iana
@messagelab
@microsoft
abuse
admin
anyone@
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
linux
listserv
local
nobody@
noone@
noreply
ntivi
panda
postmaster@
rating@
root@
samples
sopho
support
update
winrar
winzip

El mensaje tiene las siguientes características:

Asunto, uno de los siguientes:

are you kidding me? lol
Dude of which send that stuff to my home email…
Dude your gonna get caught, lol
Dude, what yew your wife finds this?
HAHAHAHAHAHA, man your insane!
how did you get that one film, man?
I cant belive you did this
LMAO, your crazy man
LOL, dude what are you doing
LOL, that is cool too .....
man, who filmed this thing?
oh man your nutz
ROTFLMAO, who is that your with? C
sheesh man, what are you thinkin
this is too crazy, goal she is hot
where did you hide that camera?
where did you hook up with that?
Where did you take that?
Who is that your with? lol

Contenido:

Dude I know thats you, someone emailed me has link to the video. see for yourself… http://www.youtube.com/watch?v=[11_caracteres_aleatorios]
If your mom sees this she this video of you she is gonna freak. here is where I found it… http://www.youtube.com/watch?v=[11_caracteres_aleatorios]
LMAO, I cant believe you could this video online. Everyone edge see your face there. LOL check it out yourself http://www.youtube.com/watch?v=[11_caracteres_aleatorios]
Man you cuts got to tell me where you picked her up. I saw this one the Web, it has to be you. see for yourself… http://www.youtube.com/watch?v=[11_caracteres_aleatorios]
OMG, what are you doing man. This video of you is all over the Net. go look at it… http://www.youtube.com/watch?v=[11_caracteres_aleatorios]
This is not good. Yew this video gets to her husband your both dead. check it out yourself http://www.youtube.com/watch?v=[11_caracteres_aleatorios]
What are you thinking… yew stalemate sees this your divorced dude. : - {) young stag is the link I got http://www.youtube.com/watch?v=[11_caracteres_aleatorios]
Yew your dad see this video you made, He is gonna kill you. take has look, lol… http://www.youtube.com/watch?v=[11_caracteres_aleatorios]
Yew your mom sees this she this video of you she is gonna freak. check it out yourself http://www.youtube.com/watch?v=[11_caracteres_aleatorios]
You need to take this offline, it is in everyones email. : - (go look At it… http://www.youtube.com/watch?v=[11_caracteres_aleatorios]
You edge see your face right in the video. its all over the Web dude. this is the link to it. http://www.youtube.com/watch?v=[11_caracteres_aleatorios]

Al ingresar al sistema, el gusano se copia a las siguientes rutas con los nombres:

%System%\spooldr.sys (troyano)
%Windows%\spooldr.exe (gusano)
%Windows%\spooldr.ini (archivo inocuo)

para ejecutarse la próxima vez que se inicie el sistema, crea la siguiente llave de registro:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spooldr" = "%System%\spooldr.exe"

Para controlar las direcciones IP a las cuales se conectará y evitar ser removido, el gusano modifica el archivo TCPIP.SYS, ubicado en:

%System%\drivers\
%System%\dllcache\

%Windir% es una variable que corresponde a C:\Windows en Windows 95/98/Me/XP/Server 2003 y C:\Winnt en Windows NT\2000.

%System% es la variable C:\Windows\System para Windows 95/98/Me, C:\Winnt\System32 para Windows NT/2000 y C:\Windows\System32 para Windows XP.

Al siguiente inicio del equipo, el gusano inicia su rutina de envio de mensajes de correo y termina cualquiera de los siguientes procesos, en caso estuviesen activados:

