  • Polesz

    addict

    reply to Polesz's message #24

    Technical Description

    The executable has a size of around 70KB and is packed with TELock. It has its own SMTP engine, as well as routines to query DNS servers directly and to make requests using the Network Time Protocol.

    The worm also has updating capabilities. It will attempt to download updated versions when certain conditions are met.

    Deactivation routine

    The worm will stop spreading on 10th of September 2003. From this date onwards the worm will exit immediately when executed.

    Infection

    It will install itself into:
    %windir%\winppr32.exe

    It then adds the following keys to the Windows Registry:

    [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc

    So it's started when Windows does.

    Mail spreading

    The worm usually arrives in e-mails with the following characteristics:

    From:

    The 'From:' field is filled with an address found on the infected system.
    If no address is found, it will use "admin@internet.com".

    To:

    The 'To:' field is filled with an address found on the infected system.

    Subject, any from the list:

    Re: Thank you!
    Thank you!
    Your details
    Re: Details
    Re: Re: My details
    Re: Approved
    Re: Your application
    Re: Wicked screensaver
    Re: That movie

    Body, one of the following two lines:

    See the attached file for details
    Please see the attached file for details.

    Attachment name

    The name is selected from the following list:

    your_document.pif
    document_all.pif
    thank_you.pif
    your_details.pif
    details.pif
    document_9446.pif
    application.pif
    wicked_scr.scr
    movie0045.pif

    Detection

    W32/Sobig.F@mm is detected by the latest version of F-Prot Antivirus using virus signature files dated 19 August 2003 or later.
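The mail characteristics quoted in the post above (subject list, attachment names, body lines, fallback sender) can be turned into a small mail-gateway indicator matcher. The following is an added example, not code from the original post or from F-Prot: it copies the indicator lists from the description, parses messages with Python's standard `email` module, and runs over two constructed sample messages (not real captures). The verdict rule in `is_sobig_f` is my own assumption: a listed attachment name is decisive by itself, while a bare .pif/.scr attachment only counts together with a matching subject or body, because subjects like "Re: Your application" also occur in legitimate mail.

```python
# Added example, not part of the original post or of F-Prot's description.
# It turns the mail characteristics listed above into a small indicator
# matcher and runs it over two constructed sample messages.
import email
from email import policy

# Indicator lists copied from the description above.
SUBJECTS = {
    "Re: Thank you!", "Thank you!", "Your details", "Re: Details",
    "Re: Re: My details", "Re: Approved", "Re: Your application",
    "Re: Wicked screensaver", "Re: That movie",
}
ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}
BODIES = {
    "See the attached file for details",
    "Please see the attached file for details.",
}
FALLBACK_FROM = "admin@internet.com"


def parse(raw):
    """Parse a raw RFC 822 message into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def attachment_names(msg):
    """File names of all attachments, lower-cased for matching."""
    return [p.get_filename().lower()
            for p in msg.iter_attachments() if p.get_filename()]


def score(msg):
    """Return the list of Sobig.F indicators matched by one message."""
    hits = []
    if msg.get("Subject", "").strip() in SUBJECTS:
        hits.append("subject")
    names = attachment_names(msg)
    if any(n in ATTACHMENTS for n in names):
        hits.append("attachment-name")
    elif any(n.endswith((".pif", ".scr")) for n in names):
        hits.append("attachment-ext")       # right extension, unlisted name
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    if text in BODIES:
        hits.append("body")
    if msg.get("From", "").strip() == FALLBACK_FROM:
        hits.append("fallback-from")
    return hits


def is_sobig_f(msg):
    """Verdict rule (my assumption, not from the description): a listed
    attachment name is decisive on its own; a mere .pif/.scr attachment
    needs a matching subject or body as well, because the subjects are
    ordinary business phrases that also match legitimate mail."""
    hits = set(score(msg))
    if "attachment-name" in hits:
        return True
    return "attachment-ext" in hits and bool(hits & {"subject", "body"})


# Constructed sample messages (not real captures).
SAMPLE_INFECTED = """From: someone@example.org
To: victim@example.org
Subject: Re: Wicked screensaver
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached file for details.
--b1
Content-Type: application/octet-stream; name="wicked_scr.scr"
Content-Disposition: attachment; filename="wicked_scr.scr"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

SAMPLE_CLEAN = """From: alice@example.org
To: bob@example.org
Subject: Re: Thank you!

Thanks again for the review, see you Monday.
"""

if __name__ == "__main__":
    for name, raw in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        m = parse(raw)
        print(f"{name}: hits={score(m)} verdict={is_sobig_f(m)}")
```

Run it directly to see the hit list and verdict for both samples. The clean message matches on subject alone and is not flagged; the infected one matches subject, listed attachment name and body. In a real gateway the attachment-name and extension checks are the ones worth keeping, since the worm's subjects and bodies are generic enough to produce false positives on their own.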