NEW LOVGATE.X VIRUS (REQUIRES MINIMUM MCAFEE DATS 4348)

msc hotline sat
Administrator
Posts: 92857
Registered: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)

Post by msc hotline sat » 06 Apr 2004, 13:29

New Lovgate, controlled from DATS 4348 due on 7-04-2004:



__________________________________________



Virus Name: W32/Lovgate.x@MM

Risk Assessment - Corporate User: Low

Risk Assessment - Home User: Low







Virus Information

Discovery Date: 04/04/2004

Origin: Unknown

Length: 12,800 Bytes

Type: Virus

SubType: Worm

Minimum DAT: 4348

Release Date: 04/07/2004

Minimum Engine: 4.2.40

Description Added: 04/05/2004

Description Modified: 04/05/2004 5:15 AM (PT)








Virus Characteristics:

This detection is for a new variant of W32/Lovgate. It bears the following characteristics:

Drops a backdoor component (detected as BackDoor-AQJ with 4339 DATS and above)

Attempts to copy itself to poorly secured remote shares, scanning contiguous IP ranges, seeking accessible IPC$ or ADMIN$ shares.

Such copies of the worm may be enticingly named, or within ZIP or RAR archives. The worm carries a list of typical username/password combinations which it uses in attempting to get write access to remote shares

If it is able to access a remote share, it copies itself there as NETMANAGER.EXE, and remotely executes itself as a service on the remote machine.

Creates a share on the victim machine (share name "MEDIA").

Mails itself, constructing message uses its own SMTP engine. Email attachment may be a ZIP archive. Mails are sent in reply to email messages found on the victim machine.

Renames the extensions of EXE files to ZMX.

Terminates certain processes

The backdoor component dropped by this worm is detected as BackDoor-AQJ with the 4339 DATs or greater.






Symptoms

In attempting to copy itself to poorly secured network shares (IPC$ and ADMIN$), the worm generates a significant amount of network traffic. It scans contiguous IP ranges (on port 445) looking for accessible shares (brute forces with the usernames/passwords it carries).



This worm spreads via Email.
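The symptom described above (one host sweeping contiguous addresses on port 445) is something a network sensor can flag without any signature. The following is an added example, not code from the McAfee description or the forum post: it runs over a constructed connection-log format (timestamp, source, destination, destination port, action) and raises an alert when a single source touches many distinct hosts on TCP/445 within a short window, also reporting how sequential the targets were.

```python
"""Flag the share-scanning traffic pattern described above: one source reaching
many contiguous addresses on TCP/445 inside a short window.

Added example, not from the advisory; the connection-log format is constructed
(timestamp, source, destination, destination port, action).
"""
from collections import defaultdict
from datetime import datetime
import ipaddress


def parse_log(text):
    """Parse constructed log lines into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def contiguity(dsts):
    """Share of sorted distinct targets whose successor address was also hit
    (1.0 means a perfectly sequential sweep, 0.0 means no adjacent pairs)."""
    addrs = sorted({int(ipaddress.ip_address(d)) for d in dsts})
    if len(addrs) < 2:
        return 0.0
    adjacent = sum(1 for a, b in zip(addrs, addrs[1:]) if b - a == 1)
    return adjacent / (len(addrs) - 1)


def detect_share_scanners(events, threshold=8, window_seconds=60):
    """Return {src: {...}} for sources that touched at least `threshold` distinct
    hosts on port 445 within any `window_seconds` span."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()  # by timestamp, so hits[i:] is the window starting at hit i
        peak = 0
        for i, (start, _) in enumerate(hits):
            in_window = {dst for ts, dst in hits[i:]
                         if (ts - start).total_seconds() <= window_seconds}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = {"distinct_targets": peak,
                           "contiguous_ratio": contiguity(d for _, d in hits)}
    return alerts


# Constructed sample: 10.0.0.5 sweeps 10.0.1.1-12 on 445 in twelve seconds,
# while 10.0.0.7 talks normally to a file server and 10.0.0.5 also browses the web.
SAMPLE_LOG = "\n".join(
    [f"2004-04-06T10:00:{i:02d} 10.0.0.5 10.0.1.{i} 445 SYN" for i in range(1, 13)]
    + ["2004-04-06T10:00:03 10.0.0.7 10.0.2.10 445 SYN",
       "2004-04-06T10:00:09 10.0.0.7 10.0.2.10 445 SYN",
       "2004-04-06T10:00:10 10.0.0.5 10.0.2.20 80 SYN"]
)

if __name__ == "__main__":
    for src, info in detect_share_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_targets']} hosts on 445, "
              f"contiguity {info['contiguous_ratio']:.2f}")
```

The threshold and window are assumptions to tune per network; a backup server or vulnerability scanner legitimately talks to many hosts on 445, so the contiguity ratio is reported separately to help separate a worm sweep from known administrative sources.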






Method Of Infection

When the worm is executed, various files are dropped on the system. The following are copies of the worm (128,000 bytes):

%SysDir%\IEXPLORE.EXE

%SysDir%\kernel66.dll

%SysDir%\hxdef.exe

%SysDir%\RAVMOND.exe

%WinDir%\SYSTRA.EXE

C:\COMMAND.EXE

An AUTORUN.INF file is also dropped to C:\, intended to run COMMAND.EXE via Windows auto-run feature.



The following DLLs are also dropped (all identical). This is the remote access component, (detected as BackDoor-AQJ):



%SysDir%\msjdbc11.dll

%SysDir%\MSSIGN30.DLL

%SysDir%\ODBC16.dll

%SysDir%\Lmmib20.dll

A copy of the worm (with a COM, EXE, PIF or SCR extension, and one of the filenames below) in a RAR or ZIP archive may also be added to the root of C:\, for example:



c:\pass.RAR

c:\bak.zip

The following Registry keys are added in order to run the worm at system startup:



HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "run" = RAVMOND.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Hardware Profile" = %SysDir%\hxdef.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Microsoft Netmeeting Assoicates, Inc." = Netmeeting .exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Program In Windows" = %SysDir%\IEXPLORE.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices "SystemTra" = %WinDir%\SysTra.EXE

The following key is added to run the backdoor component at system startup:



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "VFW Encoder/Decoder Settings" = RUNDLL32.EXE MSSIGN30.DLL ondll_reg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Protcted Storage" = RUNDLL32.EXE MSSIGN30.DLL ondll_reg



The backdoor component is also installed as services on the victim machine, bearing the following characteristics:



Service 1

Display name: _reg

ImagePath: Rundll32.exe msjdbc11.dll ondll_server

Startup: automatic



Service 2

Display name: Windows Management Protocol v.0 (experimental)

Description: Windows Advanced Server. Performs scheduled scans for LANguard.

ImagePath: Rundll32.exe msjdbc11.dll ondll_server

Startup: automatic



The following Registry keys house the services information:



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)

If the worm is able to copy itself to remote shares, it attempts to execute itself remotely. It does this by copying itself as:



ADMIN$\SYSTEM32\NETMANAGER.EXE

and remotely executing it as a service. The service bears the following characteristics:



Display name: Windows Management Network Service Extensions

ImagePath: NetManager.exe -exe_start

Startup: Automatic
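The file, registry and service artifacts listed in this section are the host-side indicators an incident responder would check first. The script below is an added example, not McAfee's or the forum poster's code: it runs offline against three constructed inputs (a text .reg export, a list of service display names with their ImagePath, and a file listing) and reports which of the documented autorun values, service definitions and dropped files are present. The %SysDir% and %WinDir% defaults and all sample data are assumptions made for the example.

```python
"""Offline triage for the W32/Lovgate.x@MM host indicators listed above.
Added example (not McAfee's or the forum's code); all sample inputs are constructed."""
import re

# (key path, value name, fragment expected in the value data), from the description.
# Value names are spelled exactly as the description gives them, misspellings included.
AUTORUN_INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows", "run", "RAVMOND.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Hardware Profile", "hxdef.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Microsoft Netmeeting Assoicates, Inc.", "Netmeeting .exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Program In Windows", "IEXPLORE.EXE"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices", "SystemTra", "SysTra.EXE"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "VFW Encoder/Decoder Settings", "MSSIGN30.DLL ondll_reg"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Protcted Storage", "MSSIGN30.DLL ondll_reg"),
]

# Service display name -> fragment expected in its ImagePath (the three services described).
SERVICE_INDICATORS = {
    "_reg": "msjdbc11.dll ondll_server",
    "Windows Management Protocol v.0 (experimental)": "msjdbc11.dll ondll_server",
    "Windows Management Network Service Extensions": "NetManager.exe -exe_start",
}

# Dropped worm copies, backdoor DLLs and the autorun stub, with the description's placeholders.
DROPPED_FILES = [
    r"%SysDir%\IEXPLORE.EXE", r"%SysDir%\kernel66.dll", r"%SysDir%\hxdef.exe", r"%SysDir%\RAVMOND.exe",
    r"%WinDir%\SYSTRA.EXE", r"C:\COMMAND.EXE", r"C:\AUTORUN.INF", r"%SysDir%\msjdbc11.dll",
    r"%SysDir%\MSSIGN30.DLL", r"%SysDir%\ODBC16.dll", r"%SysDir%\Lmmib20.dll",
]

# One "Name"="Data" line of a text .reg export; backslash escapes the next character.
_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Minimal parser for the text .reg format: '[Key]' headers followed by string values.
    Only REG_SZ values are kept, which is all the documented autorun entries use."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _REG_VALUE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_autorun_indicators(keys):
    """Return (key, value name, data) for each documented autorun entry found (case-insensitive)."""
    lowered = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in keys.items()}
    hits = []
    for path, name, fragment in AUTORUN_INDICATORS:
        data = lowered.get(path.lower(), {}).get(name.lower())
        if data is not None and fragment.lower() in data.lower():
            hits.append((path, name, data))
    return hits


def find_service_indicators(services):
    """services: iterable of (display name, ImagePath). Returns the matching display names."""
    hits = []
    for display, image in services:
        fragment = SERVICE_INDICATORS.get(display)
        if fragment and fragment.lower() in image.lower():
            hits.append(display)
    return hits


def find_dropped_files(paths, sysdir=r"C:\WINDOWS\system32", windir=r"C:\WINDOWS"):
    """Resolve the placeholders (assumed defaults) and return listed paths that match."""
    expected = {p.replace("%SysDir%", sysdir).replace("%WinDir%", windir).lower() for p in DROPPED_FILES}
    return sorted(p for p in paths if p.lower() in expected)


def triage(reg_text, services, files):
    return {"autorun": find_autorun_indicators(parse_reg_export(reg_text)),
            "services": find_service_indicators(services),
            "files": find_dropped_files(files)}


# Constructed sample inputs (not real captures) for one infected-looking host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hardware Profile"="C:\\WINDOWS\\system32\\hxdef.exe"
"VFW Encoder/Decoder Settings"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"Vendor Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.exe"
'''
SAMPLE_SERVICES = [("Windows Management Protocol v.0 (experimental)", "Rundll32.exe msjdbc11.dll ondll_server"),
                   ("Print Spooler", r"C:\WINDOWS\system32\spoolsv.exe")]
SAMPLE_FILES = [r"C:\WINDOWS\system32\hxdef.exe", r"C:\WINDOWS\system32\kernel32.dll",
                r"C:\AUTORUN.INF", r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"]

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_REG, SAMPLE_SERVICES, SAMPLE_FILES).items():
        print(category, hits)
```

The file check matches full paths rather than bare names on purpose: IEXPLORE.EXE under the system directory is an indicator, while the same name under Program Files is the legitimate browser.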





Email propagation



The worm replies to unread messages in Microsoft Outlook and Outlook Express inboxes and deletes the messages after responding to them.



Subject: Re: Original subject

Body:



======

original message body

======

YAHOO.COM Mail auto-reply:



If you can keep your head when all about you

Are losing theirs and blaming it on you;

If you can trust yourself when all men doubt you,

But make allowance for their doubting too;

If you can wait and not be tired by waiting,

Or, being lied about, don't deal in lies,

Or, being hated, don't give way to hating,

And yet don't look too good, nor talk too wise;

... ... more look to the attachment.





> Get your FREE YAHOO.COM Mail now! <





As for constructing messages using its own SMTP engine:



Subject can be any of the following:



hi

hello

Hello

Mail transaction Failed

mail delivery system

Body of the message could be any of the following:



Mail failed. For further assistance, please contact!

The message contains Unicode characters and has been sent as a binary attachment.

It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.

Attachment: (could be randomly constructed string with the following extensions):



EXE

PIF

SCR

ZIP



Termination of Processes



It also searches running processes for the following list of strings, and kills those it finds:



rising

SkyNet

Symantec

McAfee

Gate

Rfw.exe

RavMon.exe

kill

NAV

Duba

KAV

KV



The worm looks for EXE files on the system and renames their extensions to *.ZMX. It then copies itself using the original EXE filename.



e.g., Explorer.exe becomes Explorer.zmx. Then the worm will copy itself as Explorer.exe so every time Windows Explorer is invoked the worm will run instead.



__________________________________________



Related link:

http://vil.nai.com/vil/content/v_101161.htm



regards



ms, 06-04-2004
