Geo

Win32.Worm.Mexer.E


SYMPTOMS:

- Presence of the folder C:\sysnet

- Presence of the following file in the folder C:\sysnet:

Ruby31.exe (30,720 bytes)

- Presence of several copies of Ruby31.exe (30,720 bytes) in the folder C:\sysnet under different names

- Presence of the following registry keys or entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"Ruby13"="c:\sysnet\Ruby13.exe"

where %WINDOWS% points to the Windows folder (or WinNT on Windows NT-based systems)

%SYSTEM% points to the "System" folder on Windows 9x systems and to the "System32" folder on WinNT systems.

TECHNICAL DESCRIPTION:

The virus spreads via e-mail and also through the Kazaa and Imesh networks.

It usually reaches the recipient by e-mail. The mail format is as follows:

From: (hidden address)

To: ("harvested" address)

Subject: EBAY Information

Body: EBAY Installer...

Attachment: EBAY.exe

Subject: VISA Information

Body: Security Tool...

Attachment: VISA.EXE

Subject: Provider Information

Body: New account data...

Attachment: PROVIDER.EXE

Subject: Your Crack

Body: Here is your crack!

Attachment: (one of the copies of the virus)

Subject: Internet Information

Body: New account data...

Attachment: INTERNET.EXE

When run, the virus does the following:

1. Displays the following message:

Ruby V1.3

Serial: %random%

File crack...

Note: %random% is a randomly chosen number (e.g. Serial number: 41365345)

2. Creates the folder C:\sysnet, where it makes copies of itself under the following names:

A+ Certification Test.exe

Borland KeyGens.exe

BurnDvds.exe

Cisco Certification Test.exe

Counter-Strike, Condition Zero - Activation Key.exe

Counterstrike aim hack.exe

Counterstrike hacks.exe

Crack McAfee 7.exe

Crack Norton 3000.exe

Diablo 2 map hack.exe

Diablo 2 no-cd hack.exe

Dvd Ripper.exe

Dvd To Vcd.exe

Easy Dvd Ripper.exe

EZ Dvd Ripper.exe

icqbomber.exe

Information.exe

MP3 encoder decoder V1.8.exe

MSCE Certification Test.exe

Nero Burning ROM v6.3 Ultra - Enterprise edition key.exe

Nimo Codec Pack Updater.exe

PANDA.AVers.lusers.exe

PANDA.lusers.exe

s Diablo 2 hero editor.exe

SophosCrackAllVersion.exe

Starcraft + Broodwar 1.10 map hack.exe

Starcraft + Broodwar 1.10 no-cd hack.exe

The Frozen Throne map hack.exe

Warcraft 3 Frozen Throne cd-cd hack.exe

Warcraft 3 Frozen Throne map hack.exe

Warcraft 3 map hack.exe

Warcraft 3 no-cd hack.exe

Warcraft 3 stat hack.exe

Windows Nt Certification Test.exe

XBOX X-Fer Ripper and Transfer.exe

Xvid Codec Installer.exe

It also creates copies of itself by appending

Keygen.exe

Serial.exe

NoCD.exe

Crack.exe

to the following names:

Adobe Photoshop CS and ImageReady CS 8.0

Airport Tycoon II -

All Adobe Products

All Macromedia Products

All Microsoft Products

American Conquest -

Apache AH-64 Air Assault -

Battlefield 1942 The Road to Rome -

Battlefield Vietnam -

BitDefender

Bridge Baron 13

Command and Conquer Generals

Deus Ex -

Divx Pro 5.1

Doom 3 -

Dvd Plus

Dvd Wizard Pro

Dvd Xcopy

DvdCopyOne

DvdToVcd

Easy Dvd creator

Eonix Realm Of Hepmia -

Fetish Fighters -

Forbidden Siren -

Freelancer -

Grom -

Harry Potter and the Prisoner of Azkaban KeyGen and

Harry Potter und der Gefangene von Askaban

I Was An Atomic Mutant -

IGI-2 Covert Strike -

Impossible Creatures -

Ipswich Town Official Management Game -

Jamella

Kazaa all

Microsoft Windows XP Professional

Nascar Racing 2003 Season

Nero Burning Rom

Nod32

Norton AntiVirus 2004 Pro Activation Key &

Norton AntiVirus 2005

Norton Internet Security 2004 Keygen &

Norton Internet Security 2004 Pro

Norton Internet Security 2005 Pro

Office XP Universal

Private Nurse -

Robot Arena Design And Destroy -

Serious Sam - Gold Edition -

Shadow of Memories -

Shrek 2

Sim City 4 -

Slot City 3

Spellforce - Breath of Winter

Spider-Man 2

Symantec Antivirus 2005

Symantec Internet Secutiy 2005

Test Drive -

The Campaigns of La Grande Armee -

The Emperors Mahjong -

Tom Clancys Splinter Cell -

Tombstone 1882 -

Unreal II The Awakening -

WinACE

Windows Server 2003

WinRAR 3

WinZIP 9

World Of Outlaws Sprint Car Racing 2002 -

Zone Alarm 5.0 pro

(example: Zone Alarm 5.0 pro Crack.exe, BitDefender Keygen.exe)

3. Sets the default Kazaa and Imesh download/shared folder to c:\sysnet

4. Creates the registry entry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"Ruby13"="c:\sysnet\Ruby13.exe"

so that it runs at startup.

5. Starts harvesting e-mail addresses from files with the following extensions:

*.wab

*.dbx

*.htm

*.sht

*.txt

*.doc

*.rtf

but skipping e-mail addresses that contain:

supp

webm

viru

newv

kasp

micr

root

admi

host

and sends itself to every e-mail address found, in the e-mail format described above, using its own SMTP engine.

6. It may display a message:

Ruby V1.3, ©BI 16.08.2004

Fight against MICROSOFT and make a virus!

DISINFECTION INSTRUCTIONS:

- Use the free disinfection utility made available by BitDefender

- Automatic disinfection: let BitDefender delete/disinfect the files found to be infected.

ANALYZED BY:

Patrik Vicol, BitDefender Virus Researcher

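The indicators in the advisory above (the drop folder, the 30,720-byte dropper and its renamed copies, the crack/keygen lure names, and the Run-key autorun entry) are easy to check for without running a full scanner. The following is an added example, not code from the post or from BitDefender: an offline Python checker that takes a directory listing (full path to size in bytes) and the text of a .reg export of the Run key and reports which of the advisory's indicators are present. The sample listing and registry export below are constructed for illustration; on a real machine you would feed it the output of `dir` and `reg export`.

```python
import re
from typing import Dict, List, Tuple

# Indicators quoted from the advisory text above.
DROP_DIR = r"c:\sysnet"
DROPPER_NAME = "ruby31.exe"
DROPPER_SIZE = 30720
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Ruby13"

# Suffixes the worm appends to product names to build lure file names.
LURE_SUFFIXES = ("keygen.exe", "serial.exe", "nocd.exe", "crack.exe")


def check_listing(listing: Dict[str, int]) -> List[Tuple[str, List[str]]]:
    """Flag files under the drop folder that match the advisory's indicators.

    listing maps a full path (e.g. r'c:\\sysnet\\Ruby31.exe') to its size in
    bytes. Each finding is (path, [reasons]); files outside C:\\sysnet are
    ignored because the advisory ties every indicator to that folder.
    """
    findings = []
    for path, size in listing.items():
        lower = path.lower()
        if not lower.startswith(DROP_DIR + "\\"):
            continue
        name = lower.rsplit("\\", 1)[1]
        reasons = []
        if name == DROPPER_NAME:
            reasons.append("known dropper name")
        if size == DROPPER_SIZE:
            reasons.append("dropper size 30,720 bytes")
        if name.endswith(LURE_SUFFIXES):
            reasons.append("crack/keygen lure name")
        if reasons:
            findings.append((path, reasons))
    return findings


def check_run_key(reg_export: str) -> List[Tuple[str, str]]:
    """Find autorun values named Ruby13 or pointing into C:\\sysnet.

    reg_export is the text of a .reg file (Windows escapes backslashes as
    '\\\\' in that format, so they are unescaped before comparing).
    """
    findings = []
    section = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or section.lower() != RUN_KEY.lower():
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if name.lower() == RUN_VALUE_NAME.lower() or data.lower().startswith(DROP_DIR):
            findings.append((name, data))
    return findings


def looks_infected(listing: Dict[str, int], reg_export: str) -> bool:
    """True when either the file-system or the registry indicators are present."""
    return bool(check_listing(listing)) or bool(check_run_key(reg_export))


# Constructed sample input: a listing with the dropper, two renamed copies,
# a lure-named copy, an unrelated text file and a file outside the drop folder.
SAMPLE_LISTING = {
    r"c:\sysnet\Ruby31.exe": 30720,
    r"c:\sysnet\Crack Norton 3000.exe": 30720,
    r"c:\sysnet\BitDefender Keygen.exe": 30720,
    r"c:\sysnet\Zone Alarm 5.0 pro Crack.exe": 30720,
    r"c:\sysnet\readme.txt": 120,
    r"c:\windows\notepad.exe": 69120,
}

# Constructed sample .reg export of the Run key (one worm entry, one benign).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Ruby13"="c:\\sysnet\\Ruby13.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    for path, reasons in check_listing(SAMPLE_LISTING):
        print(f"{path}: {', '.join(reasons)}")
    for name, data in check_run_key(SAMPLE_REG):
        print(f"autorun entry {name} = {data}")
    print("infected" if looks_infected(SAMPLE_LISTING, SAMPLE_REG) else "clean")
```

The size check is deliberately kept separate from the name check: the advisory says the renamed copies keep the 30,720-byte size, so a same-size file in C:\sysnet is suspicious even when its name is not on the lure list, and a lure-named file is worth reporting even if a later variant changes the size.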

Strange or not, I have one of these pieces of junk. I wanted to get a crack for a program. I downloaded an archive, opened it, and weird files started appearing on my desktop. I deleted them and pressed Ctrl+Alt+Del and got "Command removed by administrator". I went into the registry and enabled it again, closed the crack.exe file, and since then my computer runs like a cart, and it keeps telling me to download removal programs for which you search 2 hours for a serial and don't find one. Now I'm struggling to remove it without formatting [if possible :D], since I've done 4 formats this week. I hope this helps me. Windows sees the virus as Win32NetBooster or something like that.


Install an antivirus

Have a look at this

http://rstcenter.com/forum/ce-te-faci-fara-antivirus-t10746.rst

and possibly at this (but it's harder)

http://rstcenter.com/forum/viewtopic.php?t=10919

If you find it, delete it in safe mode and create a folder with the same name and extension. That way you force it not to install.

Search the name of the spam (I guess) on Google and you'll find information and removal tools. Here you'll find one posted by me and other information:

http://rstcenter.com/forum/viewtopic.php?t=10685
