w32/mydoom.ad

Category: E-mail worms

Submitted by: Administrador

Technical description of w32/mydoom.ad

w32.mydoom.ad@mm
type: e-mail worm
size: 36,864 bytes
origin: internet
destructive: yes
in the wild: yes
detection and removal: the hacker 5.7, virus database of 05/10/2004
w32/mydoom.ad@mm is a worm that spreads via e-mail using its own SMTP engine, and also through P2P file-sharing networks and IRC. The worm harvests e-mail addresses from the Windows Address Book and from files with the following extensions: .wab, .pl, .adb, .tbb, .dbx, .asp, .php, .sht, .htm and .txt.
The worm avoids sending itself to addresses that contain any of the following strings:
be_loyal postmaster@ mozilla utgers.ed tanford.e pgp acketst isc.o isi.e ripe. arin. sendmail rfc-ed ietf iana usenet fido linux kernel ibm.com fsf. gnu mit.e bsd math unix berkeley foo. .mil gov. .gov winzip help@ gold-certs@ @micros @microsoft @messagelab sopho panda icrosof syma @avp account google certific listserv ntivi support microsoft admin page the.bat gold-certs feste submit not help service privacy somebody soft contact site rating bugs you your someone anyone nothing nobody noone webmaster postmaster samples info root spm spam www secur abuse
Characteristics of the e-mail message:
Subject: [any of the following]
latest net security patch for your system latest microsoft critical upgrade latest internet critical upgrade latest network critical pack latest network critical patch latest network critical update latest net critical pack latest net critical upgrade latest net critical update latest net critical patch latest internet upgrade latest microsoft upgrade latest microsoft patch latest security pack latest microsoft security patch latest network security update latest internet update latest net update see the security patch install the security update download the important patch download this important pack check these important update see these security pack use the security patch use the security upgrade use the security update try the security pack try the security patch try the security upgrade checkout the internet patch check this internet pack checkout the security patch install these security upgrade install this pack install this patch install this security patch install that secrity pack try that security upgrade try that security patch try that security pack apply this upgrade apply this pack apply this patch check that internet patch check that internet pack use this security internet patch use these security internet patch download this important pack apply this important pack install this important pack watch this internet pack use this important pack try this important pack checkout this important pack check that important pack check this important pack current upgrade current update current patch current net security upgrade current net security pack current net security update current internet critical patch current network critical patch current net critical patch current internet security patch current network security patch current net security patch
Body: [any of the following]
try this upgrade. here is the upgrade. this is the latest patch for your system. download the patch. run this patch. check. dear user, make your system clean and safe by patch your system with the latest updates. try this update now. try this patch now. check the attachment to apply the patch. update your system now. patch your system now. you can check the attachment for more information. this is the latest version of security update. just download and run attached file and click ok to msg boxes. check the attachment to patch your system for latest update. check the attachment. check the attachment for more information. checkout the attachment for more information.
followed by the text:
+++ attachment: no virus found
or followed by one of the following texts:
+++ attachment: no virus found
+++ messagelabs antivirus - www.messagelabs.com
+++ bitdefender antivirus - www.bitdefender.com
+++ mc-afee antivirus - www.mcafee.com
+++ kaspersky antivirus - www.kaspersky.com
+++ panda antivirus - www.pandasoftware.com
+++ norman antivirus - www.norman.com
+++ f-secure antivirus - www.f-secure.com
+++ norton antivirus - www.symantec.com
Attachment: [one of the following names, with extension .cpl, .bat, .cmd, .exe, .scr or .pif]
pack_55775 pack28376 pack_4273 pack714283 pack_52864 pack_64237 pack83428 pack9162 pack7243 pack5648 pack_9876 pack86436 pack563 pack_42 pack742 pack83278 pack7152 pack_672 pack_3775 pack_7254 update_513 update_52345 update_623 update_5143 update_7234 update_6343 update_133 update_612 update12 update_5284 update_7252 update_5243 update_52784 update_7363 update926284 update653804 update9649063 update075399 update66964 patch_63494 patch_4308 patch1850 patch648954 patch_t385 patch06469 patch39075 patch_6379 patch_5358 patch_3358 patch0857 patch164789 patch6438 patch_642 patch_42 patch_63 patch_6857 patch_7547 patch_2 patch_1
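The message characteristics above are enough to write a gateway-side check. The following is an added example, not part of the original description: it scores a message on the markers the description gives (an executable attachment whose name follows the pack/update/patch pattern, the forged "+++ attachment: no virus found" footer, and the patch-themed subject wording). The scoring threshold, the indicator names and the sample messages are constructed for this demonstration.

```python
"""Detect the MyDoom.AD lure mail described above (added example, not the
original page's code). Markers come from the description; thresholds and
samples are constructed assumptions."""
import re

# Extensions the description lists for the attachment.
EXEC_EXTENSIONS = {".cpl", ".bat", ".cmd", ".exe", ".scr", ".pif"}
# pack_55775, update12, patch_t385: lure prefix, optional underscore, short tail.
LURE_NAME = re.compile(r"^(pack|update|patch)_?[a-z0-9]{1,8}$", re.IGNORECASE)
# The forged "scanned, clean" footer the worm appends to the body.
FORGED_FOOTER = re.compile(r"\+\+\+\s*attachment:\s*no virus found", re.IGNORECASE)
# Subjects are "<verb/adjective> ... <patch|upgrade|update|pack>".
SUBJECT_WORDS = re.compile(
    r"\b(latest|current|install|use|try|apply|check(out)?|download|see|watch)\b.*"
    r"\b(patch|upgrade|update|pack)\b", re.IGNORECASE)


def split_name(filename):
    """Return (stem, extension) of a filename, both lower-cased."""
    stem, dot, ext = filename.lower().rpartition(".")
    return (stem, "." + ext) if dot else (filename.lower(), "")


def lure_indicators(subject, body, attachment):
    """Return the names of the MyDoom.AD markers matched by one message."""
    hits = []
    stem, ext = split_name(attachment)
    if ext in EXEC_EXTENSIONS:
        hits.append("executable-attachment")
        if LURE_NAME.match(stem):
            hits.append("mydoom-lure-filename")
    if FORGED_FOOTER.search(body):
        hits.append("forged-av-footer")
    if SUBJECT_WORDS.search(subject):
        hits.append("patch-lure-subject")
    return hits


def is_mydoom_lure(subject, body, attachment):
    """Executable attachment plus at least two further markers (assumed threshold)."""
    hits = lure_indicators(subject, body, attachment)
    return "executable-attachment" in hits and len(hits) >= 3


# Constructed sample messages: one worm lure, one ordinary mail, one with
# lure wording but a harmless attachment type.
SAMPLE_MESSAGES = [
    {"subject": "latest microsoft critical upgrade",
     "body": "dear user, make your system clean and safe by patch your system "
             "with the latest updates.\n+++ attachment: no virus found\n"
             "+++ messagelabs antivirus - www.messagelabs.com\n",
     "attachment": "patch_63494.scr"},
    {"subject": "Q3 budget spreadsheet",
     "body": "Hi, numbers attached.\n",
     "attachment": "budget_q3.xlsx"},
    {"subject": "install this patch",
     "body": "see attachment\n",
     "attachment": "notes.txt"},
]


def triage(messages):
    """Return one verdict per message, in order."""
    return [is_mydoom_lure(m["subject"], m["body"], m["attachment"]) for m in messages]


if __name__ == "__main__":
    for m, verdict in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(verdict, m["attachment"], lure_indicators(m["subject"], m["body"], m["attachment"]))
```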
When executed, the worm creates the following mutexes, which prevent any variant of w32/netsky@mm from running:
muxxxxtenyksdesignedasthefollowerofskynet-d droppedskynet _-ooaxx|-+s+-+k+-+y+-+n+-+e+-+t+-|xxkoo-_ [skynet.cz]systemsmutex admskynetjkls003 ____--->>>>u<<<<--____ _-oo]xx|-s-k-y-n-e-t-|xx[oo-_
It then displays fake message boxes with the following text:
security patch
this will instal microsoft security patch,please wait...........
[ ok ]
---------------------------------
security patch
this patch has been successfully installed
[ ok ]
Next it copies itself as:
system\patch31345.exe
windows\patch31345.exe
temp\patch31345.exe
Note:
- windows represents the Windows installation folder (e.g. c:\windows, c:\winnt)
- system represents the system folder inside the Windows folder (e.g. c:\windows\system, c:\winnt\system32)
- temp represents the temporary folder (e.g. c:\windows\temp, c:\winnt\temp)
It also modifies the following entries in the system registry to register the service, so that it is launched at every startup:
hkey_current_user\software\microsoft\windows\currentversion\run
av client = system\patch31345.exe
hkey_local_machine\software\microsoft\windows\currentversion\run
av client = system\patch31345.exe
hkey_current_user\software\microsoft\windows\currentversion\run
av industry = windows\patch31345.exe
hkey_local_machine\software\microsoft\windows\currentversion\run
av industry = windows\patch31345.exe
It also creates the following entries:
hkey_current_user\software\microsoft\windows\currentversion\explorer\comdlg32\version
hkey_local_machine\software\microsoft\windows\currentversion\explorer\comdlg32\version
It will delete any of the following values that it finds under
hkey_local_machine\software\microsoft\windows\currentversion\run
winsock2 driver microsoft ie execute shell tmproxy nav agent mcafeevirusscanservice pccguide.exe pcciomon.exe pcclient.exe mcvsrte mcregwiz vsochecktask virusscan online mcupdateexe scriptblocking ccapp nprotect f-secure manager f-secure tnb zone labs client ex tiny av sysmonxp special firewall service skynetsrevenge pandaavengine norton antivirus av netdy my av msinfo kasperskyaveng jammer2nd icqnet icq net htprotect firewallsvr easyav antivirus 9xhtprotect
It then copies itself, under a range of lure filenames, into the shared folders of P2P applications.
It also attempts to copy itself to the following locations:
c:\winnt\profiles\default user\start menu\programs\startup\patch31345.exe
c:\winnt\profiles\administrator\start menu\programs\startup\patch31345.exe
c:\winnt\profiles\all users\start menu\programs\startup\patch31345.exe
c:\documents and settings\default user\start menu\programs\startup\patch31345.exe
c:\documents and settings\administrator\start menu\programs\startup\patch31345.exe
c:\documents and settings\all users\start menu\programs\startup\patch31345.exe
c:\windows\start menu\programs\startup\patch31345.exe
c:\winme\start menu\programs\startup\patch31345.exe
c:\win95\start menu\programs\startup\patch31345.exe
c:\win98\start menu\programs\startup\patch31345.exe
Finally, the worm overwrites the hosts file located in system\drivers\etc\ so that the web sites of antivirus vendors (update and download servers included) resolve to localhost (127.0.0.1), which blocks signature updates and access to vendor support pages.
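A hosts file that maps vendor domains to loopback is a cheap, durable indicator of this tampering. The following is an added example, not the original page's code: it parses hosts-file text and flags loopback or 0.0.0.0 mappings for domains on a vendor watch list. The watch list is assumed (built from the vendor domains the worm redirects; substitute your own), and the sample hosts content is constructed.

```python
"""Flag hosts-file entries that sinkhole security-vendor domains, as
MyDoom.AD does (added example, not from the original description).
VENDOR_DOMAINS is an assumed watch list; SAMPLE_HOSTS is constructed."""
import ipaddress

# Registrable (second-level) domains to watch; assumed list for this demo.
VENDOR_DOMAINS = {
    "pandasoftware.com", "pandasoftware.de", "avp.com", "viruslist.com",
    "symantec.com", "symantecliveupdate.com", "networkassociates.com",
    "nai.com", "kaspersky-labs.com", "kaspersky.com", "mcafee.com",
    "f-secure.com", "sophos.com", "ca.com", "my-etrust.com", "trendmicro.com",
}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text.
    Comments, blank lines and lines with an unparsable address are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield ip, host.lower(), line_no


def registrable_domain(host):
    """Reduce a hostname to its last two labels (good enough for .com/.de)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_sinkholed_vendors(text):
    """Return (line_no, hostname, ip) for vendor hosts mapped to a dead address."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        sinkholed = ip.is_loopback or ip.is_unspecified
        if sinkholed and registrable_domain(host) in VENDOR_DOMAINS:
            findings.append((line_no, host, str(ip)))
    return findings


# Constructed sample: a legitimate localhost line, three worm-style entries,
# and an unrelated internal mapping that must not be flagged.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 www.pandasoftware.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 downloads1.kaspersky-labs.com
192.168.1.10 intranet.example.test
"""

if __name__ == "__main__":
    for line_no, host, ip in find_sinkholed_vendors(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip}")
```

On a live Windows host the text would be read from %SystemRoot%\system32\drivers\etc\hosts; any hit should be treated as a sign of tampering rather than a misconfiguration.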

