Win32.Worm.Mexer.E

Geo · August 19, 2006

SIMPTOME:

- Prezenta fisierului C:sysnet

- Prezenta urmatorului fisier in fisierul C:sysnet:

Ruby31.exe (30,720 bytes)

- Prezenta mai multor copii ale Ruby31.exe (30,720 bytes) in fisierul C:sysnet sub diferite nume

- Prezenta urmatoarelor chei de registrii sau intrari:

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun]

"Ruby13"="c:sysnetRuby13.exe"

unde %WINDOWS% indica spre fisierul Windows (sau WinNT in sistemele bazate pe Windows NT)

%SYSTEM% indica spre fisierul "System" pe sistemele Windows 9x si fisierul "System32" in sistemele WinNT.

DESCRIERE TEHNICA:

Virusul se imprastie prin e-mail si, de asemenea, prin retelele Kazaa si Imesh.

De obicei ajunge la destinatar prin intermediul e-mailului. Formatul mailului este urmatorul:

De la: (adresa ascunsa)

Pentru: (adresa “recoltata”)

Subiect: EBAY Information

Corp: EBAY Installer...

Atasament: EBAY.exe

Subiect: VISA Information

Corp: Security Tool...

Atasament: VISA.EXE

Subiect: Provider Information

Corp: New account data...

Atasament: PROVIDER.EXE

Subiect: Your Crack

Corp: Here is your crack!

Atasament: (one of the copies of the virus)

Subiect: Internet Information

Corp: New account data...

Atasament: INTERNET.EXE

Cand este rulat, virusul face urmatoarele:

1. Afiseaza urmatorul mesaj:

Ruby V1.3

Serial: %random%

File crack...

Nota: %random% este un numar luat la intamplare (ex: Numarul serial: 41365345)

2. Creeaza fisierul C:sysnet unde isi face copii sub urmatoarele nume:

A+ Certification Test.exe

Borland KeyGens.exe

BurnDvds.exe

Cisco Certification Test.exe

Counter-Strike, Condition Zero - Activation Key.exe

Counterstrike aim hack.exe

Counterstrike hacks.exe

Crack McAfee 7.exe

Crack Norton 3000.exe

Diablo 2 map hack.exe

Diablo 2 no-cd hack.exe

Dvd Ripper.exe

Dvd To Vcd.exe

Easy Dvd Ripper.exe

EZ Dvd Ripper.exe

icqbomber.exe

Information.exe

MP3 encoder decoder V1.8.exe

MSCE Certification Test.exe

Nero Burning ROM v6.3 Ultra - Enterprise edition key.exe

Nimo Codec Pack Updater.exe

PANDA.AVers.lusers.exe

PANDA.lusers.exe

s Diablo 2 hero editor.exe

SophosCrackAllVersion.exe

Starcraft + Broodwar 1.10 map hack.exe

Starcraft + Broodwar 1.10 no-cd hack.exe

The Frozen Throne map hack.exe

Warcraft 3 Frozen Throne cd-cd hack.exe

Warcraft 3 Frozen Throne map hack.exe

Warcraft 3 map hack.exe

Warcraft 3 no-cd hack.exe

Warcraft 3 stat hack.exe

Windows Nt Certification Test.exe

XBOX X-Fer Ripper and Transfer.exe

Xvid Codec Installer.exe

Si de asemenea isi creeaza copii prin adaugarea

Keygen.exe

Serial.exe

NoCD.exe

Crack.exe

la urmatoarele nume:

Adobe Photoshop CS and ImageReady CS 8.0

Airport Tycoon II -

All Adobe Products

All Macromedia Products

All Microsoft Products

American Conquest -

Apache AH-64 Air Assault -

Battlefield 1942 The Road to Rome -

Battlefield Vietnam -

BitDefender

Bridge Baron 13

Command and Conquer Generals

Deus Ex -

Divx Pro 5.1

Doom 3 -

Dvd Plus

Dvd Wizard Pro

Dvd Xcopy

DvdCopyOne

DvdToVcd

Easy Dvd creator

Eonix Realm Of Hepmia -

Fetish Fighters -

Forbidden Siren -

Freelancer -

Grom -

Harry Potter and the Prisoner of Azkaban KeyGen and

Harry Potter und der Gefangene von Askaban

I Was An Atomic Mutant -

IGI-2 Covert Strike -

Impossible Creatures -

Ipswich Town Official Management Game -

Jamella

Kazaa all

Microsoft Windows XP Professional

Nascar Racing 2003 Season

Nero Burning Rom

Nod32

Norton AntiVirus 2004 Pro Activation Key &

Norton AntiVirus 2005

Norton Internet Security 2004 Keygen &

Norton Internet Security 2004 Pro

Norton Internet Security 2005 Pro

Office XP Universal

Private Nurse -

Robot Arena Design And Destroy -

Serious Sam - Gold Edition -

Shadow of Memories -

Shrek 2

Sim City 4 -

Slot City 3

Spellforce - Breath of Winter

Spider-Man 2

Symantec Antivirus 2005

Symantec Internet Secutiy 2005

Test Drive -

The Campaigns of La Grande Armee -

The Emperors Mahjong -

Tom Clancys Splinter Cell -

Tombstone 1882 -

Unreal II The Awakening -

WinACE

Windows Server 2003

WinRAR 3

WinZIP 9

World Of Outlaws Sprint Car Racing 2002 -

Zone Alarm 5.0 pro

(exemplu: Zone Alarm 5.0 pro Crack.exe, BitDefender Keygen.exe)

3. Seteaza folderul de descarcare/sheruit default Kazaa si Imesh pe c:sysnet

4. Creeaza intrarea de registrii:

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun]

"Ruby13"="c:sysnetRuby13.exe"

pentru a rula la startup.

5. Incepe sa recolteze adrese de e-mail in fisiere care au terminatia:

*.wab

*.dbx

*.htm

*.sht

*.txt

*.doc

*.rtf

Dar evitand adresele de e-mail continand:

supp

webm

viru

newv

kasp

micr

root

admi

host

si se trimite la fiecare adresa de e-mail gasita in formatul de e-mail descris mai sus folosind propriile motoare smtp.

6. Poate sa afiseze un mesaj:

Fight against MICROSOFT and make a virus!

INSTRUCTIUNI DE DEZINFECTIE:

- Folositi utilitarul de dezinfectie gratuit pus la dispozitie de BitDefender

- Dezinfectie automata: lasati BitDefender sa stearga/dezinfecteze fisierele gasite infectate.

ANALIZAT DE:

Patrik Vicol BitDefender Virus Researcher

Trane22_India · April 22, 2008

Ciudat sau nu dar o porcarie deasta am eu.Am vrut sa iau un crack al un program.Am download o arhiva am deschiso si a inceput sami apara pe desktop file ciudate.Le-am sters si am dat Ctrl Alt Del si "Command removed by administrator".Am intrat in registry si am activat din nou am inchis fisierul crack.exe si deatuncea imi merge calculatorul ca o caruta, si tot imi spune sa downloadeze programe de remove la care cauti 2 ore ptr un serial si nu le gasesti.Acuma ma chinui sal scot fara sa dau format[dak se pote:D] k am dat 4 formaturi saptamana asta>sper k asta sa ma ajute.Windows-ul imi vede virusul ca Win32NetBooster ceva de gen asta.