W32/Gibe.B

Category: Worms
Submitted by: Administrador


Aliases: i-worm.gibe.b, worm_gibe.b, w32/gibe.b@mm, w32/gibe-d, win32.gibe.b@mm, w32.gibe.b@mm, gibe.b, worm.w32/gibe.b@mm

Type: worm
Size: 155,648 bytes
Origin: Internet
Destructive: yes
In the wild: yes
Detection and removal: The Hacker 5.4 as of 08/03/2003
W32/Gibe.B is a worm that spreads via e-mail. It uses its own SMTP engine to send itself to every contact in the Windows Address Book and in Outlook. It also spreads through shared folders, the KaZaA file-sharing network and IRC, and it is written in Visual Basic.
Characteristics of the e-mail message:
Subject: Check this security patch from M+ Corporation
Body:
Microsoft [name] [where name can be any of the following: Customer, Client, Consumer, Partner]
This is the latest version of security update, the
February 2003, Cumulative Patch update which eliminates all
known security vulnerabilities affecting Internet Explorer,
Outlook and Outlook Express as well as five newly discovered
vulnerabilities. Install now to protect your computer from these
vulnerabilities, the most serious of which could allow an attacker to
run executable on your system. This update includes the functionality
of all previously released patches.
System requirements:
Win 9x/Me/2000/NT/XP
This update applies to:
Microsoft Internet Explorer, version 4.01 and later
Microsoft Outlook, version 8.00 and later
Microsoft Outlook Express, version 4.01 and later
Recommendation:
Customers should install the patch at the earliest opportunity.
How to install:
Run attached file. Click Yes on displayed dialog box.
How to use:
You dont need to do anything after installing this item.
Microsoft Technical Support is available at
http://support.microsoft.com/
For security-related information about Microsoft products,
please visit the Microsoft Security Advisor web site at
http://www.microsoft.com/security
Contact us at
http://www.microsoft.com/isapi/goregwiz.asp?target=/contactus/contactus.asp
Please do not reply to this message. It was sent from an unmonitored
e-mail address and we are unable to respond to any replies.
Thank you for using Microsoft products.
Attachment: [the name is chosen from the following list and carries the .zip or .exe extension]
update
update[random digits]
q[random digits]
p[random digits]
----------------------------------------------------------
When the worm runs, it displays the following fake message that pretends to come from Microsoft:
This product is protected by copyright laws and international
copyright treaties, as well as other intellectual property laws and
treaties.
All Microsoft products and related documents are
provided as is without warranty of any kind!
Microsoft and/or its respective suppliers hereby disclaim all warranties
and conditions with regard to this information, including all warranties
and conditions of merchantability, whether express, implied or
statutory, fitness for a particular purpose, title and non-infringement.
Microsoft does not warrant that the functions for the software or code
will meet your requirements, or that the operation of the software or
code will be uninterrupted or error-free, or that defects in the software
or code can be corrected. Furthermore, Microsoft does not warrant
or make any representations regarding the use or the results of the
use of the software, code or related documentation in terms of their
correctness, accuracy, reliability, or otherwise. No oral or written
information or advice given by Microsoft or its authorized
representatives shall create a warranty or in any way increase the
scope of this warranty. Should the software or code prove defective
after Microsoft has delivered the same, you, and you alone,
shall assume the entire cost associated with all necessary servicing,
repair or correction. In no event shall Microsoft and/or its respective
suppliers be liable for any special, indirect or consequential damages
or any damages whatsoever resulting from loss of use, data or profits,
whether in an action of contract, negligence or other tortious action,
arising out of or in connection with the use or performance of
software, documents, provision of or failure to provide services, or
information available from the services.
Copyright notice.
Copyright
2003 Microsoft Corporation, One Microsoft Way,
Redmond, Washington U.S.A. All rights reserved.
------------------------------------------------------------
It then copies itself to:
c:\windows\gibe.dll
c:\windows\update.exe
c:\windows\q[6 random digits].exe
c:\windows\temp\update.exe
c:\windows\temp\q[6 random digits].exe
It also creates the following worm components:
c:\windows\dx3drndr.exe - spreads via Outlook and SMTP
c:\windows\msbugadv.exe - harvests e-mail addresses and stores them in mailviews.db
c:\windows\mailviews.db - holds every address found on the system
c:\windows\wmsysdx.bin - holds all the URLs the worm connects to.
The worm also creates the following registry entry so that it runs at every system start:
hkey_local_machine\software\microsoft\windows\currentversion\run
dxload=c:\windows\dx3drndr.exe
It also creates the subkey Messenger Setup, with several values inside:
hkey_local_machine\software\microsoft\windows\currentversion\internet settings\messenger setup
coded...by begbie
server not found
email address not found
disp name <a string chosen by the worm>
lookname <name of a file holding a copy of the worm>
The strings used for disp name are taken from the following list:
server
microsoft
internet
post
mail
web
smtp
engine
automat
robot
daemon
The worm copies itself into the KaZaA and IRC shared folders under the following names:
iepatch.exe
kazaa upload.exe
porn.exe
sex.exe
xbox emulator.exe
ps2 emulator.exe
xp update.exe
xxx video.exe
sick joke.exe
free xxx pictures.exe
my naked sister.exe
hallucinogenic screensaver.exe
cooking with cannabis.exe
magic mushrooms growing.exe
i-worm_give cleaner.exe
In addition, the worm creates a shared subfolder inside the Windows Temp folder, registering it as shared through the system registry; the subfolder has a random name and contains the same worm files listed above.
hkey_current_user\software\kazaa\localcontent
dir99 temp\[subfolder created by the worm]
disablesharing 0
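The indicators in this writeup (the lure subject and attachment-name pattern, the dropped files and the Run value) can be turned into a simple host and mail check. The following Python script is an added example from the editor, not code from the original writeup or from The Hacker antivirus. It assumes its inputs have already been extracted: the mail subject and attachment file name as strings, a list of file paths from the Windows folder, and a dict of value name to value data read from the Run key; the function names classify_mail and classify_host and the sample data are the editor's own.

```python
import re
from typing import Dict, Iterable, List

# Indicators transcribed from the writeup above. Everything is compared in
# lower case because Windows paths and mail subjects are case-insensitive.
LURE_SUBJECT = "check this security patch from m+ corporation"
# Attachment name: update, update<digits>, q<digits> or p<digits>, .zip or .exe.
LURE_ATTACHMENT_RE = re.compile(r"^(?:update\d*|[qp]\d+)\.(?:zip|exe)$")

# Copies and components dropped under C:\Windows with fixed names.
DROPPED_FIXED = {
    r"c:\windows\gibe.dll",
    r"c:\windows\update.exe",
    r"c:\windows\temp\update.exe",
    r"c:\windows\dx3drndr.exe",
    r"c:\windows\msbugadv.exe",
    r"c:\windows\mailviews.db",
    r"c:\windows\wmsysdx.bin",
}
# q<6 random digits>.exe in C:\Windows or C:\Windows\Temp.
DROPPED_RANDOM_RE = re.compile(r"^c:\\windows\\(?:temp\\)?q\d{6}\.exe$")

# Persistence: the Run value "dxload" pointing at the SMTP component.
RUN_VALUE_NAME = "dxload"
RUN_VALUE_DATA = r"c:\windows\dx3drndr.exe"


def classify_mail(subject: str, attachment: str) -> List[str]:
    """Return which lure indicators a message matches ([] means none)."""
    hits = []
    if subject.strip().lower() == LURE_SUBJECT:
        hits.append("subject")
    if LURE_ATTACHMENT_RE.match(attachment.strip().lower()):
        hits.append("attachment")
    return hits


def classify_host(paths: Iterable[str], run_values: Dict[str, str]) -> List[str]:
    """Return the dropped files and Run values that match the writeup's indicators."""
    hits = []
    for path in paths:
        p = path.strip().lower()
        if p in DROPPED_FIXED or DROPPED_RANDOM_RE.match(p):
            hits.append("file:" + p)
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME and data.strip().lower() == RUN_VALUE_DATA:
            hits.append("run:" + name.lower())
    return hits


# Constructed sample data (not captured from a real infection).
SAMPLE_MAILS = [
    ("Check this security patch from M+ Corporation", "Q382417.exe"),
    ("Hi", "update.exe"),            # attachment pattern only
    ("Re: lunch", "agenda.pdf"),     # clean
    ("Invoice", "update.zip.txt"),   # double extension: not the worm's pattern
]
SAMPLE_PATHS = [
    r"C:\WINDOWS\q123456.exe",
    r"C:\WINDOWS\TEMP\update.exe",
    r"C:\WINDOWS\notepad.exe",
    r"C:\WINDOWS\q12345.exe",        # only five digits: not the worm's pattern
]
SAMPLE_RUN = {
    "dxload": r"C:\WINDOWS\dx3drndr.exe",
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    for subject, attachment in SAMPLE_MAILS:
        print(f"{subject!r} / {attachment!r}: {classify_mail(subject, attachment)}")
    print("host:", classify_host(SAMPLE_PATHS, SAMPLE_RUN))
```

The attachment regex is anchored at both ends, so names such as update.zip.txt are not flagged, and the random-name pattern insists on exactly six digits as the writeup states; both choices trade a little recall for fewer false positives on ordinary files.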
Finally, it will try to connect to one of the following NNTP (Network News Transfer Protocol) servers, where it looks for addresses to send itself to.
12-254-107-9.client.attbi.com
141.4.4.45
142.155.129.4
194.133.33.10
202.108.36.140
202.184.155.10
207.230.236.9
207.41.8.25
210.221.55.119
64.14.86.166
acs2.byu.edu
asics.co.jp
baldrick.blic.net
baracka.rz.uni-augsburg.de
blob.linuxfr.org
bolo.nais.com
bolzen.logivision.net
bossix.informatik.uni-kiel.de
butthead.cybertrails.com
concern.wolters-kluwer.nl
correo.uvigo.es
cypress.alberni.net
demonews.mindspring.com
flis.man.torun.pl
ftp.tomica.ru
gail.ripco.com
glu08.dna.affrc.go.jp
graf.cs.uni-magdeburg.de
grieg.uol.com.br
gsc.gsi.com
gwdu112.gwdg.de
hermes1.rz.hs-bremen.de
htsrv.attack.ru
humbolt.nl.linux.org
chivato.uah.es
iis.tordata.se
inetgate.tp.ac.sg
info.rgv.net
inx3.inx.net
l1.newaygo.mi.us
lord.usenet-edu.net
lugnet.com
moon.ees.hokudai.ac.jp
msnews.microsoft.com
narzisse.hrz.tfh-wildau.de
natasha.ncag.edu
neptun.beotel.yu
news.abcs.com
news.aoc.gov
news.avcinc.com
news.avicenna.com
news.caiwireless2.com
news.caribsurf.com
news.cofc.edu
news.coli.uni-sb.de
news.cs.tu-berlin.de
news.datast.net
news.detnet.com
news.discom.net
news.dma.be
news.dsuper.net
news.fwi.com
news.fxalert.com
news.gamma.ru
news.gcip.net
news.gdbnet.ad.jp
news.htwm.de
news.ind.mh.se
news.inet.gr
news.informatik.uni-bremen.de
news.invarnet.inwar.com.pl
news.itcanada.com
news.jerseycape.net
news.konkuk.ac.kr
news.krs.ru
news.louisa.net
news.man.torun.pl
news.math.cinvestav.mx
news.matnet.com
news.mindvision.com.au
news.netcarrier.com
news.nchu.edu.tw
news.odata.se
news.phoenixsoftware.com
news.ramlink.net
news.savvis.net
news.sexzilla.com
news.srv.cquest.utoronto.ca
news.terra-link.com
news.tln.lib.mi.us
news.tohgoku.or.jp
news.ttnet.net.tr
news.tu-ilmenau.de
news.uni-hohenheim.de
news.unitel.co.kr
news01.uni-trier.de
news1.sinica.edu.tw
news4.odn.ne.jp
newscache0.freenet.de
newscache1.freenet.de
newscache2.freenet.de
newscache3.freenet.de
newscache4.freenet.de
newscache5.freenet.de
newsfeed.ctrl-c.liu.se
news-read2.maxwell.syr.edu
newssvr20-ext.news.prodigy.com
nserver.enc-1.com
oak.cise.ufl.edu
penelope-gw.oswego.edu
pluto.sm.dsi.unimi.it
pronews.centramedia.net
proxy.dvgd.ru
pumba.class.udg.mx
ran.age.ne.jp
rebell.ghks.de
rtcsrv5.realtech.de
s1.texinet.com
server.internetoutlet.net
server.pspu.ac.ru
sparky.midwest.net
sunu789.rz.ruhr-uni-bochum.de
tabloid.uwaterloo.ca
targetvision.com
test.easynews.com
tiger.aba.net.au
tomcat.admin.navo.hpc.mil
tomcat.med.uoeh-u.ac.jp
tthsc5.ttuhsc.edu
tyr.eiknes.se
vanaema.matti.ee
vulkan.euv-frankfurt-o.de
weber.techno-link.com
wisipc.weizmann.ac.il
wixer052.greyware.com
www.focalnet.com
yucatan.franconews.org