1ClickSpyClean.exe
180ax.exe
180sa.exe
!update.exe
a.exe
a2antidialer.exe
a2pr.exe
aaupdt.exe
aawservice.exe
AceClubCasino.exe
acefilesearch.exe
aceziprun.exe
actalert.exe
ActiveNetworkMonitor.exe
Ad-PurgeDemo.exe
adaware.exe
AdAway.exe
AdGold.exe
admagic.exe
adsalert.exe
AdsCleaner.exe
adwarebazooka.exe
AdwareDeluxe.exe
AdwarePatrol.exe
adwarepunisher.exe
AdwareSpy4.exe
adwin.exe
AgentSpyware.exe
AGSeiApp.exe
AGuardDogSuiteNT.exe
akl.exe
AKV.exe
alchem.exe
AlertSpy.exe
alevir.exe
AlfaCleaner.exe
alhlp.exe
alogcfg.exe
alsys.exe
am102.EXE
answers.exe
antispam.exe
antispysoldier.exe
AntivirusGolden.exe
apc_Admin.exe
App.exe
APS.exe
Armor2net.exe
AS100.exe
ashdisp.exe
ashmaisv.exe
ashserv.exe
ashwebsv.exe
aso.exe
aswupdsv.exe
atlantis.exe
atmclk.exe
AutoUpdateRun.exe
avgagent.exe
avgemc.exe
avkbar.exe
avp.exe
avpm.exe
avsched32.exe
avz.exe
baigoo.exe
bargains.exe
BarMan.exe
BazookaBar.exe
bbchk.exe
bdmcon.exe
bdss.exe
BearShare.exe
BECONFIG.EXE
beta.exe
beyondremotefull.exe
bfk.exe
block-checker.exe
bpk.exe
BPSDataShredder.exe
BPSPopupShld.exe
BraveSentry.exe
cavrid.exe
cavtray.exe
ccapp.exe
ccevtmgr.exe
ccimscan.exe
cclaw.exe
cclgview.exe
ccpxysvc.exe
cfgwiz.exe
clamservice.exe
cpd.exe
cpf.exe
crypserv.exe
dfw.exe
dllhost32.exe
dsentry.exe
EbatesMoeMoneyMaker.exe
edonkey2000.exe
eitcwd.exe
ERS.exe
escorcher.exe
ETDScanner.exe
ethscout.exe
ETMP.exe
eww.exe
EyetideController.exe
f-sched.exe
f-stopw.exe
farsighter.exe
FatBuster.exe
fdd.exe
ferret.exe
fie5344.exe
FireWalker.exe
FloboSpywareClean.exe
ForbesAlerts.exe
fpavupdm.exe
freedom.exe
freeprodtb.exe
FroggieScanDemo.exe
fs30.exe
fsav32.exe
fsbl.exe
fsdfwd.exe
fservice.exe
fsm32.exe
ftviewer.exe
fvprotect.exe
fwnet64.exe
gcasdtserv.exe
gcasserv.exe
GeoWhere.2.61.lite.exe
gestionnaire antidote.ex
GetByMail.exe
GiveMeToo.exe
Gnucleus.exe
GoodbyeSpy.exe
GrabBurn.exe
guard.exe
gv.exe
hackmon.exe
HbtOEAddOn.exe
hidownload.exe
HitVirus.exe
hwpe2.exe
iao.exe
icmon.exe
IEWatch20.exe
IncrediMail
inetupd.exe
install.exe
InternetSpy.exe
IntraKey.exe
irsetup.exe
isafe.exe
isamini.exe
isamonitor.exe
isass.exe
isclean.exe
ishost.exe
ismini.exe
isnotify.exe
issearch.exe
issvc.exe
itbill.exe
itunesmusic.exe
iwnvod.exe
ixt0.dll
Jimmy Surf.exe
JustRemoteITServer.exe
kav.exe
kavss.exe
kavsvc.exe
KeyLogger.exe
KeyLover21.exe
KillAndClean.exe
klpf.exe
klswd.exe
kpf4ss.exe
little_helper2.exe
livesrv.exe
LoggerConfigurator.exe
lsasrv.exe
lsass32.exe
magiclink.exe
MagPlayer.exe
MailSkinner.exe
Main.exe
MainWnd.exe
MalScr.exe
MalSwep.exe
MalwareDestroyer.exe
MalWhere.exe
mathchk.exe
mcagent.exe
mcshield.exe
mctskshd.exe
MemoryWatcher.exe
MNS.exe
Mob Masher.exe
moni.exe
monifree.exe
MP3Galaxy.exe
MPPoker.exe
mscornet.exe
msecag.exe
msgsys.exe
MSHUTDOWN.exe
msls32.exe
MsnSniffer.exe
mssearchnet.exe
msssrv.exe
multipl.exe
MWSOEMON.EXE
MyVideoDaily2.exe
navapp.exe
navstub.exe
navw32.exe
NetCtl.exe
NetPumperIEProxy.exe
Netzip.exe
nisum.exe
Njexplor.exe
NLSupervisorPro.exe
no32mon.exe
nod32krn.exe
nod32ra.exe
norton update.exe
nsmdtr.exe
nstask32.exe
nvctrl.exe
OemjiShare.exe
ofcdog.exe
optimize.exe
outpost.exe
Overseer.exe
OverSpy.exe
P2P Networking.exe
pavfnsvr.exe
pbcpl.exe
PBOptions.exe
PC Scanner.exe
pcacmes.exe
PCagent.exe
PCBusted.exe
pcOrion.exe
pcps.exe
PCSmokingGun2.exe
pctptt.exe
pcwatch.exe
Penguin Panic.exe
personalmoneytree.exe
pesttrap.exe
PestWiper.exe
picx.exe
