Spam Levels Likely To Rise As Srizbi Botnet Comes Back To Life

When McColo, an ISP known for being a haven for spammers and scammers, was knocked offline two weeks ago, the notorious Srizbi botnet went down with it. This resulted in global spam volume plummeting by as much as 75%. Sadly, that’s about to change. FireEye, a threat research firm, has discovered that Srizbi is rising from the dead.

Researchers at the firm have discovered that Srizbi has begun updating all of its bots via its new command servers located in Estonia. New domains linked to the botnet have been found as well, with registrations located in Russia.

Here’s an excerpt from FireEye’s report:

As has been publicized, Srizbi had a mechanism to dynamically generate the C&C to which it would communicate based on a seed (magic number) in the binary, and a variation of the Julian date of the infected host. Our next post will go into the technical details of this algorithm. This dynamic DNS generation mechanism was the main reason why they were able to regain control, even though the primary IP, hosted at McColo, was and is still not routable. As soon as we stopped registering domain names, the Botnet owner swooped in and began registering domains, as he was able to predict which would be in use today.


As of now, the spam being sent by the revived Botnet is only targeting Russian addresses, but expect Srizbi to begin reaching out to the rest of the world in short order.

Source: http://www.allspammedup.com/2008/11/spam-levels-likely-to-rise-as-srizbi-botnet-comes-back-to-life/

New Malicious Spam Attack Claims Obama Resigned

Barack Obama and his inauguration are by far the hottest topics in the country right now, so it’s not surprising that a new malicious spam attack is exploiting him. A new wave of spam is underway with headlines proclaiming Obama has changed his mind and turned down the presidency. The messages contain links to a site that looks very much like the official Obama/Biden campaign site but which is actually a fake that delivers malware. Visitors to the malicious site will find a mix of fake and real news stories, one of which proclaims that Obama released a statement saying he no longer wants to be president. Clicking on the “more” link triggers a malicious download, a Trojan horse that turns the recipient’s computer into a zombie and adds it to the new Waledec botnet. Waledec sprang up just before Christmas and spread via fake greeting cards. Right now it’s the 9th largest botnet with an estimated 10,000 computers under its control.

This new attack will likely cause that number to sharply rise as users, alarmed by the headline, will click through without thinking. Experts say Waledec is most likely controlled by the same person responsible for the massive Storm botnet which wreaked havoc last year.

Source: http://www.allspammedup.com/2009/01/new-malicious-spam-attack-claims-obama-resigned/

New Valentine’s Day Spam Attack Underway

Not surprisingly, spammers have begun a new attack exploiting the upcoming Valentine’s Day holiday. New spam messages with subject lines such as “Falling in love with you”, “I belong to you”, and “I love being in love with you” have begun hitting inboxes. Security experts say the attack started on January 22nd. The body of the messages contains romantic-sounding one-liners like “Me and You”, “In Your Arms”, and “With all my love”, and a link. The link directs the recipient to a web page displaying 12 heart images and inviting them to click on one. Doing so downloads a malicious program called “love.exe” or “you.exe” which turns the infected computer into a zombie and adds it to the Waledec botnet, which is believed to be run by the same folks responsible for the Storm botnet. So far the botnet is sending an average of 11,000 messages per hour.

This is the same group responsible for the Obama spam sent earlier this month. That spam attempted to lure people to a fake Obama/Biden site with a link to a fake news story claiming Obama had abruptly declined to accept the presidency of the United States. This new botnet is growing so quickly it’s being called the new Storm botnet. It appears that the group behind it isn’t in a hurry to learn any new tricks because the old ones are still working just fine.

Source: http://www.allspammedup.com/2009/01/new-valentines-day-spam-attack-underway/

Virus Profile: W32/Checkout!91d0b88a

Risk Assessment
- Home Users: Low-Profiled
- Corporate Users: Low-Profiled
Date Discovered: 8/11/2007
Date Added: 8/11/2007
Origin: N/A
Length: 41,984 bytes
Type: Virus
SubType: Internet Worm
DAT Required: 5096
Virus Characteristics

-- Update August 12, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.darkreading.com/document.asp?doc_id=131362

This variant of W32/Checkout may be detected as W32/Generic.Delphi.a in earlier versions of the DAT.

This worm spreads via MSN Messenger. When installed, it sends the following message(s) to contact-list recipients, along with a zip file named img1756.zip (~42 KB).

* look @ my cute new puppy :-D
* look @ this picture of me, when I was a kid
* I just took this picture with my webcam, like it?
* check it, i shaved my head
* have u seen my new hair?
* what the fuck, did you see this?
* hey man, did you take this picture?

Upon execution, it creates a copy of itself in the Windows folder and also drops a zip file:

* %WINDIR%\img1756.zip (W32/Checkout zipped)
* %WINDIR%\svchost.exe (W32/Checkout)

(Where %WINDIR% is the Windows folder; e.g. C:\Windows)

It also drops a batch file (a.bat) to stop the following services. The .bat file is deleted after execution.

* Security Center
* winvnc4

Adds the following values to the registry:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Genuine Logon" = "svchost.exe"

The worm connects to an IRC channel on {blocked}.basecase.info.


Indications of Infection

* Presence of the files/registry keys mentioned
* Unexpected network connection to the associated site(s).
* MSN contacts receiving one of the messages with zip attachment.


Method of Infection
This worm spreads by sending MSN Messenger contacts a message containing a malicious zip file (W32/Checkout).
Removal Instructions
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Source: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=142934

Virus Profile: Spy-Agent.bw

Risk Assessment
- Home Users: Low-Profiled
- Corporate Users: Low-Profiled
Date Discovered: 8/20/2007
Date Added: 3/15/2007
Origin: N/A
Length: Varies
Type: Trojan
SubType: Win32
DAT Required: 4985
Virus Characteristics

-- Update December 2, 2008 --

A new variant began to be spammed to German customers earlier this morning. The trojan comes with an email claiming that your email account is locked and that the instructions to unlock the account can be found in the attachment (the trojan).

Filenames used are Sperrung.exe, Hinweis.exe and the dropped file is named Wins.exe.

Detection for these variants is included in today's 5452 DAT package.

An Extra DAT file can be obtained from the Extra DAT request page: http://www.webimmune.net/extra/getextra.aspx



-- Update August 19, 2008 --

Another variant got spammed today. The subject of these mails reads 'Colis postal' and pretends to be sent from 'La Poste France', or it pretends to be sent from 'Hawaiian Airlines' using the subject 'Your Flight Ticket N0165906'.

Attached to these mails is a ZIP archive, named 'La_Poste_N8832.zip' or 'Your Flight Ticket N0165906', which includes the trojan Spy-Agent.bw.

Detection for this new variant will be included in today's 5364 DATs.

-- Update August 18, 2008 --

A new variant of Spy-Agent.bw has been observed which comes as an attachment to a fake email claiming to be from Fedex. The attachment might be named Fedx-retr871.zip or similar.

Upon execution, a new variant creates the following file:

* C:\WINDOWS\system32\ntos.exe (Spy-Agent.bw)

It changes the following registry key:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe

-- Update August 04, 2008 --

A new variant of Spy-Agent.bw has been observed which comes as an attachment to a fake email claiming to be from UPS.

Upon execution, a new variant creates the following hidden files and hidden folder:

* %Windir%\System32\wsnpoem\ (folder)
* %Windir%\System32\wsnpoem\audio.dll (data file)
* %Windir%\System32\wsnpoem\video.dll (data file)
* %Windir%\System32\ntos.exe (Spy-Agent.bw)

(Where %Windir% is the Windows folder; C:\Windows)

The following registry keys are modified/added:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID =

The trojan injects its malicious code into the following process:

* winlogon.exe

It can connect to the following website to communicate stolen data, log actions and receive instructions:

* ahleinaks.ru

-- Update July 21, 2008 --

A new variant of Spy-Agent.bw has been observed which comes as an attachment to a fake email claiming to be from UPS.

It can connect to the following website to communicate stolen data, log actions and receive instructions:

* blatundalqik.ru

-- Update May 13, 2008 --

Upon execution, a new variant creates the following hidden files and hidden folder:

* %Windir%\System32\wsnpoem\ (folder)
* %Windir%\System32\wsnpoem\audio.dll (data file)
* %Windir%\System32\wsnpoem\video.dll (data file)
* %Windir%\System32\ntos.exe (Spy-Agent.bw)

(Where %Windir% is the Windows folder; C:\Windows)

The following registry keys are modified/added:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID =

The trojan injects its malicious code into the following process:

* winlogon.exe

It can connect to the following site to communicate stolen data, log actions and receive instructions:

* razvlekalovo.net

-- Update August 20, 2007 --


The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.techworld.com/security/news/index.cfm?newsID=9833&pagtype=samechan
--

A recent variant was found to be stealing data from recruitment websites when the user is infected. This variant can be proactively detected as New Win32.g2 using the following scanners with heuristics enabled: GroupShield, Secure Internet Gateway (SIG), Secure Mail Gateway (SMG), Secure Web Gateway (SWG), TOPS Email, VirusScan Enterprise Email, VirusScan Email.

Upon execution, it creates the following files and folder:

* %Windir%\System32\wsnpoem\ (folder)
* %Windir%\System32\wsnpoem\audio.dll (data file)
* %Windir%\System32\wsnpoem\video.dll (data file)
* %Windir%\System32\ntos.exe (Spy-Agent.bw)

(Where %Windir% is the Windows folder; C:\Windows)

The following registry keys are modified/added:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\pathx =
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID =
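The Userinit entry above (Spy-Agent.bw appends ntos.exe) and the Run entry in the W32/Checkout profile (a bare "svchost.exe") are the persistence locations a host check should audit. The following Python script is an added example, not McAfee's code: it audits a constructed registry snapshot (a dictionary standing in for real registry reads) for a Userinit value with entries beyond the stock userinit.exe and for Run values that rely on a bare filename or run a system-only binary name from outside System32. The VMware Tools entry and the explicit C:\Windows paths are assumptions added to give the checks a benign value to pass.

```python
"""Audit the two persistence locations named in the profiles above:
Winlogon\\Userinit (Spy-Agent.bw appends ntos.exe) and the Run key
(W32/Checkout registers a bare 'svchost.exe').  Added example, not McAfee's
code.  SNAPSHOT is a constructed stand-in for registry reads; on a live host
the same functions would be fed from winreg or an offline hive parser."""
import ntpath
from typing import Dict, List

# Constructed snapshot: registry value path -> data.  The first two mirror the
# indicators above (with explicit C:\Windows paths); the third is a benign entry.
SNAPSHOT: Dict[str, str] = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"C:\Windows\System32\userinit.exe,C:\Windows\System32\ntos.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Genuine Logon":
        "svchost.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VMware Tools":
        r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr',
}

# Windows binaries that legitimately run only from the system directory.
SYSTEM_ONLY_BINARIES = {"svchost.exe", "userinit.exe", "winlogon.exe", "lsass.exe"}


def audit_userinit(value: str) -> List[str]:
    """Return every Userinit entry other than the stock userinit.exe.
    Winlogon runs each comma-separated entry at logon, so an appended
    program (ntos.exe above) starts with every interactive session."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        directory, base = ntpath.split(entry)
        if base.lower() in ("userinit.exe", "userinit") and "system32" in directory.lower():
            continue
        extras.append(entry)
    return extras


def first_token(command: str) -> str:
    """The program part of a Run-key command line: a quoted path or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def audit_run_value(command: str) -> List[str]:
    """Flag a Run-key command that depends on PATH search order or that runs a
    system-only binary name from outside System32 (the bare 'svchost.exe' above)."""
    findings = []
    directory, base = ntpath.split(first_token(command))
    if not directory:
        findings.append(f"bare filename '{base}' is resolved through PATH search order")
    if base.lower() in SYSTEM_ONLY_BINARIES and "system32" not in directory.lower():
        findings.append(f"'{base}' launched from '{directory or '<no directory>'}' rather than System32")
    return findings


def audit_snapshot(snapshot: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the matching check on each value; returns only values with findings."""
    report: Dict[str, List[str]] = {}
    for path, data in snapshot.items():
        lower = path.lower()
        if lower.endswith("\\winlogon\\userinit"):
            findings = [f"extra Userinit entry: {e}" for e in audit_userinit(data)]
        elif "\\currentversion\\run\\" in lower:
            findings = audit_run_value(data)
        else:
            findings = []
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in audit_snapshot(SNAPSHOT).items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

Run as a script, it reports the Userinit value (one extra entry) and the "Microsoft Genuine Logon" value (two findings) and stays silent on the VMware entry. The Userinit check deliberately accepts "userinit" with or without ".exe", since the profile above lists the value without the extension.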

The trojan injects its malicious code into the following processes:

* svchost.exe
* winlogon.exe

A particular variant of Spy-Agent.bw can log into the following recruitment websites in search of resume data and personal information and then post them to:

* recruiter.monster.com
* hiring.monster.com

Spy-Agent.bw can connect to the following site(s) to communicate stolen data, log actions and receive instructions:

* http://195.189.{blocked}/mnstr/grabv2.php?getid=1
* http://195.189.{blocked}/spmv3.php?sendlog=
* http://195.189.{blocked}/mnstr/grabv2.php
* http://195.189.{blocked}/pmv3.php?sentmailz=

Sends spam e-mails via the following SMTP server:

* smtp.bizmail.yahoo.com


Indications of Infection

* Presence of file(s) and registry key(s) as previously mentioned.
* Unexpected network connections to the mentioned site(s).


Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. Certain known variants were also known to be installed via web exploits.
Removal Instructions

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations
Aliases
Infostealer.Monstres (Symantec)

Source: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=141745

Virus Profile: Downloader-UA.h

Risk Assessment
- Home Users: Medium
- Corporate Users: Low-Profiled
Date Discovered: 5/2/2008
Date Added: 5/2/2008
Origin: N/A
Length: various
Type: Trojan
SubType: Downloader
DAT Required: 5287
Virus Characteristics

Downloader-UA.h trojans are fake music and video files associated with fastmp3player.com.

File sizes vary because these files are padded with nulls. The file names vary as well. Here are some sample file names:

preview-t-3545425-adult.mpg
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-girls aloud st trinnians.mp3
preview-t-3545425-heartbroken fast t2 ft jodie.mp3
preview-t-3545425-jij bent zo jeroen van den.mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-paint me bunmingham.mp3
preview-t-3545425-paralyized by you.mp3
preview-t-3545425-pull over levert.mp3
preview-t-3545425-say it right remix.mp3
preview-t-3545425-st trinnians girls aloud.mp3
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-dx vs randi orton 2007.mpg
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-lion king portugues.mpg
t-3545425-los padres de ella.mpg
t-3545425-para sayo freestyle.mp3
t-3545425-peanut butter jelly amende.mp3
t-3545425-stare at sun thrice.mp3
t-3545425-suicide bride dana.mp3
t-3545425-wayne and jane.mp3

When a user attempts to load one of these MP3 and MPG files, they do not get the music/video they were hoping for; instead they are directed to download a file named PLAY_MP3.exe. In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip whatsoever.

If users agree to download and run PLAY_MP3.exe (detected as Generic PUP.a with McAfee DAT files) a 4,800 word EULA is displayed.

Indications of Infection

* Presence of the file names listed above
* Display of the EULA described above

Method of Infection

Downloader-UA.h trojans are propagated through P2P networks

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Source: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=144503

Win32/Malas.C

Type : Worm

Category : Win32

Also known as: W32/Bindo.worm (McAfee), INF/Malas.C, Worm:Win32/Malas.gen (MS OneCare), P2P-Worm.Win32.Malas.h (Kaspersky), WORM_MALAS.I (Trend), W32/Malas-B (Sophos), W32.SillyFDC (Symantec)



CA Antivirus 2007
Removal Instructions

Signature: 31.4.5784
Removal Instructions:

Download and apply the latest eTrust Antivirus signature file update. Launch the eTrust Antivirus - Local Scanner and run a full scan on all affected computer systems, with the "Infection Treatment File Actions" set to "Cure File" and enable the System Cure feature.

Consult the product help and/or visit SupportConnect for additional assistance with operating these features of eTrust Antivirus 6.x/v7.

Win32/Dowritn.BG

CA Antivirus 2007

Removal Instructions
Signature: 31.6.6276

Removal Instructions:

Download and apply the latest eTrust Antivirus signature file update. Launch the eTrust Antivirus - Local Scanner and run a full scan on all affected computer systems, with the "Infection Treatment File Actions" set to "Cure File" and enable the System Cure feature.

Consult the product help and/or visit SupportConnect for additional assistance with operating these features of eTrust Antivirus 6.x/v7.

Net-Worm.Win32.Kido.bt

This worm spreads via local networks and removable storage media. It is a PE DLL file. The components of the worm are between 155KB and 165KB in size. It is packed using UPX.
Installation

The worm copies its executable file to the Windows system directory as follows:

%System%\<rnd>.dll (<rnd> is a string of random symbols)

The worm creates a service to ensure it will be run each time Windows is launched on the victim machine. The following registry key is created:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]

The worm also modifies the following registry key value:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = "%System%\<rnd>.dll"
Network spreading

When infecting a computer, the worm launches an HTTP server on a random TCP port. This is then used to load the worm’s executable file to other computers.

The worm gets the IP addresses of computers in the same network as the victim machine and attacks them via a buffer overrun vulnerability in the Server service. (More details about this vulnerability can be found on the Microsoft site: www.microsoft.com).

The worm sends a specially crafted RPC request to remote machines, which causes a buffer overrun when the wcscpy_s function is called in netapi32.dll. This launches code which downloads the worm file, launches and installs it on the new victim machine.

In order to exploit the vulnerability described above, the worm attempts to connect to the Administrator account on the remote machine. The worm uses the following passwords to brute force the account:
99999999
9999999
999999
99999
9999
999
99
9
88888888
8888888
888888
88888
8888
888
88
8
77777777
7777777
777777
77777
7777
777
77
7
66666666
6666666
666666
66666
6666
666
66
6
55555555
5555555
555555
55555
5555
555
55
5
44444444
4444444
444444
44444
4444
444
44
4
33333333
3333333
333333
33333
3333
333
33
3
22222222
2222222
222222
22222
2222
222
22
2
11111111
1111111
111111
11111
1111
111
11
1
00000000
0000000
00000
0000
000
00
0987654321
987654321
87654321
7654321
654321
54321
4321
321
21
12
super
secret
server
computer
owner
backup
database
lotus
oracle
business
manager
temporary
ihavenopass
nothing
nopassword
nopass
Internet
internet
example
sample
love123
boss123
work123
home123
mypc123
temp123
test123
qwe123
abc123
pw123
root123
pass123
pass12
pass1
admin123
admin12
admin1
password123
password12
password1
default
foobar
foofoo
temptemp
temp
testtest
test
rootroot
root
fuck
zzzzz
zzzz
zzz
xxxxx
xxxx
xxx
qqqqq
qqqq
qqq
aaaaa
aaaa
aaa
sql
file
web
foo
job
home
work
intranet
controller
killer
games
private
market
coffee
cookie
forever
freedom
student
account
academia
files
windows
monitor
unknown
anything
letitbe
letmein
domain
access
money
campus
explorer
exchange
customer
cluster
nobody
codeword
codename
changeme
desktop
security
secure
public
system
shadow
office
supervisor
superuser
share
adminadmin
mypassword
mypass
pass
Login
login
Password
password
passwd
zxcvbn
zxcvb
zxccxz
zxcxz
qazwsxedc
qazwsx
q1w2e3
qweasdzxc
asdfgh
asdzxc
asddsa
asdsa
qweasd
qwerty
qweewq
qwewq
nimda
administrator
Admin
admin
a1b2c3
1q2w3e
1234qwer
1234abcd
123asd
123qwe
123abc
123321
12321
123123
1234567890
123456789
12345678
1234567
123456
12345
1234
123
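The dictionary above doubles as a specification of what a weak password looks like on the accounts this worm targets: repeated characters, digit runs, keyboard walks, a listed word, or a listed word with 1, 12 or 123 glued on. The following Python check is an added example, not Kaspersky's code; it generalizes those shapes rather than matching the list verbatim, so it also rejects combinations the list does not spell out. KIDO_WORDS is a constructed excerpt of the words in the list (plus the stems of its word+digit entries), and the sample passwords in the usage block are likewise constructed.

```python
"""Reject passwords that fit the patterns of the brute-force dictionary above.
Added example, not Kaspersky's code.  KIDO_WORDS is a constructed excerpt of
the words in that list (plus the stems of its word+digit entries); a real
deployment would load the complete published list."""
import re
from typing import List, Optional

KIDO_WORDS = {
    "admin", "administrator", "nimda", "password", "passwd", "pass", "login",
    "secret", "server", "computer", "owner", "backup", "database", "oracle",
    "manager", "temporary", "nopassword", "nopass", "ihavenopass", "default",
    "changeme", "letmein", "letitbe", "security", "secure", "public", "system",
    "shadow", "supervisor", "superuser", "mypassword", "mypass", "root", "test",
    "temp", "foo", "foobar", "internet", "intranet", "windows", "explorer",
    "exchange", "domain", "work", "home", "love", "boss", "mypc", "pw", "qwe",
    "q1w2e3", "a1b2c3", "1q2w3e",
}

# Keyboard rows and columns behind walks like qwerty, asdfgh, zxcvbn, qazwsxedc.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
KEYBOARD_COLUMNS = {"qaz", "wsx", "edc", "rfv", "tgb", "yhn", "ujm"}


def is_run(s: str) -> bool:
    """Monotone sequences: 123456, 4321, abcd, and the wrap-around 0987654321."""
    if len(s) < 2:
        return False
    if s.isdigit():
        steps = {(int(b) - int(a)) % 10 for a, b in zip(s, s[1:])}
        return steps in ({1}, {9})
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def is_keyboard_walk(s: str) -> bool:
    """Three or more adjacent keys along a row, or chained column walks."""
    if len(s) < 3:
        return False
    if any(s in row or s in row[::-1] for row in KEYBOARD_ROWS):
        return True
    chunks = [s[i:i + 3] for i in range(0, len(s), 3)]
    return len(s) % 3 == 0 and all(c in KEYBOARD_COLUMNS or c[::-1] in KEYBOARD_COLUMNS for c in chunks)


def is_trivial(segment: str) -> bool:
    """A segment the dictionary would cover: digits, a listed word, one repeated
    character, a run, a keyboard walk, or a doubled trivial segment (temptemp)."""
    if segment.isdigit() or segment in KIDO_WORDS:
        return True
    if len(set(segment)) == 1 or is_run(segment) or is_keyboard_walk(segment):
        return True
    half = len(segment) // 2
    return len(segment) % 2 == 0 and segment[:half] == segment[half:] and is_trivial(segment[:half])


def weakness(password: str) -> Optional[str]:
    """Reason the password matches the worm's dictionary shapes, or None if it
    does not.  Shapes are word, digits, word+digits or digits+word (at most
    three digit/non-digit segments), every segment trivial."""
    low = password.strip().lower()
    if not low:
        return "empty"
    if low in KIDO_WORDS:
        return "listed in the worm dictionary"
    segments: List[str] = re.findall(r"\d+|\D+", low)
    if len(segments) <= 3 and all(is_trivial(s) for s in segments):
        return "built only from trivial segments: " + " + ".join(segments)
    return None


def screen(candidates: List[str]) -> dict:
    """Map each candidate to its weakness reason (None for acceptable ones)."""
    return {pw: weakness(pw) for pw in candidates}


if __name__ == "__main__":
    # Constructed sample passwords, not from the worm's list.
    for pw, why in screen(["admin123", "qazwsxedc", "0987654321", "temptemp",
                           "1234qwer", "Tr0ub4dor&3", "correct horse battery staple"]).items():
        print(f"{pw!r:32} {'REJECT: ' + why if why else 'ok'}")
```

The check is deliberately narrow: it rejects exactly the shapes the worm's dictionary exercises (and their obvious extensions) and says nothing about other weak passwords, so it belongs beside a length and breach-list policy rather than in place of one.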
Spreading via removable storage media

The worm copies its executable file as follows:

<X>:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\<rnd>.vmx, where <rnd> is a string of random lower-case symbols and <X> is the disk letter.

The worm also places the following file in the root of each disk:
<X>:\autorun.inf

This ensures the worm’s executable file will be run each time the user opens the infected disk using Windows Explorer.
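A defender triaging removable media can parse the autorun.inf itself rather than trust what Explorer shows. The following Python parser is an added example, not Kaspersky's code; it reads the [autorun] section, then flags launch directives that point into a RECYCLER\S-... directory, that use rundll32 to load a file as a DLL, or whose target lacks a conventional executable extension. SAMPLE_AUTORUN is constructed for the example (the kqzpfwa.vmx name is made up, and the rundll32 invocation is an assumption about how a DLL payload would be started); it is not the worm's actual file.

```python
"""Parse an autorun.inf from removable media and flag the launch pattern
described above (a file under <X>:\\RECYCLER\\S-...\\ started through
autorun).  Added example, not Kaspersky's code.  SAMPLE_AUTORUN is
constructed, with a made-up random file name, and is not the worm's file."""
import ntpath
import re
from typing import Dict, List

SAMPLE_AUTORUN = """\
[autorun]
Action=Open folder to view files
Icon=%systemroot%\\system32\\shell32.dll,4
ShellExecute=RuNdLl32.EXE .\\RECYCLER\\S-5-3-42-2819952290-8240758988-879315005-3665\\kqzpfwa.vmx,ahaezedrn
UseAutoPlay=1
"""

# Keys that cause a program to run when the disk is opened.
LAUNCH_KEYS = {"open", "shellexecute"}
# Installers on vendor media launch a conventional executable; anything else is odd.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".msi"}
RECYCLER_SID = re.compile(r"\\recycler\\s-\d+(?:-\d+)+\\", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Key/value pairs of the [autorun] section, keys lower-cased.
    Lines that are not key=value are ignored, so padding does not break parsing."""
    values: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def audit_autorun(text: str) -> List[str]:
    """Findings for every launch directive: RECYCLER\\S-... paths, rundll32
    loading a file as a DLL, and targets without an executable extension."""
    findings: List[str] = []
    for key, value in parse_autorun(text).items():
        is_launch = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not is_launch:
            continue
        if RECYCLER_SID.search(value):
            findings.append(f"{key}: launches from a RECYCLER\\S-... path ({value})")
        tokens = value.replace('"', "").split()
        if not tokens:
            continue
        program = tokens[0].lower()
        via_rundll32 = program.startswith("rundll32") and len(tokens) > 1
        # rundll32 takes "<dll>,<entry point>"; the DLL is the real target.
        target = tokens[1].split(",")[0] if via_rundll32 else tokens[0]
        if via_rundll32:
            findings.append(f"{key}: rundll32 loads {target} as a DLL")
        ext = ntpath.splitext(target)[1].lower()
        if ext not in EXECUTABLE_EXTENSIONS:
            findings.append(f"{key}: target '{target}' has extension '{ext or '(none)'}'")
    return findings


if __name__ == "__main__":
    for finding in audit_autorun(SAMPLE_AUTORUN):
        print("-", finding)
```

On the constructed sample the audit returns three findings (RECYCLER path, rundll32 loader, .vmx extension); a vendor disk whose [autorun] section runs setup.exe returns none. Disabling autorun via policy remains the primary control; the parser is for triage of media that already reached a host.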
Payload

When launching, the worm injects its code into the address space of one of the “svchost.exe” system processes. This code is responsible for the worm’s malicious payload:

* Disables system restore
* Blocks addresses which contain the following strings:
indowsupdate
wilderssecurity
threatexpert
castlecops
spamhaus
cpsecure
arcabit
emsisoft
sunbelt
securecomputing
rising
prevx
pctools
norman
k7computing
ikarus
hauri
hacksoft
gdata
fortinet
ewido
clamav
comodo
quickheal
avira
avast
esafe
ahnlab
centralcommand
drweb
grisoft
eset
nod32
f-prot
jotti
kaspersky
f-secure
computerassociates
networkassociates
etrust
panda
sophos
trendmicro
mcafee
norton
symantec
microsoft
defender
rootkit
malware
spyware
virus

The worm also downloads a file from the link shown below:
http://trafficconverter.biz/*****/antispyware/loadadv.exe

This file is saved to the Windows system directory and then launched for execution. The link was not live at the time of writing.

The worm may also download files from links of the type shown below:
http://<URL>/search?q=<%rnd2%>

rnd2 is a random number. URL is a link formed by a special algorithm which uses the current date. The worm gets the current date from one of the sites listed below:
http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com

Files downloaded by the worm are saved to the Windows system directory with their original name.
Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, you can either use a special removal tool, which can be found here support.kaspersky.com or follow the instructions below:

1. Delete the system registry key shown below:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
2. Delete "%System%\<rnd>.dll" from the system registry key parameter shown below:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs"
3. Reboot the computer.
4. Delete the original worm file (the location will depend on how the malicious program penetrated the computer).
5. Delete the file shown below:

%System%\<rnd>.dll (<rnd> is a string of random symbols)
6. Delete the following files from all removable storage media:

<X>:\autorun.inf
<X>:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\<rnd>.vmx
(<rnd> is a string of random lower-case symbols; <X> is the disk letter)
7. Download and install operating system updates from the following link:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx


Source: www.viruslist.com

Net-Worm.Win32.Kido.dv

This worm spreads via local networks and removable storage media. It is a PE DLL file. The components of the worm are 165840 B. It is packed using UPX.
Installation

The worm copies its executable file as follows:
%System%\<rnd>.dll
%Program Files%\Internet Explorer\<rnd>.dll
%Program Files%\Movie Maker\<rnd>.dll
%All Users Application Data%\<rnd>.dll
%Temp%\<rnd>.dll
%System%\<rnd>.tmp
%Temp%\<rnd>.tmp

<rnd> is a string of random symbols

The worm creates a service to ensure it will be run each time Windows is launched on the victim machine. The following registry key is created:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]

The worm also modifies the following registry key value:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs" = "%System%\<rnd>.dll"
Network spreading

When infecting a computer, the worm launches an HTTP server on a random TCP port. This is then used to load the worm’s executable file to other computers.

The worm gets the IP addresses of computers in the same network as the victim machine and attacks them via a buffer overrun vulnerability (MS08-067) in the Server service. (More details about this vulnerability can be found on the Microsoft site: www.microsoft.com).

The worm sends a specially crafted RPC request to remote machines, which causes a buffer overrun when the wcscpy_s function is called in netapi32.dll. This launches code which downloads the worm file, launches and installs it on the new victim machine.

In order to exploit the vulnerability described above, the worm attempts to connect to the Administrator account on the remote machine. The worm uses the following passwords to brute force the account:
99999999
9999999
999999
99999
88888888
8888888
888888
88888
8888
888
88
8
77777777
7777777
777777
77777
7777
777
77
7
66666666
6666666
666666
66666
6666
666
66
6
55555555
5555555
555555
55555
5555
555
55
5
44444444
4444444
444444
44444
4444
444
44
4
33333333
3333333
333333
33333
3333
333
33
3
22222222
2222222
222222
22222
2222
222
22
2
11111111
1111111
111111
11111
1111
111
explorer
exchange
customer
cluster
nobody
codeword
codename
changeme
desktop
security
secure
public
system
shadow
office
supervisor
superuser
share
super
secret
server
computer
owner
backup
database
lotus
oracle
business
manager
temporary
ihavenopass
nothing
nopassword
nopass
Internet
internet
example
sample
love123
boss123
work123
home123
mypc123
temp123
test123
qwe123
abc123
pw123
root123
pass123
pass12
pass1
admin123
admin12
admin1
password123
password12
password1
9999
999
99
9
11
1
00000000
0000000
00000
0000
000
00
0987654321
987654321
87654321
7654321
654321
54321
4321
321
21
12
fuck
zzzzz
zzzz
zzz
xxxxx
xxxx
xxx
qqqqq
qqqq
qqq
aaaaa
aaaa
aaa
sql
file
web
foo
job
home
work
intranet
controller
killer
games
private
market
coffee
cookie
forever
freedom
student
account
academia
files
windows
monitor
unknown
anything
letitbe
letmein
domain
access
money
campus
default
foobar
foofoo
temptemp
temp
testtest
test
rootroot
root
adminadmin
mypassword
mypass
pass
Login
login
Password
password
passwd
zxcvbn
zxcvb
zxccxz
zxcxz
qazwsxedc
qazwsx
q1w2e3
qweasdzxc
asdfgh
asdzxc
asddsa
asdsa
qweasd
qwerty
qweewq
qwewq
nimda
administrator
Admin
admin
a1b2c3
1q2w3e
1234qwer
1234abcd
123asd
123qwe
123abc
123321
12321
123123
1234567890
123456789
12345678
1234567
123456
12345
1234
123
Spreading via removable storage media

The worm copies its executable file to all removable storage media as follows:
<X>:\RECYCLER\S-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>\<rnd>.vmx

<rnd> is a random string of lower-case symbols; <%d%> is a random number; <X> is the disk letter

The worm also places the following file in the root of each disk:
<X>:\autorun.inf

This ensures the worm’s executable file will be run each time the user opens the infected disk using Windows Explorer.
Payload

When launching, the worm injects its code into the address space of one of the “svchost.exe” system processes. This code is responsible for the worm’s malicious payload:

* Disables the following services:
wuauserv
BITS
* Blocks addresses which contain the following strings:
indowsupdate
wilderssecurity
threatexpert
castlecops
spamhaus
cpsecure
arcabit
emsisoft
sunbelt
securecomputing
rising
prevx
pctools
norman
k7computing
ikarus
hauri
hacksoft
gdata
fortinet
ewido
clamav
comodo
quickheal
avira
avast
esafe
ahnlab
centralcommand
drweb
grisoft
eset
nod32
f-prot
jotti
kaspersky
f-secure
computerassociates
networkassociates
etrust
panda
sophos
trendmicro
mcafee
norton
symantec
microsoft
defender
rootkit
malware
spyware
virus

The worm may also download files from links of the type shown below:
http://<URL>/search?q=<%rnd2%>

rnd2 is a random number. URL is a link formed by a special algorithm which uses the current date. The worm gets the current date from one of the sites listed below:
http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com

Downloaded files are saved to the Windows system directory with their original name.
Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, you can either use a special removal tool, which can be found here support.kaspersky.com or follow the instructions below:

1. Delete the system registry key shown below:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
2. Delete "%System%\<rnd>.dll" from the system registry key parameter shown below:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs"
3. Reboot the computer.
4. Delete the original worm file (the location will depend on how the malicious program penetrated the computer).
5. Delete copies of the worm:
%System%\<rnd>.dll
%Program Files%\Internet Explorer\<rnd>.dll
%Program Files%\Movie Maker\<rnd>.dll
%All Users Application Data%\<rnd>.dll
%Temp%\<rnd>.dll
%System%\<rnd>.tmp
%Temp%\<rnd>.tmp
(<rnd> is a random string of symbols)
6. Delete the files shown below from all removable storage media:
<X>:\autorun.inf
<X>:\RECYCLER\S-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>\<rnd>.vmx

<rnd> is a random string of lower-case symbols; <%d%> is a random number; <X> is the disk letter


Source: http://www.viruslist.com

Net-Worm.Win32.Kido.fx

This malicious program exploits the MS08-067 vulnerability to spread via network resources and removable storage media.

This modification of the worm is a Windows PE DLL file. The file is 158110 bytes in size. It is packed using UPX.
Installation

The worm copies its executable file with random names to the following directories:

%System%\dir.dll
%Program Files%\Internet Explorer\<rnd>.dll
%Program Files%\Movie Maker\<rnd>.dll
%All Users Application Data%\<rnd>.dll
%Temp%\<rnd>.dll
%System%\tmp
%Temp%\<rnd>.tmp

<rnd> is a random string of symbols.

In order to ensure that the worm is launched next time the system is started, it creates a system service which launches the worm’s executable file each time Windows is booted. The following registry key will be created:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]

The name of the service will be created from combining words from the list below:

Boot
Center
Config
Driver
Helper
Image
Installer
Manager
Microsoft
Monitor
Network
Security
Server
Shell
Support
System
Task
Time
Universal
Update
Windows
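Since the service name is assembled from that word list, the members of the "netsvcs" svchost group can be screened for names that decompose exactly into two or more of the words. The following Python script is an added example, not Kaspersky's code. SAMPLE_NETSVCS is a constructed multi-string of genuine Windows XP netsvcs members followed by two made-up worm-style names; a real audit would read the value from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost and compare hits against a clean reference host, because the heuristic alone cannot rule out a legitimate product that happens to use such a name.

```python
"""Flag svchost group members whose service name is assembled from the word
list above.  Added example, not Kaspersky's code.  SAMPLE_NETSVCS is a
constructed REG_MULTI_SZ: genuine XP 'netsvcs' members followed by two made-up
names in the worm's style."""
from typing import Dict, List, Optional

KIDO_WORDS = (
    "Boot", "Center", "Config", "Driver", "Helper", "Image", "Installer",
    "Manager", "Microsoft", "Monitor", "Network", "Security", "Server", "Shell",
    "Support", "System", "Task", "Time", "Universal", "Update", "Windows",
)

SAMPLE_NETSVCS = [
    "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "Dhcp", "Dnscache",
    "EventSystem", "helpsvc", "lanmanserver", "lanmanworkstation", "Netman",
    "Schedule", "ShellHWDetection", "W32Time", "wuauserv", "BITS",
    "SystemUpdate", "NetworkTimeHelper",   # constructed, worm-style names
]


def decompose(name: str) -> Optional[List[str]]:
    """Split name into list words that cover it exactly (case-insensitive);
    None when no such split exists.  Backtracks over every prefix choice."""
    if not name:
        return []
    low = name.lower()
    for word in KIDO_WORDS:
        if low.startswith(word.lower()):
            rest = decompose(name[len(word):])
            if rest is not None:
                return [word] + rest
    return None


def audit_netsvcs(members: List[str]) -> Dict[str, List[str]]:
    """Members built from two or more list words, with the split that matched.
    Single-word names are left alone; confirm hits against a known-good host."""
    hits: Dict[str, List[str]] = {}
    for name in members:
        parts = decompose(name)
        if parts and len(parts) >= 2:
            hits[name] = parts
    return hits


if __name__ == "__main__":
    for name, parts in audit_netsvcs(SAMPLE_NETSVCS).items():
        print(f"{name}: {' + '.join(parts)}")
```

Names such as ShellHWDetection survive the check because only a full decomposition into list words counts; the two constructed entries are reported with the split that matched.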

The worm also modifies the following system registry key value:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs" = "%System%\<rnd>.dll"

The worm hides its files in Explorer by modifying the registry key value shown below:
[HKCR\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "dword: 0x00000002"
"SuperHidden" = "dword: 0x00000000"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "dword: 0x00000000"

The worm flags its presence in the system by creating the unique identifier shown below:
Global\%rnd%-%rnd%
Propagation

In order to spread quickly via networks, the worm uses tcpip.sys functions to increase the number of potential network connections.

The worm connects to the servers shown below in order to determine the external IP address of the victim machine:

http://www.getmyip.org
http://www.whatsmyipaddress.com
http://www.whatismyip.org
http://checkip.dyndns.org

The worm then launches an HTTP server on a random TCP port; this is then used to download the worm's executable file to other computers.

Copies of the worm have the extensions listed below:

.bmp
.gif
.jpeg
.png

The worm gets the IP addresses of computers in the same network as the victim machine and attacks them via a buffer overrun vulnerability (MS08-067) in the Server service. More details about the vulnerability can be found here: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

The worm sends a specially crafted RPC request to TCP ports 139 (NetBIOS) and 445 (direct-hosted SMB) on remote machines. This causes a buffer overrun when the wcscpy_s function is called in netapi32.dll, which launches code that downloads the worm's executable file to the victim machine and launches it. The worm is then installed on the new victim machine.

The worm then hooks the NetpwPathCanonicalize API call (netapi.dll) to prevent buffer overruns caused by the absence of a check on the size of outgoing strings. By doing this, the worm makes repeat exploitation of the vulnerability impossible.

In order to speed up propagation, the worm modifies the following registry value:
[HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections" = "dword:0x00FFFFFE"

In order to exploit the vulnerability described above, the worm attempts to connect to the Administrator account on the remote machine. It searches the network for an appropriate machine and gets a list of users. It then attempts to brute force each user account using a built-in dictionary of weak passwords.

In order to gain administrator access, the worm copies itself to the following shared folders:
\\*\ADMIN$\System32\.
\\\IPC$\.

The worm can then be launched remotely or scheduled for remote launch using the following commands:
rundll32.exe ,
Spreading via removable storage media

The worm copies its executable file to all removable media under the following name:
:\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-%d%>-%d%>\.vmx
rnd is a string of random lower case letters; d is a random number; X is the disk (drive letter)

In addition to its executable file, the worm also places the file shown below in the root of every disk:
:\autorun.inf

This file will launch the worm's executable file each time Explorer is used to open the infected disk.
Payload

When launching, the worm injects its code into the address space of one of the “svchost.exe” system processes. (The worm may also write its code to the “explorer.exe” and “services.exe” processes.) This code delivers the worm's main malicious payload and:

1. disables the following services:

Windows Automatic Update Service (wuauserv)
Background Intelligent Transfer Service (BITS)
Windows Security Center Service (wscsvc)
Windows Defender Service (WinDefend, WinDefender)
Windows Error Reporting Service (ERSvc)
Windows Error Reporting Service (WerSvc)

2. blocks access to addresses which contain any of the strings listed below:

nai
ca
avp
avg
vet
bit9
sans
cert
windowsupdate
wilderssecurity
threatexpert
castlecops
spamhaus
cpsecure
arcabit
emsisoft
sunbelt
securecomputing
rising
prevx
pctools
norman
k7computing
ikarus
hauri
hacksoft
gdata
fortinet
ewido
clamav
comodo
quickheal
avira
avast
esafe
ahnlab
centralcommand
drweb
grisoft
eset
nod32
f-prot
jotti
kaspersky
f-secure
computerassociates
networkassociates
etrust
panda
sophos
trendmicro
mcafee
norton
symantec
microsoft
defender
rootkit
malware
spyware
virus

In Windows Vista, the worm disables autotuning of the TCP/IP stack, so that a fixed TCP window size is used, in order to speed up propagation over the network:
netsh interface tcp set global autotuning=disabled

The worm also hooks the following API calls (dnsrslvr.dll) in order to block access to the domains listed above:

DNS_Query_A
DNS_Query_UTF8
DNS_Query_W
Query_Main
sendto

The worm may also download files from links of the type shown below:
http:///search?q=<%rnd2%>

rnd2 is a random number; URL is a link generated by a special algorithm which uses the current date. The worm gets the current date from one of the sites shown below:

http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com
http://www.myspace.com
http://www.ebay.com
http://www.cnn.com
http://www.aol.com

Downloaded files are saved to the Windows system directory under their original names.
Removal instructions

If your computer does not have an up-to-date antivirus solution, or does not have an antivirus solution at all, you can either use a special removal tool (which can be found here: http://www.kaspersky.ru/support/wks6mp3/error?qid=208636215) or follow the instructions below:

1. Delete the following system registry key:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
2. Delete “%System%\.dll” from the system registry key value shown below:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"
3. Revert the following registry key values:
[HKCR\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "dword: 0x00000002"
"SuperHidden" = "dword: 0x00000000"

to

[HKCR\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "dword: 0x00000001"
"SuperHidden" = "dword: 0x00000001"

and

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "dword: 0x00000000"

to

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "dword: 0x00000001"
4. Reboot the computer.
5. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
6. Delete copies of the worm:

%System%\dir.dll
%Program Files%\Internet Explorer\
%Program Files%\Movie Maker\.dll
%All Users Application Data%\.dll
%Temp%\.dll
%System%\tmp
%Temp%\.tmp

is a random string of symbols.
7. Delete the files shown below from all removable storage media:
:\autorun.inf
:\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-%d%>-%d%>\.vmx
8. Download and install updates for the operating system:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
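As an added example, not part of the original description, here is a read-only PowerShell audit that checks a host for the registry values and removable-media files the description attributes to the worm (the TcpNumConnections and SvcHost changes above and the items in removal steps 2, 3 and 7). It assumes the Explorer "Advanced" values live under HKCU, where that per-user setting is stored, rather than the HKCR path printed above; it changes nothing on the host.

```powershell
# Added example (not from the original description): audit a host for the
# registry values and removable-media files described above. Read-only.
# Assumption: the Explorer "Advanced" values are per-user and live under HKCU.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function Find-WormIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # Removal step 3: Explorer forced to hide hidden and protected system files.
    # Hidden=2 / SuperHidden=0 are also the Windows defaults, so on their own they
    # are weak evidence; CheckedValue=0 under SHOWALL is the unusual one.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    if ((Get-RegValue $adv 'Hidden') -eq 2)      { $findings.Add('Explorer Hidden=2') }
    if ((Get-RegValue $adv 'SuperHidden') -eq 0) { $findings.Add('Explorer SuperHidden=0') }
    $showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    if ((Get-RegValue $showall 'CheckedValue') -eq 0) { $findings.Add('SHOWALL CheckedValue=0') }

    # Propagation tweak: TcpNumConnections raised to 0x00FFFFFE.
    $tcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    if ((Get-RegValue $tcp 'TcpNumConnections') -eq 0x00FFFFFE) {
        $findings.Add('Tcpip TcpNumConnections=0x00FFFFFE')
    }

    # Removal step 2: a DLL path registered in the SvcHost "netsvcs" group
    # (netsvcs is a multi-string list of service names; a .dll path there is abnormal).
    $svchost = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
    foreach ($entry in @(Get-RegValue $svchost 'netsvcs')) {
        if ($entry -and $entry -match '\.dll$') { $findings.Add("netsvcs entry is a DLL path: $entry") }
    }

    # Removal step 7: autorun.inf and RECYCLER\S-*\*.vmx on removable drives (DriveType 2).
    foreach ($drive in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2') {
        $root = $drive.DeviceID + '\'
        if (Test-Path (Join-Path $root 'autorun.inf')) { $findings.Add("$root autorun.inf present") }
        Get-ChildItem -Path (Join-Path $root 'RECYCLER') -Recurse -Filter '*.vmx' -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("vmx file under RECYCLER: $($_.FullName)") }
    }
    return $findings
}

$result = Find-WormIndicators
if ($result.Count -eq 0) { 'No indicators from the description found.' }
else { $result | ForEach-Object { "FINDING: $_" } }
```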

Source: http://www.viruslist.com