- Type: Worm
- Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
W32.Wergimog is a worm that attempts to spread through removable drives. It also opens a back door and may steal information from the compromised computer.
When the worm is executed, it copies itself as one of the following files:
- %System%\service[RANDOM NUMBER].exe
- %Windir%\service[RANDOM NUMBER].exe
Next, the worm may create the following registry entries, so that it executes whenever Windows starts:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Adobe Reader Speed Launcher" = "%System%\service[RANDOM NUMBER].exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Adobe Reader Speed Launcher" = "%System%\service[RANDOM NUMBER].exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Adobe Reader Speed Launcher" = "%System%\service[RANDOM NUMBER].exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Adobe Reader Speed Launcher" = "%Windir%\service[RANDOM NUMBER].exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Adobe Reader Speed Launcher" = "%Windir%\service[RANDOM NUMBER].exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Adobe Reader Speed Launcher" = "%Windir%\service[RANDOM NUMBER].exe"
It may also create the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\pPkzmsiesk\"ISkxnksnam" = "[RANDOM VALUE]"
Next, it creates the following mutex so that only one instance of the threat executes on the computer:
kkk
It starts the Explorer.exe process and injects its code into it.
It then attempts to open a back door by connecting to the following remote location on TCP port 2040 or 80:
v2z.imageshak.biz
It may then perform the following actions:
- Download and execute a remote file
- Perform UDP and SYN flood attacks
- List the directory
- Send the user name of the compromised computer
- Delete itself
- Capture packets
- Open a requested URL
It attempts to steal host, user, port, and password information stored in the following files:
- %ProgramFiles%\FileZilla\sitemanager.xml
- %ProgramFiles%\FileZilla\recentservers.xml
It also attempts to steal the following information related to Mozilla Firefox:
- Current version
- Main page
- Installation directory
- All information in the Firefox SQLite database
The worm spreads by copying itself to removable drives as the following file:
%DriveLetter%\RECYCLER\autorun.exe
It may also create the following file in order to execute whenever the drive is used on another computer:
%DriveLetter%\autorun.inf
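As an added example (not part of the writeup above), the following Python checks a registry export and a removable-drive file listing for the persistence and spreading indicators described on this page. The sample data is constructed, and the path pattern for the dropped file is my assumption of how %System% and %Windir% expand on the listed Windows versions.

```python
import re

# Run/Winlogon keys and value name used for persistence, as listed above.
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
}
VALUE_NAME = "Adobe Reader Speed Launcher"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\pPkzmsiesk"

# Assumed expansion of %System%\service[RANDOM NUMBER].exe and
# %Windir%\service[RANDOM NUMBER].exe (C:\Windows, C:\Windows\System32,
# or the 9x-era C:\Windows\System). Matching on the path, not only on the
# value name, matters: a genuine Adobe Reader install registers the same
# "Adobe Reader Speed Launcher" value pointing at Reader_sl.exe.
PAYLOAD_RE = re.compile(
    r"^[a-z]:\\win(?:dows|nt)(?:\\system(?:32)?)?\\service\d+\.exe$", re.IGNORECASE
)


def check_registry(values):
    """values: iterable of (key, name, data) triples from a registry export."""
    hits = []
    for key, name, data in values:
        if key in RUN_KEYS and name == VALUE_NAME and PAYLOAD_RE.match(data):
            hits.append(("run-key persistence", key, name, data))
        elif key == MARKER_KEY and name == "ISkxnksnam":
            hits.append(("infection marker", key, name, data))
    return hits


def check_removable_drive(paths):
    """paths: file paths on a removable drive, relative to its root."""
    names = {p.lower().lstrip("\\") for p in paths}
    findings = []
    if "recycler\\autorun.exe" in names:
        findings.append(r"RECYCLER\autorun.exe present")
    if "autorun.inf" in names:
        findings.append("autorun.inf present in drive root")
    return findings


# Constructed sample data (not from a real infection): two malicious Run
# values, one benign Adobe value that must not be flagged, and the marker key.
SAMPLE_REGISTRY = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     VALUE_NAME, r"C:\Windows\System32\service4821.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     VALUE_NAME, r"C:\Windows\service77.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     VALUE_NAME, r"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"),
    (MARKER_KEY, "ISkxnksnam", "a1b2c3"),
]
SAMPLE_DRIVE = [r"\RECYCLER\autorun.exe", r"\autorun.inf", r"\photos\holiday.jpg"]
```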