w32/mytob_mx@mm

Category: E-mail worms
Submitted by: Administrator

Computing guide for w32/mytob_mx@mm

Aliases: worm_mytob.mx, w32/mytob.he@mm, w32/mytob.pl@mm, net-worm.win32.mytob.do
Type: e-mail worm
Size: 53,760 bytes
Origin: Internet
Destructive: no
In the wild: yes
Detection and removal: The Hacker 5.9, virus database as of 24/11/2005
w32/mytob.mx@mm is a worm that spreads through shared network resources. This mass-mailing worm uses its own SMTP engine to send itself to every e-mail address it finds on the compromised computer, including addresses inside files with the following extensions: .adb, .asp, .dbx, .htm, .php, .sht, .tbb, .pl and .wab.
The worm avoids sending itself to addresses that contain any of the following strings:
abuse accoun admin administrator anyone bsd bugs certific contact fcnz feste gold-certs google help icrosoft info linux listserv mail nobody noone not nothing ntivi page postmaster privacy rating register root samples secur service site soft somebody someone spm submit support the.bat unix webmaster www utgers.ed you your .gov .mil acketst arin. avp berkeley borlan bsd example fido foo. fsf. gnu google gov. hotmail iana ibm.com icrosof ietf inpris isc.o isi.e kernel linux math mit.e mozilla msn. mydomai nodomai panda pgp rfc-ed ripe. ruslis secur sendmail sopho syma tanford.e unix usenet
E-mail message characteristics:
Subject: [variable; can be any of the following phrases:]
*detected* online user violation
*detected* online user violation
important notification
notice of account limitation
security measures
warning message: your services near to be closed.
you have successfully updated your password
you have successfully updated your password
your account is suspended
your account is suspended for security reasons
your new account password is approved
your password has been successfully updated
your password has been successfully updated
your password has been updated
your password has been updated
[random characters]
Body:
dear user [user name],
it has come to our attention that your {random} user profile ( x ) records are out of date. for further details see the attached document.
thank you for using [domain]!
the [domain] support team
+++ attachment: no virus (clean)
+++ [domain] antivirus - www.[domain]
dear [user name] member,
we have temporarily suspended your email account [user name].
this might be due to either of the following reasons:
1. a recent change in your personal information (i.e. change of address).
2. submiting invalid information during the initial sign up process.
3. an innability to accurately verify your selected option of subscription due to an internal error within our processors.
see the details to reactivate your [user name] account.
sincerely,the [domain] support team
+++ attachment: no virus (clean)
+++ [domain] antivirus - www.[domain]
dear [domain] member,
your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. if you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
if you choose to ignore our request, you leave us no choice but to cancel your membership.
virtually yours,
the [random name] support team
+++ attachment: no virus found
+++ [random name] antivirus - www.[random name]
dear user [user name],
you have successfully updated the password of your [domain] account.
if you did not authorize this change or if you need assistance with your account, please contact [domain] customer service at: [spoofed e-mail address]
thank you for using [domain]!
the [domain] support team
+++ attachment: no virus (clean)
+++ [domain] antivirus - www.[full domain]
Attachment: [variable, followed by the extension .bat, .cmd, .exe, .pif, .scr, or .zip]
account-details.zip
account-info.zip
account-password.zip
account-report.zip
approved-password.zip
document.zip
email-details.zip
email-password.zip
important-details.zip
new-password.zip
password.zip
updated-password.zip
[random characters].zip
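The subject lines, the fake "no virus" footer and the attachment names listed above are enough to build a simple mail-gateway triage rule. The following is an added example written for this write-up, not code from the original page or from the antivirus vendor: it parses a constructed MIME message, matches the message against the indicators quoted above, and flags it when at least two independent indicators agree (that threshold is a design choice of the example, not something the page states). The sample messages and the `example.test` domain are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message

# Indicators copied from the write-up above: subjects and attachment base
# names used by the worm. Subjects that end in random characters are not
# matched exactly; the footer and attachment checks still cover them.
KNOWN_SUBJECTS = {
    "*detected* online user violation",
    "important notification",
    "notice of account limitation",
    "security measures",
    "warning message: your services near to be closed.",
    "you have successfully updated your password",
    "your account is suspended",
    "your account is suspended for security reasons",
    "your new account password is approved",
    "your password has been successfully updated",
    "your password has been updated",
}
KNOWN_ATTACHMENT_STEMS = {
    "account-details", "account-info", "account-password", "account-report",
    "approved-password", "document", "email-details", "email-password",
    "important-details", "new-password", "password", "updated-password",
}
RISKY_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}
# The worm appends a fake "scanned clean" line to every body variant.
FAKE_AV_FOOTER = re.compile(r"^\+\+\+ attachment: no virus",
                            re.IGNORECASE | re.MULTILINE)


def attachment_names(msg: Message) -> list[str]:
    """Return lower-cased filenames of all attachment parts."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def plain_text_body(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of the message."""
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                body += payload.decode(errors="replace")
    return body


def triage(raw: str) -> dict:
    """Score one raw RFC 822 message against the Mytob.MX indicators."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    reasons = []
    if subject in KNOWN_SUBJECTS:
        reasons.append("known subject")
    if FAKE_AV_FOOTER.search(plain_text_body(msg)):
        reasons.append("fake antivirus footer")
    for name in attachment_names(msg):
        stem, dot, ext = name.rpartition(".")
        ext = "." + ext if dot else ""
        if ext in RISKY_EXTENSIONS and stem in KNOWN_ATTACHMENT_STEMS:
            reasons.append(f"known attachment name {name}")
        elif ext in RISKY_EXTENSIONS:
            reasons.append(f"executable attachment type {ext}")
    # Two independent indicators avoid flagging every mail with a .zip.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample shaped like the worm's second body variant.
SAMPLE_WORM_MAIL = """\
From: support@example.test
To: user@example.test
Subject: Your account is suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear user member,
We have temporarily suspended your email account.
+++ Attachment: No Virus (Clean)
+++ example.test Antivirus - www.example.test

--b1
Content-Type: application/zip; name="account-details.zip"
Content-Disposition: attachment; filename="account-details.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign sample for comparison.
SAMPLE_BENIGN_MAIL = """\
From: colleague@example.test
To: user@example.test
Subject: Meeting notes
Content-Type: text/plain

Attached are the notes from today.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_WORM_MAIL))
    print(triage(SAMPLE_BENIGN_MAIL))
```

Matching on the subject alone would miss the variants that end in random characters, which is why the footer and the attachment name carry equal weight here.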
When the worm runs it copies itself to:
System\dbg32.exe
It also drops a Trojan component named syst.exe into the System folder.
Note:
System represents the Windows system folder (e.g. c:\windows\system, c:\winnt\system32).
It also adds registry entries so that it runs at every system start:
hkey_local_machine\software\microsoft\windows\currentversion\run
debugger = System\dbg32.exe
hkey_local_machine\software\microsoft\windows\currentversion\runservices
debugger = System\dbg32.exe
It also disables the Shared Access service on Windows 2000/XP systems:
hkey_local_machine\system\currentcontrolset\services\sharedaccess
start = 4
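The persistence entries above can be checked offline against a registry export (the text produced by `regedit /e`), which is useful when triaging a disk image or a collected `.reg` file rather than a live host. This is an added example, not code from the page or the vendor: it parses the subset of `.reg` syntax that exports use, then reports the `debugger` value under the two Run keys, any Run value that points at `dbg32.exe`, and a `SharedAccess` service set to `Start=4` (disabled). The export text is constructed for the example; the `SomeVendorTray` entry is an invented benign neighbour.

```python
import re

# Constructed regedit-style export containing the entries the write-up
# lists plus one invented benign Run value. Backslashes are doubled as in
# real .reg files.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Debugger"="C:\\WINDOWS\\System32\\dbg32.exe"
"SomeVendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Debugger"="C:\\WINDOWS\\System32\\dbg32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)
SHARED_ACCESS = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse [key] sections and "name"=value lines; keys and value names
    are lower-cased, values keep their raw .reg encoding."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = m.group(2)
    return keys


def reg_string(value: str) -> str:
    """Decode a quoted REG_SZ value from .reg encoding (doubled backslashes,
    escaped quotes). Non-string values are returned unchanged."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return value


def find_persistence(keys: dict[str, dict[str, str]]) -> list[str]:
    """Report the Mytob.MX autostart values and the disabled SharedAccess
    service described in the write-up."""
    findings = []
    for key in RUN_KEYS:
        for name, raw in keys.get(key, {}).items():
            path = reg_string(raw).lower()
            if name == "debugger" or path.endswith("\\dbg32.exe"):
                findings.append(f"{key}\\{name} -> {path}")
    start = keys.get(SHARED_ACCESS, {}).get("start", "")
    if start.lower() == "dword:00000004":
        findings.append("sharedaccess service disabled (Start=4)")
    return findings


if __name__ == "__main__":
    for finding in find_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

Matching on the value name as well as the file name matters here: the same `debugger` value pointing at a renamed binary would still be reported, while the unrelated `SomeVendorTray` entry is not.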
Finally it attempts to connect to a specific IRC server [rax.ouichax.info]; if communication is established, it waits for remote commands from the attacker, which may do the following:
download, run and delete files; restart the compromised computer; send information about the compromised computer.
1992/2005

