Attachment 7136
Drives searched for autorun.inf
C:, D:, E:, G:,
Results of Search
autorun.inf on C:
[autorun]
open=
shell\open=打开(&O)
shell\open\Command=WScript.exe .\autorun.vbs
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=WScript.exe .\autorun.vbs
autorun.inf on D:
[autorun]
OPEN=Autorun.exe
ICON=Autorun.exe
autorun.inf on E:
[autorun]
open=autorun.exe
icon=icon.ico
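As an added example (not code from the post or from any tool it links to), the following Python script parses autorun.inf text the way Windows reads it (case-insensitive keys in the [autorun] section) and reports where open= or a shell\verb\Command entry launches a script host, which is exactly the hijack shown on C: above: the drive's Open and Explore verbs are redirected to WScript.exe .\autorun.vbs. The three file contents are embedded as constructed strings so it runs offline.

```python
"""Autorun.inf hijack checker (added example; not code from the post or its tools).
Parses the file the way Windows does (case-insensitive keys, [autorun] section)
and reports where the drive's Open/Explore verbs or open= are pointed at a
script host, which is exactly what the C: sample in the post does."""
import re

SCRIPT_HOSTS = ("wscript", "cscript", "mshta")        # script interpreters
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|hta)\b")   # extensions WSH runs


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, sections/keys lowercased."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            data.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            data[section][key.strip().lower()] = value.strip()
    return data


def launches_script(command):
    """True if the command runs a script host or a script-extension file."""
    c = command.lower()
    return any(h in c for h in SCRIPT_HOSTS) or SCRIPT_EXT.search(c) is not None


def check_autorun(text):
    """Return (severity, message) findings; 'hijack' means a verb runs a script,
    'note' means it runs an ordinary program (normal for a CD, odd on C:)."""
    findings = []
    for key, value in parse_ini(text).get("autorun", {}).items():
        verb = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if key in ("open", "shellexecute") or verb:
            what = f"verb '{verb.group(1)}'" if verb else f"{key}="
            if launches_script(value):
                findings.append(("hijack", f"{what} runs a script: {value}"))
            elif value:
                findings.append(("note", f"{what} runs a program: {value}"))
    return findings


# Constructed samples: the three autorun.inf files quoted in the post.
AUTORUN_C = r"""[autorun]
open=
shell\open=打开(&O)
shell\open\Command=WScript.exe .\autorun.vbs
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=WScript.exe .\autorun.vbs
"""
AUTORUN_D = "[autorun]\nOPEN=Autorun.exe\nICON=Autorun.exe\n"
AUTORUN_E = "[autorun]\nopen=autorun.exe\nicon=icon.ico\n"

if __name__ == "__main__":
    for drive, text in (("C:", AUTORUN_C), ("D:", AUTORUN_D), ("E:", AUTORUN_E)):
        found = check_autorun(text)
        print(drive, "HIJACKED" if any(s == "hijack" for s, _ in found) else "ok")
        for severity, message in found:
            print("   ", severity, message)
```

Run against a real machine by reading each drive root's autorun.inf and passing its text to check_autorun; a "hijack" finding on a hard drive is the sign that the right-click Open/Explore entries have been replaced.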
STEP 1:
FIRST OF ALL YOU MUST MAKE A BACKUP FROM SYSTEM TOOLS
IF YOU HAVE GREEK WINDOWS GO TO ACCESSORIES ----- SYSTEM TOOLS ----- SYSTEM RESTORE AND CREATE A NEW RESTORE POINT
IMPORTANT: REMEMBER IT FOR LATER; NAME IT E.G. "BEFORE THE VIRUS"
STEP 2:
Click here to download HJTsetup.exe http://rapidshare.com/files/16696204/HJTsetup.rar
• Save HJTsetup.exe to your desktop.
• Double-click on the HJTsetup.exe icon on your desktop.
• By default it will install to C:\Program Files\Hijack This.
• Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
• Put a check by Create a desktop icon then click Next again.
• Continue to follow the rest of the prompts from there.
• At the final dialogue box click Finish and it will launch Hijack This.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
AND THEN COPY-----PASTE ME WHAT IT GIVES YOU
I'M WAITING
STEP 3:
DOWNLOAD THE FILE GETAUTORUN.EXE:
http://rapidshare.com/files/16696233/GetAutoruns.zip
AND SEND ME THE OUTPUT IT PRODUCES, AS BEFORE!!!!
IT IS IMPORTANT THAT YOU COPY ----- PASTE ME THE FILES THAT WERE CREATED. THERE ARE TWO MORE STEPS YOU CAN FOLLOW BEFORE THE FINAL ONE!!!!!
STEP 4:
WE MUST BACK UP THE NEW REGISTRY. DOWNLOAD http://rapidshare.com/files/16696159/erunt-setup.rar
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.
STEP 5 (LAST!!)
Registry Modifications
SO, THE LAST STEP, AND WE DO THE FOLLOWING:
WE DOWNLOAD THE 2 PROGRAMS SHOWN BELOW
FIRST WE RUN THE FILE Regfix.reg, WHICH FIXES THE REGISTRY, AND PRESS Yes WHEN IT ASKS to merge into the registry. FINALLY WE RUN Delautoruns.bat; THE MS-DOS WINDOW MAY FLICKER FOR A FEW SECONDS, THAT IS NORMAL.
AFTER THAT, RESTART!
Download AND RUN THE FOLLOWING 2 FILES:
http://rapidshare.com/files/16696245/Regfix.zip
http://rapidshare.com/files/16696218/DelAutoruns.zip
Restart (without fail) and tell me what happened (when you right-click the C: drive, OPEN and EXPLORE should finally have appeared!!!)
(FOR ANY QUESTION I AM AT YOUR DISPOSAL!!!)
IF THERE IS SOMETHING YOU DON'T KNOW HOW TO DO, SEND A MESSAGE AND I WILL TELL YOU; BETTER TO WAIT A LITTLE (UNTIL I REPLY) THAN TO DO IT WRONG!
IF EVERYTHING WENT WELL (WHICH IT SURELY WILL HAVE) A THANK YOU IS ENOUGH FOR ME!!!
NOW THAT WE HAVE SUCCESSFULLY REMOVED THE TROJAN, LET'S SAY A FEW MORE WORDS ABOUT WHAT IT DOES!!!!! AND IT DOES QUITE A LOT
VBS.Gaggle.E is a variant of VBS.Gaggle.D. It is a mass-mailing worm that overwrites several files. This worm can infect the following file types:
• .vbs
• .vbe
• .js
• .jse
• .hta
• .htm
• .html
• .php
• .shtm
• .shtml
• .phtm
• .phtml
• .mht
• .mhtml
• .plg
• .htx
The worm retrieves the email addresses from the files that have .hta, .htm, .html, .php, .shtm, .shtml, .phtm, .phtml, .mht, .mhtml, .plg, or .htx extensions. Then, it uses its own SMTP engine to send email to all the email addresses that it finds. The worm can also spread through ICQ, and some file-sharing networks.
The From field of the email is spoofed, the subject line and message vary, and the attachment is Filezip.zip.
Also Known As:
I-Worm.Gedza [Kaspersky], VBS/Gedza.A [F-Prot]
Variants:
VBS.Gaggle.B@mm, VBS.Gaggle.C, VBS.Gaggle.D
Type: Worm
Infection Length:
Varies, about 260k, 30,721 bytes, 17,409 bytes
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected:
DOS, Linux, Macintosh, Macintosh OS X, Novell Netware, OS/2, UNIX
Wild
• Number of infections: 0 - 49
• Number of sites: 0 - 2
• Geographical distribution: Low
• Threat containment: Easy
• Removal: Moderate
Wild: Low
Damage: Medium
Distribution: High
Damage
• Payload Trigger: n/a
• Payload: n/a
o Large scale e-mailing: Sends itself to all the email addresses that it collects from the local system.
o Deletes files: n/a
o Modifies files: Overwrites .vbs, .vbe, .js, .jse, .hta, .htm, .html, .php, .shtm, .shtml, .phtm, .phtml, .mht, .mhtml, .plg, and .htx files with itself.
o Degrades performance: n/a
o Causes system instability: n/a
o Releases confidential info: n/a
o Compromises security settings: n/a
Distribution
• Subject of email: Varies
• Name of attachment: Filezip.zip
• Size of attachment: n/a
• Time stamp of attachment: n/a
• Ports: n/a
• Shared drives: Generates random IP addresses and attempts to copy itself to those IP addresses. Spreads through various file-sharing networks.
• Target of infection: n/a
When VBS.Gaggle.E runs, it does the following:
1. Creates copies of itself in the %System% folder as some of these file names:
• File.vbs
• Gedzac.vbs
• hta.vbs
• Israfel.vbs
• pubprn.vbs
• Kernel32.win
• Mouse_configurator.win
• Winmgd.win
• Backup.vbs
• Template.htm (A .html file containing the worm.)
• Filezip.zip (A .zip archive of the worm.)
Notes:
• %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
• The worm may insert some garbage data into the files, so that the size of the files vary.
2. Creates the following files in the %System% folder:
• Regsrv.exe: 17,409 bytes. Detected as Trojan.KillAV.
• Sendi.exe: 30,721 bytes. A component of the worm.
• Pkzip.exe: A legitimate program.
• AvrilLavigne.jpg: 12,549 bytes. A .jpg file.
• C:\Estigma.hta: 354 bytes. A harmless .html file.
• iwn.dat
• iw.dat
• ixn.dat
• ix.dat
Note: The worm attempts to use the .dat files to infect the Microsoft Word and Excel files.
3. Adds the values:
"Kernel32"="%System%\Kernel32.win"
"Israfel"="%System%\Israfel.vbs"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
4. Modifies the default value to:
"(Default)"="GEDZAC"
in the registry keys:
• HKEY_CLASSES_ROOT\regfile\shell\open\command
• HKEY_CLASSES_ROOT\keyfile\shell\open\command
5. Modifies the value to:
"Timeout"="0"
in the registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Scripting Host\Settings
6. Modifies the value to:
"DisableRegistryTools"="1"
in the registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Policies\System
HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\
Policies\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Policies\System
7. Copies %comshell% to all the hard drives as \inetpub\scripts\israfel.exe.
Note: %Comshell% is a variable. The worm locates the default command shell. For example, this can be command.com or cmd.exe.
8. Creates an iisroot.asp file in the \inetpub\wwwroot folder and its subfolders. This file is not viral by itself.
9. Modifies the following line in the [boot] section of the System.ini file:
shell=Explorer.exe %System%\winmgd.win
so that the worm runs when you start Windows 95/98/Me.
10. Modifies the following line in the [windows] section of the Win.ini file:
run=%System%\mouse_configurator.win
so that the worm runs when you start Windows 95/98/Me.
11. If the date of the system clock is the third day of the month, the .html file, C:\Estigma.hta, will be displayed. This file only contains text.
12. If the date of the system clock is the 19th day of the month, the following message will be displayed:
19/12/2003 - Saludos a Cienciano Campeon 2003 de la Copa Sudamericana
13. If the date of the system clock is the 11th day of the month, the following message will be displayed:
Luego del alevoso ataque de eeuu y sus aliados
contra Iraq, aun tiene bush el descaro de decir
que lo hizo por libertar al pueblo o por la
democracia, como si eso le interesara, solo le
interesa tener gobiernos titeres y el petroleo
(investiguen sobre su dizque reconstruccion
de Iraq), desde los 90 que se pretendia derrocar
al gobierno de Iraq, quien le dio el derecho de decidir que
gobiernos deben ser derrocados o no, acaso
se cree el policia del mundo, una de las frases
favoritas del Asesino de bush, es el 'origen
del mal' el es eso.
Y para terminar otra de sus frases 'que Dios bendiga a los eeuu' ojala lo haga
porque lo van a nesecitar, porque algun
dia eeuu pagara por querer decirle al
mundo como tiene que vivir
(Mensage en contra del Gobierno de eeuu, no del pueblo)"
14. If the date of the system clock is the 26th day of the month, the following message will be displayed:
"Soy una ballena de color azúl mi espalda sopla y tu ves esa fuente
de agua limpia aún. Nuestra casa abierta, era el ancho mar
Viajábamos en paz, sin manchas de petróleo que evitar
Busco un sitio puro donde descansar no hay muchas como yo
me tengo que cuidar de ti. Nubes blancas, cielo transparente
y el humano compartiendo con otros, un sueño que quizás ya no regrese
pues ya es tarde para todos nosotros
Soy el cóndor majestuoso del Perú, mi cuello gira y tú
me miras con ojos de luz. Busco un sitio alto donde recordar
que hubo un tiempo mejor, pues como yo no quedan más
Si tus hijos te preguntan cómo fui, no sé que les dirás, me tuve que alejar de ti
Cordilleras blancas dominando, todo ser que se alimenta del río
hombres en aldeas cultivando, sin decirle al campo dame lo que es mío
Estás equivocado, no sabes dónde vas
guanacos, osos panda, renos, águilas, delfines y todo lo demás
Estás equivocado no sabes dónde vas
un espíritu ronda por la selva llorando lo que fue el jaguar
bienvenido al mundo del hombre construído con detergentes y también con alquitrán
Soy una ballena de color azúl mi espalda sopla y tú
ves esa fuente de agua limpia aún
(Cancion perteneciente a 'Los Nosequien y Los Nosecuantos')
El 26 de Abril es el día de la Tierra, protegela"
15. If the date of the system clock is the 29th of the month, the worm will open the Web page, www.arvil-lavigne.com.
16. Retrieves the shared folder of SoulSeek by querying the following registry key:
HKEY_CURRENT_USER\Software\SoulSeek\InstallPath
17. Copies %System%\Filezip.zip, to the following folders, if the folders exist:
• C:\My Downloads
• C:\My Shared Folder
• C:\Program Files\appleJuice\incoming
• C:\Program Files\BearShare\Shared
• C:\Program Files\eDonkey2000\incoming
• C:\Program Files\Gnucleus\Downloads
• C:\Program Files\Grokster\My Grokster
• C:\Program Files\ICQ\shared files
• C:\Program Files\KaZaA\My Shared Folder
• C:\Program Files\KaZaA Lite\My Shared Folder
• C:\Program Files\KMD\My Shared Folder
• C:\Program Files\LimeWire\Shared
• C:\Program Files\Morpheus\MyShared Folder
• C:\Program Files\Overnet\incoming
• C:\Program Files\Shareaza\Downloads
• C:\Program Files\Swaptor\Download
• C:\Program Files\WinMX\My Shared Folder
• C:\Program Files\Tesla\Files
• C:\Program Files\XoloX\Downloads
• C:\Program Files\Rapigator\Share
• C:\Archivos de programa\appleJuice\incoming
• C:\Archivos de programa\BearShare\Shared
• C:\Archivos de programa\eDonkey2000\incoming
• C:\Archivos de programa\Gnucleus\Downloads
• C:\Archivos de programa\Grokster\My Grokster
• C:\Archivos de programa\ICQ\shared files
• C:\Archivos de programa\KaZaA\My Shared Folder
• C:\Archivos de programa\KaZaA Lite\My Shared Folder
• C:\Archivos de programa\KMD\My Shared Folder
• C:\Archivos de programa\LimeWire\Shared
• C:\Archivos de programa\Morpheus\MyShared Folder
• C:\Archivos de programa\Overnet\incoming
• C:\Archivos de programa\Shareaza\Downloads
• C:\Archivos de programa\Swaptor\Download
• C:\Archivos de programa\WinMX\My Shared Folder
• C:\Archivos de programa\Tesla\Files
• C:\Archivos de programa\XoloX\Downloads
• C:\Archivos de programa\Rapigator\Share
as the following file names:
• ACDSee 5.5.zip
• AOL Instant Messenger.zip
• AVP Antivirus Pro Key Crack.zip
• Age of Empires 2 crack.zip
• Ana Kournikova Sex Video.zip
• Animated Screen 7.0b.zip
• AquaNox2 Crack.zip
• Audiograbber 2.05.zip
• BabeFest 2003 ScreenSaver 1.5.zip
• Babylon 3.50b reg_crack.zip
• Battlefield1942_bloodpatch.zip
• Battlefield1942_keygen.zip
• Britney Spears Sex Video.zip
• Buffy Vampire Slayer Movie.zip
• Business Card Designer Plus 7.9.zip
• Clone CD 5.0.0.3 (crack).zip
• Clone CD 5.0.0.3.zip
• Coffee Cup Free zip 7.0b.zip
• Cool Edit Pro v2.55.zip
• Crack Passwords Mail.zip
• Credit Card Numbers generator(incl Visa,MasterCard,...).zip
• Cristina Aguilera Sex Video.zip
• DVD Copy Plus v5.0.zip
• DVD Region-Free 2.3.zip
• Diablo 2 Crack.zip
• DirectDVD 5.0.zip
• DirectX Buster (all versions).zip
• DirectX InfoTool.zip
• DivX Video Bundle 6.5.zip
• Download Accelerator Plus 6.1.zip
• Edonkey2000-Speed me up scotty.zip
• FIFA2003 crack.zip
• Final Fantasy VII XP Patch 1.5.zip
• Flash MX crack (trial).zip
• FlashGet 1.5.zip
• FreeRAM XP Pro 1.9.zip
• GTA 3 Crack.zip
• GTA 3 Serial.zip
• Game Cube Real Emulator.zip
• GetRight 5.0a.zip
• Global DiVX Player 3.0.zip
• Gothic2 licence.zip
• Guitar Chords Library 5.5.zip
• Hentai Anime Girls Movie.zip
• Hitman_2_no_cd_crack.zip
• Hot Babes XXX Screen Saver.zip
• HotGirls.zip
• Hotmail Hacker 2003-Xss Exploit.zip
• ICQ Pro 2003a.zip
• ICQ Pro 2003b (new beta).zip
• IrfanView 4.5.zip
• Jenifer Lopez Sex Video.zip
• KaZaA Hack 2.5.0.zip
• KaZaA Speedup 3.6.zip
• Kazaa SDK + Xbit speedUp for 2.xx.zip
• Links 2003 Golf game (crack).zip
• Living Waterfalls 1.3.zip
• MSN Messenger 5.2.zip
• Mafia_crack.zip
• Matrix Movie.zip
• Matrix Screensaver 1.5.zip
• Mcafee Antivirus Scan Crack.zip
• MediaPlayer Update.zip
• Microsoft KeyGenerator-Allmost all microsoft stuff.zip
• NBA2003_crack.zip
• NHL 2003 crack.zip
• Need 4 Speed crack.zip
• Nero Burning ROM crack.zip
• Netbios Nuker 2003.zip
• Netfast 1.8.zip
• Network Cable e ADSL Speed 2.0.5.zip
• Nimo CodecPack (new) 8.0.zip
• Norton Anvirus Key Crack.zip
• PS2 PlayStation Simulator.zip
• PalTalk 5.01b.zip
• Panda Antivirus Titanium Crack.zip
• Pop-Up Stopper 3.5.zip
• Popup Defender 6.5.zip
• Quick Time Key Crack.zip
• QuickTime_Pro_Crack.zip
• Sakura Card Captor Movie.zip
• Screen saver christina aguilera naked.zip
• Screen saver christina aguilera.zip
• Security-2003-Update.zip
• Serials 2003 v.8.0 Full.zip
• Sex Live Simulator.zip
• Sex Passwords.zip
• SmartFTP 2.0.0.zip
• SmartRipper v2.7.zip
• Space Invaders 1978.zip
• Spiderman Movie.zip
• Splinter_Cell_Crack.zip
• Starcraft serial.zip
• Start Wars Trilogy Movies.zip
• Steinberg_WaveLab_5_crack.zip
• Stripping MP3 dancer+crack.zip
• Thalia Sex Video.zip
• Trillian 0.85 (free).zip
• TweakAll 3.8.zip
• UT2003_bloodpatch.zip
• UT2003_keygen.zip
• UT2003_no cd (crack).zip
• UT2003_patch.zip
• Unreal2_bloodpatch.zip
• Unreal2_crack.zip
• VB6.zip
• Virtua Girl (Full).zip
• VirtualSex.zip
• Visual Basic 6.0 Msdn Plugin.zip
• Visual basic 6.zip
• WarCraft_3_crack.zip
• WinOnCD 4 PE_crack.zip
• WinRar 3.xx Password Cracker.zip
• WinZip 9.0b.zip
• WinZipped Visual C++ Tutorial.zip
• Winamp 3.8.zip
• WindowBlinds 4.0.zip
• Windows XP complete + serial.zip
• Windows Xp Exploit.zip
• Winzip KeyGenerator Crack.zip
• XNuker 2003 2.93b.zip
• Yahoo Messenger 6.0.zip
• Zelda Classic 2.00.zip
• aol cracker.zip
• aol password cracker.zip
• cable modem ultility pack.zip
• counter-strike.zip
• delphi.zip
• divx pro.zip
• divx_pro.zip
• hotmail_hack.zip
• iMesh 3.6.zip
• iMesh 3.7b (beta).zip
• mIRC 6.40.zip
• macromedia dreamweaver key generator.zip
• mp3Trim PRO 2.5.zip
• pamela_anderson.zip
• play station emulator.zip
• serials2000.zip
• subseven.zip
• virtua girl - adriana.zip
• virtua girl - bailey short skirt.zip
• warcraft 3 crack.zip
• warcraft 3 serials.zip
• winamp plugin pack.zip
• winzip full version key generator.zip
18. Creates the following files in the %Temp% folder:
• imh.dat
• iml.dat
• imv.dat
Notes:
• %Temp% is a variable. The worm locates the temporary folder and copies itself to that location. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
• These files are not viral by themselves. The worm retrieves the email addresses from the Microsoft Outlook Address Book and from the files with .hta, .htm, .html, .php, .shtm, .shtml, .phtm, .phtml, .mht, .mhtml, .plg, or .htx extensions. Then, it saves the email addresses to these files.
19. Overwrites the .vbs, .vbe, .js, .jse, .hta, .htm, .html, .php, .shtm, .shtml, .phtm, .phtml, .mht, .mhtml, .plg, and .htx files with itself.
20. Generates random IP addresses and attempts to connect to the IP addresses using the following user names and passwords:
• name
• %null%
• %username%
• %username%12
• %username%123
• %username%1234
• 123
• 1234
• 12345
• 123456
• 1234567
• 12345678
• 654321
• 54321
• 1
• 111
• 11111
• 111111
• 11111111
• 000000
• 00000000
• 22
• 5201314
• 88888888
• 888888
• passwd
• password
• sql
• database
• admin
• test
• server
• computer
• secret
• oracle
• sybase
• root
• Internet
• super
• user
• manager
• security
• public
• private
• default
• 1234qwer
• 123qwe
• abcd
• abc123
• 123abc
• abc
• 123asd
• asdf
• asdfgh
• KKKKKKK
• !@#$
• !@#$%
• !@#$%^
• !@#$%^&
• !@#$%^&*
• !@#$%^&*(
• !@#$%^&*()
• intel
21. Copies itself to the remote computer as autorun.vbs. Then, it overwrites the autoexec.bat file with the line:
@win \autoexec.vbs
22. Creates a file named wininit.ini under %Windir%. This file is not malicious by itself.
23. Adds the line:
run=autorun.vbs
to the [windows] section of the file, Win.ini, on the remote computer.
24. Overwrites all the .vbs files on drive A with itself. If it does not find any .vbs files on drive A, it will copy itself as one of the following:
• A:\Israfel.vbs
• A:\Document.txt.vbs
• A:\Image.jpg.vbs
• A:\Loreley.jpg.vbs
• A:\Vigilancia.txt.vbs
25. Uses its email component, sendi.exe, to send itself to all the email addresses that it finds.
The worm uses the current user's SMTP server or one of the following servers to spread itself:
mx1.latinmail.com
mx1.hotmail.com
The email has the following characteristics:
From: The sender's name is randomly selected from a list that the worm carries.
Attachment: Filezip.zip
Subject: Subject line is randomly selected from the list that the worm carries.
Message: The message body is randomly selected from the list that the worm carries.
It may begin with one of the following texts:
=============================Mcaffe Virus Scan=============================
Resultado del Análisis: Mensaje y Adjunto libre de virus
===========================================================================
=============================Mcaffe Virus Scan=============================
Result gives the Analysis: Message and Added free he gives virus
===========================================================================
For example, the subject and the message can be one of the following:
Subject: Postal Animada
Message:
Ha recibido una postal desde esta direccion
para verla descarguela antes de 7 dias de recibido este e-mail
Un Servicio de FreeCards
Subject: Cartoons
Message:
Nuestra pagina de Cartoons viene recargada
mira este que se titula: El inofensivo pajarito
Subject: Free ScreenSaver
Message: Mira este screensaver, y si te gusta, visita nuestra page
Subject: FordWare
Message: Sabes lo que es el FordWare?, entonces mira este
Subject: Espero te guste
Message: Mira la postal =)
Subject: Esta es buena
Message: Haber que te parece a ti?
Subject: Aviso Importante
Message:
Debido a la nueva politica del servidor, se pide a los usuarios
completar el nuevo registro a fin de poder conservar sus cuentas de correo
Subject: Sexo Tantrico
Message:
Conoces el sexo tantrico?
Tantra: Antigua disciplina oriental para mejorar el rendimiento sexual
Aprendelo y nota la diferencia.
Subject: Significado de los nombres
Message: Quieres saber el significao de tu nombre, o apellido o de donde proviene?
Subject: Manual Seduccion
Message: Quieres conquistar una pareja?, prueba con estos consejos
Subject: ilusiones
Message: Mira la foto adjunta 20 segundos y veras algo
Subject: Hi
Message: Te envio las imagenes que pediste, bye
Subject: Help me
Message: please open file
Subject: Mail Return System
Message: El correo no pudo ser enviado a uno o más destinatarios.
Subject: Fotos en tu email
Message: XXX Todo Vale XXX
26. Sends email to the attacker. The email may contain the stolen information and email addresses that the worm finds on an infected computer.
Creates the following registry keys:
HKEY_LOCAL_MACHINE\Software\GEDZAC LABS\Israfel\Parent
HKEY_LOCAL_MACHINE\Software\GEDZAC LABS\VBS.Israfel\Info