NEW VIRUS w32/GBOT THAT ENTERS THROUGH THE MYDOOM BACKDOOR

msc hotline sat
Posts: 93500
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)


Post by msc hotline sat » 22 Apr 2004, 17:54

It is already well known that one of the viruses that spread the most was MyDoom, of which variants keep appearing, although they no longer reach the propagation levels of NetSky, which is the one currently in vogue.



But MyDoom created a backdoor that was exploited by other viruses, as well as by specialist hackers, and today a new virus has been discovered that gets in through that backdoor on computers infected by MyDoom.



This new virus is W32/GBOT, which then spreads across the entire computer network of a company.



Its characteristics are:



http://vil.nai.com/vil/content/v_122316.htm

__________________________________________



Internet Worm Name: W32/Gbot.worm

Risk Assessment - Corporate User: Low

Risk Assessment - Home User: Low







Internet Worm Information

Discovery Date: 04/22/2004

Origin: Unknown

Length: varies

Type: Internet Worm

SubType: Internet Worm

Minimum DAT: 4353 (04/28/2004)

Updated DAT: 4353 (04/28/2004)

Minimum Engine: 4.2.40

Description Added: 04/22/2004

Description Modified: 04/22/2004 7:52 AM (PT)








Internet Worm Characteristics:

This is an internet worm that spreads both via network shares and by taking advantage of the Mydoom backdoor and installs a backdoor on the victim system.



When run, it copies itself to the WINDOWS SYSTEM (%sysDir%) directory using a randomly created name and creates a registry run key to load the worm at system startup:



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "random name" = [random file name].exe

It also creates copies of itself in



C:\My Documents\

Observed names include (depending on the variant):



93,261 AIM_Account_Stealer_Crack.exe

93,558 AIM_Account_Stealer_Full.exe

93,470 AIM_Account_Stealer_Patch.exe

93,400 Cat_Attacks_Child_Full.exe

93,656 Cat_Attacks_Child_ISO_Full.exe

93,187 Cat_Attacks_Child_Key_Generator.exe

93,499 CKY3_Bam_Margera_World_Industries_Alien_Workshop_Full.exe

93,435 CKY3_Bam_Margera_World_Industries_Alien_Workshop_ISO_Full.exe

93,407 CKY3_Bam_Margera_World_Industries_Alien_Workshop_Key_Generator.exe

93,664 CKY3_Bam_Margera_World_Industries_Alien_Workshop_Patch.exe

93,329 DSL_Modem_Uncapper_Crack.exe

93,226 DSL_Modem_Uncapper_Full.exe

93,246 DSL_Modem_Uncapper_ISO_Full.exe

93,466 DSL_Modem_Uncapper_Key_Generator.exe

93,509 Hacking_Tool_Collection_Crack.exe

93,422 Hacking_Tool_Collection_Full.exe

93,424 Hacking_Tool_Collection_ISO_Full.exe

93,495 Hacking_Tool_Collection_Patch.exe

93,452 Internet_and_Computer_Speed_Booster_Crack.exe

93,410 Internet_and_Computer_Speed_Booster_ISO_Full.exe

93,238 Internet_and_Computer_Speed_Booster_Key_Generator.exe

93,287 Internet_and_Computer_Speed_Booster_Patch.exe

93,285 Macromedia_Flash_5.0_Crack.exe

93,194 Macromedia_Flash_5.0_Full.exe

93,599 Macromedia_Flash_5.0_ISO_Full.exe

93,184 Macromedia_Flash_5.0_Key_Generator.exe

93,500 Macromedia_Flash_5.0_Patch.exe

93,345 MSN_Password_Hacker_and_Stealer_Crack.exe

93,599 MSN_Password_Hacker_and_Stealer_Full.exe

93,248 MSN_Password_Hacker_and_Stealer_Patch.exe

93,359 Windows_XP_Crack.exe

93,354 Windows_XP_Full.exe

93,506 Windows_XP_Key_Generator.exe

93,573 ZoneAlarm_Firewall_Full.exe

93,262 ZoneAlarm_Firewall_ISO_Full.exe

93,606 ZoneAlarm_Firewall_Patch.exe

Or:



46,592 AIM_Account_Stealer_Crack.exe

47,011 AIM_Account_Stealer_Full.exe

46,774 AIM_Account_Stealer_ISO_Full.exe

46,979 AIM_Account_Stealer_Key_Generator.exe

46,604 AIM_Account_Stealer_Patch.exe

46,645 Cat_Attacks_Child_Crack.exe

46,644 Cat_Attacks_Child_ISO_Full.exe

46,989 Cat_Attacks_Child_Key_Generator.exe

46,758 Cat_Attacks_Child_Patch.exe

46,765 CKY3_Bam_Margera_World_Industries_Alien_Workshop_Crack.exe

46,760 CKY3_Bam_Margera_World_Industries_Alien_Workshop_Patch.exe

46,900 DSL_Modem_Uncapper_Crack.exe

46,633 DSL_Modem_Uncapper_Full.exe

47,013 DSL_Modem_Uncapper_ISO_Full.exe

46,666 DSL_Modem_Uncapper_Patch.exe

47,039 Hacking_Tool_Collection_Crack.exe

47,030 Hacking_Tool_Collection_Key_Generator.exe

47,077 Hacking_Tool_Collection_Patch.exe

46,773 Internet_and_Computer_Speed_Booster_Crack.exe

46,940 Internet_and_Computer_Speed_Booster_Full.exe

46,661 Macromedia_Flash_5.0_ISO_Full.exe

47,046 Macromedia_Flash_5.0_Key_Generator.exe

47,063 MSN_Password_Hacker_and_Stealer_Full.exe

47,074 MSN_Password_Hacker_and_Stealer_ISO_Full.exe

46,938 MSN_Password_Hacker_and_Stealer_Key_Generator.exe

46,951 Windows_XP_Crack.exe

46,708 Windows_XP_Full.exe

46,731 Windows_XP_ISO_Full.exe

6,903 Windows_XP_Key_Generator.exe

46,768 Windows_XP_Patch.exe

47,036 ZoneAlarm_Firewall_Crack.exe

46,779 ZoneAlarm_Firewall_Patch.exe



The BackDoor component listens on TCP port 113 for incoming connections and connects to an IRC channel at xxx.xxx.108.243 port 6659.



Network Propagation



The worm scans random IPs trying to access the netbios-ssn and microsoft-ds services. Once a system is found, the worm tries to connect to the 'C$' share on that machine.



Although it could not be directly observed, it is believed the worm creates a number of files on the victim system named !ReadMe.exe in the root of all available local and network drives and in



C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

This worm can also infect systems already infected by the BackDoor MyDoom.






Symptoms

Unusual outbound network traffic, presence of the above mentioned key in the registry, presence of the above mentioned files.




Method Of Infection

This worm spreads via network shares and via the MyDoom BackDoor.




Removal Instructions

All Users:

Use specified engine and DAT files for detection and removal.



Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).



__________________________________________



It does not arrive by e-mail; the entry risk exists if port 113, which MyDoom left listening, is open. If that is the case, it then opens an IRC connection on port 6659.



It also spreads through administrative shares on the network, via C$. On that subject, see how to disable the administrative shares, which many viruses use, as explained in:



http://www.satinfo.es/web/2003/comparticions.html



Remember that many trojans such as Downloaders, Flood, SDBOT, Graps, Mumu, SLUTER, GBOT, etc. get in through administrative shares, which Windows creates by default on every reboot, unless what is indicated in the document at the link above is applied.



regards



ms, 22-04-2004
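As an added example that is not part of the original post or of McAfee's description, the following Python script turns the indicators quoted above into a defender's check: it scans firewall-style connection records for an internal host that accepted an inbound connection on TCP 113 (the port MyDoom left listening), made an outbound connection to TCP 6659 (the IRC channel), or connected to many machines on the netbios-ssn/microsoft-ds ports (139/445, the share-scanning behaviour), and it matches file names against the observed drop names and !ReadMe.exe. The log line format, the IP addresses and the scan threshold are constructed assumptions for the example; the ports and file names come from the quoted write-up.

```python
"""Detection helper for the W32/Gbot.worm indicators quoted on this page.
Added example, not the forum author's nor McAfee's code. The log format below
is a constructed, simplified firewall log: <timestamp> <IN|OUT> tcp <src>:<sport> -> <dst>:<dport>
For IN records the destination is the internal host; for OUT records the source is."""
import re
from collections import defaultdict

# Indicators from the quoted description
MYDOOM_BACKDOOR_PORT = 113     # backdoor component listens here
GBOT_IRC_PORT = 6659           # outbound IRC channel
SHARE_PORTS = {139, 445}       # netbios-ssn and microsoft-ds
SHARE_SCAN_THRESHOLD = 3       # distinct share targets before we call it scanning (assumed value)

OBSERVED_BASENAMES = [
    "AIM_Account_Stealer", "Cat_Attacks_Child",
    "CKY3_Bam_Margera_World_Industries_Alien_Workshop", "DSL_Modem_Uncapper",
    "Hacking_Tool_Collection", "Internet_and_Computer_Speed_Booster",
    "Macromedia_Flash_5.0", "MSN_Password_Hacker_and_Stealer", "Windows_XP",
    "ZoneAlarm_Firewall",
]
OBSERVED_SUFFIXES = ["Crack", "Full", "ISO_Full", "Key_Generator", "Patch"]
DROP_NAME_RE = re.compile(
    r"^(?:%s)_(?:%s)\.exe$" % ("|".join(map(re.escape, OBSERVED_BASENAMES)),
                                 "|".join(map(re.escape, OBSERVED_SUFFIXES))),
    re.IGNORECASE)
README_DROP = "!readme.exe"    # dropped in drive roots and the All Users Startup folder


def is_observed_drop_name(path: str) -> bool:
    """True if the file name (any path, Windows or POSIX separators) is one the
    write-up lists as an observed copy of the worm."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.lower() == README_DROP or DROP_NAME_RE.match(name) is not None


LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>IN|OUT)\s+tcp\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_line(line: str):
    """Parse one constructed log record; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(lines):
    """Map each internal host to the set of Gbot-related behaviours seen for it."""
    flags = defaultdict(set)
    share_targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed records
        if rec["dir"] == "IN" and rec["dport"] == MYDOOM_BACKDOOR_PORT:
            flags[rec["dst"]].add("inbound_113")          # something reached the MyDoom backdoor port
        elif rec["dir"] == "OUT":
            host = rec["src"]
            if rec["dport"] == GBOT_IRC_PORT:
                flags[host].add("outbound_irc_6659")       # IRC command channel
            elif rec["dport"] in SHARE_PORTS:
                share_targets[host].add(rec["dst"])        # candidate C$ share probing
    for host, targets in share_targets.items():
        if len(targets) >= SHARE_SCAN_THRESHOLD:
            flags[host].add("share_scan")
    return dict(flags)


def likely_gbot_hosts(lines):
    """Hosts with the IRC connection plus at least one corroborating behaviour;
    a lone outbound IRC connection is not enough on its own."""
    return sorted(h for h, f in analyze(lines).items()
                  if "outbound_irc_6659" in f and ("inbound_113" in f or "share_scan" in f))


# Constructed sample log (documentation-range addresses, not the write-up's masked IP)
SAMPLE_LOG = """\
2004-04-22T10:01:05 IN tcp 203.0.113.7:41022 -> 10.0.0.15:113
2004-04-22T10:01:09 OUT tcp 10.0.0.15:1054 -> 203.0.113.44:6659
2004-04-22T10:02:11 OUT tcp 10.0.0.15:1055 -> 10.0.0.23:445
2004-04-22T10:02:12 OUT tcp 10.0.0.15:1056 -> 10.0.0.24:445
2004-04-22T10:02:13 OUT tcp 10.0.0.15:1057 -> 10.0.0.25:139
this line is garbage and must be skipped
2004-04-22T10:05:00 OUT tcp 10.0.0.23:1100 -> 198.51.100.9:80
2004-04-22T10:06:30 IN tcp 203.0.113.99:50000 -> 10.0.0.23:113
2004-04-22T10:07:00 OUT tcp 10.0.0.30:2000 -> 198.51.100.5:6659
""".splitlines()

if __name__ == "__main__":
    for host, seen in sorted(analyze(SAMPLE_LOG).items()):
        print(host, sorted(seen))
    print("likely Gbot hosts:", likely_gbot_hosts(SAMPLE_LOG))
    print(is_observed_drop_name(r"C:\My Documents\Windows_XP_Key_Generator.exe"))
```

Host 10.0.0.23 only shows an inbound hit on port 113 (someone probing the MyDoom backdoor), and 10.0.0.30 only an outbound IRC connection, so neither is reported; 10.0.0.15 shows the full sequence the write-up describes and is. A real deployment would feed the parser the firewall's actual record format and tune the share-scan threshold to the network.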

