Computer manual for w32/anker.d
Category: E-mail worms
Submitted by: Administrator

Aliases: w32.ahker.d@mm, worm_ahker.d, email-worm.win32.anker.d
Type: e-mail worm
Size: 13,824 bytes
Origin: Internet
Destructive: yes
In the wild: yes
Detection and removal: The Hacker 5.7, virus signature file dated 16/02/2005
w32/anker.d@mm is a worm that spreads through mass e-mailings. It uses the MAPI (Messaging Application Programming Interface) libraries to send copies of itself to every address it finds in the address book of the attacked computer.
Characteristics of the e-mail message:
Subject: [variable, one of the following]
- blaster new variant...protect your system!
- read! symantec disaster!
- symantec vs blaster
- blaster strikes again...please read!
- please read!
- please read!!
- read it!
- read this for your pc safety!
- read this please!
Body:
dear user, a new variant of the worm blaster has been released a week
ago! its spreading faster than it ever did, this version of blaster has
been classified as category
symantec has developped a new patch file which will prevent the new
variant of blaster to be executed and keep your system safe and clean.
symantec strongly recommends you to download and install the patch file
before its too late!
the patch file can be found in the attachment, please make sure you
install it before being infected, because if youre already infected, the
patch file cannot fix/remove this type of threat as its not yet studied
quite good.
symantec will soon release the removal tool for this threat.
so if you dont often visit symantec.com, we recommend you to visit us
everyday to be in touch with the news of this type of threat. p.s: we
would like to thank mr.bazzi for making this patch file.
regards,
symantec, www.symantec.com
Attachment: patch.zip
--------------------------------
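The lure described above (a fixed set of subjects, a fixed attachment name and a distinctive body text) is exactly the kind of thing a mail gateway or mailbox sweep can match on. As an added example that is not code from the original page or from the vendor it cites, the Python script below scores a raw message against those indicators; the indicator sets are transcribed from this write-up, while the sample message and the sender and recipient addresses are constructed here for the demonstration, not captured from a real infection.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure indicators transcribed from the write-up above: subject lines, the
# attachment name and a few distinctive body phrases.
LURE_SUBJECTS = {
    "blaster new variant...protect your system!",
    "read! symantec disaster!",
    "symantec vs blaster",
    "blaster strikes again...please read!",
    "please read!",
    "please read!!",
    "read it!",
    "read this for your pc safety!",
    "read this please!",
}
LURE_ATTACHMENT = "patch.zip"
LURE_BODY_PHRASES = ("new variant of the worm blaster", "thank mr.bazzi")


def score_message(raw: bytes) -> dict:
    """Return which lure indicators a raw RFC 5322 message matches.

    Two or more independent indicators (subject, attachment name, body text)
    are required for a positive verdict, so a legitimate mail that merely
    says "please read!" is not flagged on the subject alone.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    subject = (msg["subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        hits.append("subject")

    names = [(part.get_filename() or "").lower() for part in msg.iter_attachments()]
    if LURE_ATTACHMENT in names:
        hits.append("attachment")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(phrase in text for phrase in LURE_BODY_PHRASES):
        hits.append("body")

    return {"hits": hits, "verdict": "ahker_lure" if len(hits) >= 2 else "clean"}


def build_sample_lure() -> bytes:
    """Constructed sample message in the shape the write-up describes (not a real capture)."""
    m = EmailMessage()
    m["From"] = "symantec@example.invalid"   # constructed sender address
    m["To"] = "user@example.invalid"         # constructed recipient address
    m["Subject"] = "Symantec vs Blaster"
    m.set_content(
        "Dear user, a new variant of the worm Blaster has been released a week ago!\n"
        "The patch file can be found in the attachment.\n"
        "P.S: we would like to thank Mr.Bazzi for making this patch file.\n"
    )
    # Placeholder bytes standing in for the zipped worm body; only the name matters here.
    m.add_attachment(b"PK\x03\x04" + b"\x00" * 16, maintype="application",
                     subtype="zip", filename="patch.zip")
    return m.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample_lure()))
```

The two-indicator rule is the design choice worth copying: subject-only matching on "please read!" would generate noise, while the attachment name plus the body text together are specific to this campaign.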
When the worm is executed it copies itself to:
- windows\ccapp.exe
- userprofile\start menu\programs\startup\norton.exe
Note:
- windows represents the Windows installation folder (e.g. c:\windows, c:\winnt)
It also modifies the following registry entries so that it is executed at every system start:
hkey_local_machine\software\microsoft\windows\currentversion\run
norton auto-protect= windows \ ccapp.exe
hkey_local_machine\software\microsoft\windows\currentversion\runservices
symantec service= windows \ ccapp.exe
It also modifies the following values in an attempt to disable the firewall and antivirus notifications:
hkey_local_machine\software\policies\microsoft\windowsfirewall\domainprofile
enablefirewall=1
hkey_local_machine\software\policies\microsoft\windowsfirewall\standardprofile
enablefirewall=1
hkey_current_user\software\policies\microsoft\windowsfirewall\domainprofile
enablefirewall=1
hkey_current_user\software\policies\microsoft\windowsfirewall\standardprofile
enablefirewall=1
It also changes some registry values to alter the security levels:
hkey_local_machine\software\policies\microsoft\windows\windowsupdate\au
auoptions=1
hkey_current_user\software\policies\microsoft\windows\windowsupdate\au
auoptions=1
hkey_current_user\software\policies\microsoft\windows\windowsupdate\au
noautoupdate=1
hkey_local_machine\software\policies\microsoft\windows\windowsupdate\au
noautoupdate=1
hkey_current_user\software\microsoft\security center
antivirusdisablenotify= 1
hkey_local_machine\software\microsoft\security center
antivirusdisablenotify= 1
hkey_current_user\software\microsoft\security center
firewalldisablenotify= 1
hkey_local_machine\software\microsoft\security center
firewalldisablenotify= 1
hkey_current_user\software\microsoft\security center
updatesdisablenotify= 1
hkey_local_machine\software\microsoft\security center
updatesdisablenotify= 1
hkey_current_user\software\microsoft\windows\currentversion\policies\explorer
disallowrun= 1
hkey_current_user\software\microsoft\windows\currentversion\policies\explorer
norun= 1
hkey_current_user\software\microsoft\windows nt\currentversion\systemrestore
disablesr=1
hkey_local_machine\software\microsoft\windows nt\currentversion\systemrestore
disablesr=1
It also modifies the following entries to disable regedit and the Task Manager:
hkey_current_user\software\microsoft\windows\currentversion\policies\system
disableregistrytools=0
hkey_current_user\software\microsoft\windows\currentversion\policies\system
disabletaskmgr=1
It modifies the following registry entries:
hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\disallowrun
1 = regedit.exe
2 = notepad.exe
3 = wordpad.exe
4 = write.exe
5 = wuauclt.exe
6 = wupdmgr.exe
7 = msnmsgr.exe
8 = luall.exe
9 = aupdate.exe
10 = alunotify.exe
11 = norton.exe
12 = dap.exe
By modifying these entries the worm disables the following programs:
- regedit.exe
- notepad.exe
- wordpad.exe
- write.exe
- wuauclt.exe
- wupdmgr.exe
- program files\msn messenger\msnmsgr.exe
- program files\symantec\liveupdate\luall.exe
- program files\symantec\liveupdate\aupdate.exe
- program files\symantec\liveupdate\alunotify.exe
It overwrites the file winword.exe when a .doc file is opened, and it also disables script blocking so that the worm can run.
It attempts to terminate the following processes:
- lsass.exe
- msblast.exe
- pandaavengine.exe
- penis32.exe
- services.exe
- svchost.exe
- sysmonxp.exe
- bbeagle.exe
- d3dupdate.exe
- i11r54n4.exe
- irun4.exe
- mscvb32.exe
- navapw32.exe
- navw32.exe
- netstat.exe
- outpost.exe
- rate.exe
- ssate.exe
- sysinfo.exe
- taskmon.exe
- teekids.exe
- wincfg32.exe
- winsys.exe
- winupd.exe
- zapro.exe
- zonealarm.exe
Finally, the worm overwrites the hosts file located in system\drivers\etc\ to redirect URLs to localhost (127.0.0.1):
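The registry changes listed above (Run/RunServices persistence, Security Center notifications switched off, Task Manager and System Restore disabled, and the DisallowRun list) are the indicators a responder checks on a suspect host. As an added example that is not part of the original page, the Python script below parses a registry export in the REGEDIT5 text format and matches it against those indicators; the key paths and value names are transcribed from this write-up, while the sample export is constructed here for the demonstration.

```python
import re

# Indicators transcribed from the write-up above. Key paths and value names are
# compared case-insensitively because the Windows registry is case-insensitive.
PERSISTENCE_VALUES = [
    (r"hkey_local_machine\software\microsoft\windows\currentversion\run", "norton auto-protect"),
    (r"hkey_local_machine\software\microsoft\windows\currentversion\runservices", "symantec service"),
]
TAMPER_VALUES = [
    (r"hkey_local_machine\software\microsoft\security center", "antivirusdisablenotify", 1),
    (r"hkey_local_machine\software\microsoft\security center", "firewalldisablenotify", 1),
    (r"hkey_local_machine\software\microsoft\security center", "updatesdisablenotify", 1),
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\system", "disabletaskmgr", 1),
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer", "disallowrun", 1),
    (r"hkey_local_machine\software\microsoft\windows nt\currentversion\systemrestore", "disablesr", 1),
    (r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate\au", "noautoupdate", 1),
]
DISALLOW_RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\disallowrun"

# "Name"=data  (name may contain escaped quotes)
_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')


def parse_reg_export(text: str) -> dict:
    """Parse a REGEDIT5-style export into {key: {name: data}}.

    Only REG_SZ and REG_DWORD data are decoded; other types are kept as raw text.
    Keys, value names and string data are lowercased for case-insensitive matching.
    """
    snapshot, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            snapshot.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line) if current is not None else None
        if not m:
            continue
        name, data = m.group(1).lower(), m.group(2).strip()
        if data.startswith("dword:"):
            snapshot[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes and quotes inside string data
            snapshot[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1]).lower()
        else:
            snapshot[current][name] = data
    return snapshot


def find_indicators(snapshot: dict) -> dict:
    """Match a parsed snapshot against the persistence and tamper indicators."""
    findings = {"persistence": [], "tamper": [], "blocked_programs": []}
    for key, name in PERSISTENCE_VALUES:
        data = snapshot.get(key, {}).get(name)
        if isinstance(data, str) and "ccapp.exe" in data:
            findings["persistence"].append(f"{key}\\{name} = {data}")
    for key, name, expected in TAMPER_VALUES:
        if snapshot.get(key, {}).get(name) == expected:
            findings["tamper"].append(f"{key}\\{name} = {expected}")
    findings["blocked_programs"] = sorted(
        v for v in snapshot.get(DISALLOW_RUN_KEY, {}).values() if isinstance(v, str)
    )
    return findings


# Constructed sample export (not a real capture): one persistence entry, a
# partially tampered Security Center and a short DisallowRun list.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton Auto-Protect"="C:\\WINDOWS\\ccapp.exe"
"SomeVendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="regedit.exe"
"2"="notepad.exe"
"11"="norton.exe"
'''

if __name__ == "__main__":
    for category, items in find_indicators(parse_reg_export(SAMPLE_EXPORT)).items():
        print(category, items)
```

On a Windows host the same snapshot comes from `reg export` of the keys in question; that tool writes UTF-16, so open its output with `encoding="utf-16"` before passing the text to `parse_reg_export`. Working from an export rather than the live registry keeps the check usable from a forensic workstation that is not the infected machine.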
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 grisoft.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
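Pinning vendor update and support hostnames to the loopback address is a generic trick that outlived this worm, so the check is worth keeping independent of it. As an added example that is not code from the original page, the Python script below parses a hosts file, flags security-vendor hostnames mapped to any loopback address and returns a copy with those lines removed; the vendor domain list is taken from the entries above, and the sample hosts file is constructed for the demonstration.

```python
import ipaddress

# Vendor domains taken from the hosts entries listed in the write-up above.
SECURITY_VENDOR_DOMAINS = (
    "avp.com", "ca.com", "f-secure.com", "grisoft.com", "kaspersky-labs.com",
    "kaspersky.com", "mcafee.com", "my-etrust.com", "nai.com",
    "networkassociates.com", "sophos.com", "symantec.com",
    "symantecliveupdate.com", "trendmicro.com", "viruslist.com",
)


def parse_hosts(text: str):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts file.

    Handles '#' comments, tabs, several hostnames on one line and IPv6 addresses;
    lines whose first field is not an IP address are skipped rather than crashing.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield lineno, addr, host.lower().rstrip(".")


def is_vendor_host(host: str) -> bool:
    """True for a listed vendor domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def find_hijacked(text: str):
    """Return [(line_number, hostname)] for vendor hosts pinned to a loopback address.

    Testing addr.is_loopback instead of the literal 127.0.0.1 also catches the
    127.0.0.2-style and ::1 variants of the same redirection.
    """
    return [(lineno, host) for lineno, addr, host in parse_hosts(text)
            if addr.is_loopback and is_vendor_host(host)]


def remove_hijacks(text: str) -> str:
    """Return the hosts file text with the flagged lines dropped.

    A whole line is removed, so a line mixing a hijacked and a legitimate
    hostname loses both; that is the safer default for a cleanup step.
    """
    bad = {lineno for lineno, _ in find_hijacked(text)}
    kept = [line for n, line in enumerate(text.splitlines(), start=1) if n not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample hosts file (not a real capture).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1 symantec.com
127.0.0.1\twww.symantec.com liveupdate.symantec.com   # worm-style redirection
0.0.0.0 ads.example.invalid
10.0.0.5 intranet.example.invalid
"""

if __name__ == "__main__":
    for lineno, host in find_hijacked(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} is pinned to loopback")
```

Feeding the script the contents of `system\drivers\etc\hosts` from a suspect machine gives the line numbers to review; `remove_hijacks` produces the cleaned text to write back once the worm process itself has been stopped, since the page notes the worm rewrites the file.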
1992/2005