Tom Emmelot wrote:
Hello Li Zhou,
thank you for sending the virus!!!!!!!!
My virus scanner just caught it and the info is here:
http://uk.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?VName=WORM_SDBOT.BKC
msnmsgr.exe is normal MSN messenger program!
Regards >*< TOM >*<
Li Zhou wrote:
Yes, this should be it. It is in trendmicro database since June 23rd,
but not detected by Microsoft Antispyware yet.
I am more concerned that my Windows 2000 is patched and has no password
identical to those listed below, so how did the virus get in?
Details:
Arrival, Installation, and Autostart Technique
This worm arrives through network shares. Upon execution, it drops a
copy of itself in the Windows system folder as MSNMSGR.EXE.
It creates the following registry entries so that it runs as a service
at every system startup:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\apee
    Type = "dword:00000020"
    Start = "dword:00000002"
    ErrorControl = "dword:00000001"
    ImagePath = "hex(2):22,43,3a,5c,57,49,4e,44,4f,57,53,5c,53,79,73,74,65,6d,33,32,5c,6d,73,6e,6d,73,67,72,2e,65,78,65,22,20,2d,6e,65,74,73,76,63,73,00,"
    DisplayName = "Logical Disk Manager Provider"
    ObjectName = "LocalSystem"
Network Propagation and Exploits
This worm spreads through network shares. It generates IP addresses and
drops a copy of itself in the default shares of the target addresses. It
uses a list of user names and passwords to gain access to restricted shares.
It searches for the following shares:
* ADMIN$
* C$
* D$
* IPC$
It uses the following user names and passwords:
* 000000
* 00000000
* 11111
* 111111
* 11111111
* 12345
* 123456
* 1234567
* 12345678
* 1234qwer
* 123abc
* 123asd
* 123qwe
* 5201314
* 54321
* 654321
* 888888
* 88888888
* abc123
* admin
* asdfgh
* computer
* database
* default
* Internet
* manager
* oracle
* passwd
* password
* private
* public
* secret
* security
* server
* super
* sybase
It exploits the following vulnerabilities to propagate:
* RPCSS vulnerability
* Windows LSASS vulnerability
More information can be found in the following pages:
* Microsoft Security Bulletin MS03-039
* Microsoft Security Bulletin MS04-011
Backdoor Capabilities
This worm has backdoor capabilities. It connects to an Internet Relay
Chat (IRC) server and joins a channel. Once connected, it listens for
commands coming from a remote malicious user, and it executes these
commands on the affected system.
It executes the following commands:
* Connect to certain Web sites
* Download/Open files
* List processes
* Perform basic IRC commands
* Update the malware
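The service entries quoted above are exactly the kind of artefact a responder would pull from a suspect Windows 2000 host. Below is an added example, not part of this thread nor of Trend Micro's write-up, that parses a REGEDIT4-style export of those entries, decodes the hex(2) ImagePath, and applies a few triage heuristics. The sample input is constructed from the values quoted in the thread; the code assumes the ANSI (REGEDIT4) .reg encoding, so each hex(2) byte is one character (Unicode .reg exports use UTF-16LE instead). The heuristics (a service whose binary is msnmsgr.exe, a "netsvcs" argument on a binary that is not svchost.exe, an auto-start LocalSystem service) are this example's own checks, not rules from the write-up.

```python
"""Decode and triage Windows service registry entries (added example).

Not code from the mailing-list thread or from Trend Micro. Input format is the
REGEDIT4 (ANSI) .reg syntax; hex(2) values are assumed to be single-byte ANSI
text (Unicode .reg exports would need UTF-16LE decoding instead).
"""
import re

# Constructed from the registry values quoted in the thread, in REGEDIT4 syntax.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\apee]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):22,43,3a,5c,57,49,4e,44,4f,57,53,\
  5c,53,79,73,74,65,6d,33,32,5c,6d,73,6e,6d,73,67,72,2e,\
  65,78,65,22,20,2d,6e,65,74,73,76,63,73,00
"DisplayName"="Logical Disk Manager Provider"
"ObjectName"="LocalSystem"
'''

SERVICE_AUTO_START = 2  # Start=2 means the service starts at every boot


def _join_continuations(text):
    """Merge .reg lines that end in a backslash with the following line."""
    lines, buf = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith('\\'):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ''
    if buf:
        lines.append(buf)
    return lines


def decode_value(raw):
    """Turn a .reg value literal into a Python int or str."""
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    if raw.startswith('hex(2):') or raw.startswith('hex:'):
        hexpart = raw.split(':', 1)[1]
        data = bytes(int(h, 16) for h in hexpart.split(',') if h)
        # REG_EXPAND_SZ is NUL-terminated; ANSI bytes assumed (see module docstring)
        return data.split(b'\x00', 1)[0].decode('latin-1')
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw


def parse_reg(text):
    """Parse a minimal REGEDIT4 export into {key_path: {value_name: value}}."""
    result, current = {}, None
    for line in _join_continuations(text):
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            result[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m and current is not None:
            result[current][m.group(1)] = decode_value(m.group(2))
    return result


def split_image_path(image):
    """Split an ImagePath into (executable, arguments), honouring quotes."""
    image = image.strip()
    if image.startswith('"'):
        end = image.find('"', 1)
        if end != -1:
            return image[1:end], image[end + 1:].strip()
    parts = image.split(None, 1)
    if not parts:
        return '', ''
    return parts[0], (parts[1] if len(parts) > 1 else '')


def triage_service(values):
    """Return a list of indicator strings for one service's decoded values."""
    findings = []
    exe, args = split_image_path(values.get('ImagePath', ''))
    exe_name = exe.replace('/', '\\').rsplit('\\', 1)[-1].lower()
    if exe_name == 'msnmsgr.exe':
        findings.append('ImagePath runs msnmsgr.exe as a service '
                        '(the worm drops itself under that name in the system folder)')
    # Legitimate hosting looks like "svchost.exe -k netsvcs"; the name on any
    # other binary is mimicry (heuristic, this example's own assumption).
    if 'netsvcs' in args.lower() and exe_name != 'svchost.exe':
        findings.append('netsvcs argument passed to a non-svchost binary')
    if (values.get('Start') == SERVICE_AUTO_START
            and str(values.get('ObjectName', '')).lower() == 'localsystem'):
        findings.append('auto-start service running as LocalSystem')
    return findings


def triage(text):
    """Parse a .reg export and return {key_path: [findings]}."""
    return {key: triage_service(vals) for key, vals in parse_reg(text).items()}


if __name__ == '__main__':
    for key, findings in triage(SAMPLE_REG).items():
        print(key)
        for f in findings:
            print('  -', f)
```

Running the script on the constructed input decodes the ImagePath to `"C:\WINDOWS\System32\msnmsgr.exe" -netsvcs` and reports all three indicators for the `apee` service; the same parser can be pointed at a real `reg export HKLM\SYSTEM\CurrentControlSet\Services` dump to sweep every service on a host.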