PKViewer.exe
plook.exe
pmmon.exe
pmsngr.exe
pmuninst.exe
POPUPS~1.EXE
powerscan.exe
ppmemcheck.exe
ppsys.exe
ppv5.exe
PrecisionTime.exe
PrivacyCrusaderDemo.exe
PrivateMailReader.exe
ProcAlert.exe
Pronto.exe
prt.exe
PSFree.exe
pxckdla.exe
qconsole.exe
qpanel.exe
rasautou.exe
RazeSpyware.exe
RCPAdmin.exe
rdriv.sys
Recorder.exe
regbar.exe
RegClean32.exe
Registry Fix.exe
RegistryCare.exe
RegistrySweeper.exe
regresc.exe
RemedyAntispy.exe
removeit.exe
RepSvc.exe
RFManager.exe
rpcsetup.exe
rrtcany.dll
rtvscan.exe
RunBackGammon.exe
RunBingo.exe
Safewebsurfer.exe
sandboxieserver.exe
SAR.exe
SaveMyWork.exe
savscan.exe
sb32mon.exe
sbserv.exe
sbsse.exe
Scan&Repair2006.exe
Scanner.exe
scanregw.exe
Scrabble.exe
Sd2006.exe
SecCon.exe
Secret Spy.exe
Security iGuard.exe
SeeStat.exe
serv.exe
service.exe
service32.exe
SGFwSvc.exe
showbar.exe
ShowBehind.exe
sidefind.exe
SK60.exe
skin2000.exe
sks32proc.exe
SlimShield.exe
slman.exe
SmileySource.exe
smoke.exe
smpcpro.exe
smss32bk.exe
SnackMan.exe
sndsrvc.exe
Snoop.exe
SnowballWars.exe
Sp0.exe
sp_rsser.exe
spamihilator.exe
spampal.exe
spbbcsvc.exe
Spedia.exe
Spy Cleaner Gold.exe
Spy Cleaner Platinum.exe
SpyAOL.exe
SpyBro.exe
spycl4.exe
SpyFighter.exe
SpyGraphica.exe
SpyHeal.exe
SpyHunter.exe
SpyiBlock.exe
Spyinator.exe
SpyKiller.exe
SpyLax.exe
SpyMon.exe
SpyOnThis.exe
SpyPry.exe
SpyReaperProDemo.exe
spyrem.exe
spyshield.exe
SpySniper.exe
SpySpotter.exe
SpySub.exe
Spytector.exe
spytrooper.exe
SpyViperProDemo.exe
Spyware_Annihilator.exe
SpywareBot.exe
SpywareDetector.exe
SpywareDisinfector.exe
SpywareQuake.exe
spywareremovalwizard.exe
SpywareRemover.exe
SpywareSlayer.exe
SpywareStormer.exe
SSDemo.exe
sservice.exe
Ssk.exe
ssp.exe
sss.exe
StaffCop.exe
stardialer.exe
StartPoker.exe
stinger.exe
STMonitor.exe
story.exe
sunshinebingo.exe
Surfkeeper.exe
sv.exe
svcmon.exe
swatcher.exe
swdoctor.exe
swnxt.exe
symwsc.exe
syscfg32.exe
sysd.exe
sysformat.exe
syslog.exe
Syslogin.exe
sysmgr32.exe
sysmgr64.exe
system.exe
taskdir.exe
tasker.exe
titanshield.exe
tmoagent.exe
Toolbar_cobrand.EXE
ToolKeylogger.exe
TopSearch.exe
tpcl.exe
truedownloader.exe
TrustCleaner.exe
TTBSETUP.exe
TVS_B.exe
TWAB5.exe
u88.exe
UDC2006.exe
uert.exe
UltraKeyboard.exe
UnSpyPC.exe
update.bat
updsvc.exe
userinit32.exe
usrprmpt.exe
USYP.exe
UTviewer.exe
VCatch.exe
vcehaeb.dll
vetmsg.exe
vetmsg9x.exe
vettray.exe
view.exe
viewer.exe
VIRTUESCOPE.exe
VirusRescue.exe
vptray.exe
was6.exe
wcantispy.exe
Weather.exe
webrebates.exe
websnitch.exe
wfdmgr.exe
whspeedrank.exe
WICleaner.exe
win16dll.exe
WinAV.exe
wincom32.sys
wincp.exe
windll.exe
winlogin.exe
winlogons.exe
winlogonsys.exe
WinPass.exe
WinSL.exe
winsrv32.exe
wmsmod32.exe
wnames.exe
wnetmgr.exe
words.exe
WorldAntiSpy.exe
wrclock.exe
ws.exe
wslogger.exe
WSMDI.exe
WTRTrial.exe
wupdt.exe
X-Con Spyware Destroyer.exe
xcommsvr.exe
xfr.exe
Xolox.exe
xp-antispy.exe
xSpyware.exe
zango.exe
ZangoAstrology.exe
ZangoTVTimes.exe
zapspot.exe
zcodec.exe
ZComService.exe
zilla.exe
ZipItFast.exe

Al hacer click en el enlace del mensaje, se conecta a diversas direcciones IP que abren páginas web falsas con un archivo de video de YouTube. En caso que el usuario haga click en el video, descargará el archivo VIDEO.EXE, que es una copia del gusano que infectará a otors usuarios.

PER ANTIVIRUS® versión 10.2 con registro de virus al 29 de Agosto del 2007 detecta y elimina eficientemente este gusano.