W32/Elitper.F@MM
Name: W32/Elitper.F@MM
Aliases: W32.Elipter.F@mm, Email-Worm.Win32.Micsur.c
Type: Worm
Size: 36,055 bytes
Origin: Internet
Destructive: YES
In the wild: YES
Detection and removal: The Hacker 5.8, Virus Registry as of 23/05/2005

Description

W32/Elitper.F@MM is a worm that attempts to spread via MS Outlook and P2P file-sharing networks (Kazaa, Edonkey, Morpheus, etc.). The worm terminates processes, deletes files and changes the security settings of the attacked computer.

Email message characteristics:

Subject: Torrie Wilson And Stacy Keibler Nude Pictures

Body: If you're Under 18 Please Don't Download It

Attachment: Torrie & Stacy Nude ScreenSaver.exe

-----------------------------

When the worm runs, it copies itself to:

Note:

- %windows% represents the Windows installation folder (e.g. C:\WINDOWS, C:\WINNT)

- %Program Files% is the default folder where applications are installed.

 

It also modifies the following registry entries so that it is run at every system start:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Firewall"="%Program Files%\SP2 UPDATE.exe"
"Protection"="%Program Files%\Internet Explorer\Norton Internet Security.exe"
"SysRes"="%Program Files%\Internet Explorer\IExpIore .exe"


It also modifies the following values in an attempt to lower the security level of the attacked computer and to block the following tasks: running Task Manager, running the Registry Editor (Regedit), running programs through Start - Run, and Windows Update.

HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
"AntiVirusDisableNotify" = "1"
"FirewallDisableNotify" = "1"
"FirewallOverride" = "1"
"AntiVirusOverride" = "1"
"UpdatesDisableNotify" = "1"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
"wscsvc" = "4"

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall
"DomainProfile" = "0"

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
"EnableFirewall" = "0"

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
"NoFileOpen" = "1"
"NoPrinting" = "1"
"NoBrowserSaveAs" = "1"
"NoBrowserClose" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableRegistryTools" = "1"
"DisableTaskMgr" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"DisallowRun" = "1"
"NoRun" = "1"
"NoFind" = "1"
"NoCloseKey" = "1"
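A defender-side check for the settings listed above, added here as an example and not part of the HackSoft description: it scans a registry export in the .reg text format and reports every value that matches what the worm writes. The export inside the block is constructed for the demo, and WORM_VALUES encodes only a subset of the keys above; the remaining entries can be added in the same form.

```python
import re
# (key, value name) -> value the worm writes, taken from the description above.
WORM_VALUES = {
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center", "AntiVirusDisableNotify"): "1",
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center", "FirewallDisableNotify"): "1",
    (r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall"): "0",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): "1",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "DisallowRun"): "1",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Firewall"): r"%Program Files%\SP2 UPDATE.exe",
}
KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\Key]
VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')    # "Name"=dword:... or "Name"="..."

def normalize(raw):
    """Reduce a .reg value literal to the plain form used in the description."""
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))               # dword:00000001 -> "1"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\")     # unescape REG_SZ backslashes
    return raw

def parse_reg(text):
    """Yield (key, name, value) for every value line in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VAL_RE.match(line)):
            yield key, m.group(1), normalize(m.group(2))

def audit_reg_export(text):
    """Return (key, name, value) triples matching the worm's settings; names compare case-insensitively."""
    wanted = {(k.lower(), n.lower()): v for (k, n), v in WORM_VALUES.items()}
    return [(k, n, v) for k, n, v in parse_reg(text)
            if wanted.get((k.lower(), n.lower())) == v]

# Constructed .reg export for the demo, not taken from a real infected system.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Firewall"="%Program Files%\\SP2 UPDATE.exe"
"""
```

Running `audit_reg_export(SAMPLE_EXPORT)` on the sample reports three hits (the two "1" policy values and the Run entry) and ignores the FirewallDisableNotify value that is still 0.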

 

It copies itself into the shared folder of P2P file-sharing programs (KaZaA, KaZaA Lite, BearShare, Edonkey2000, Grokster, KMD, Shareaza and Morpheus) under the file name "Torrie & Stacy Nude ScreenSaver.exe".

It then modifies the following registry entry to make sure that the files in the KaZaA shared folder are shared:

HKEY_CURRENT_USER\Software\Kazaa\LocalContent
"DisableSharing"="0"

Next it copies a text file into the root folder of the computer under the file name "Virus Detected.txt".

It also modifies the mIRC SCRIPT.INI file, if it exists on the attacked computer, adding an entry through which it will try to send itself whenever the user joins a chat channel.

It also modifies the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
"RegisteredOwner"="surconfluge"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
"ComputerName" = "surconfluge"

 

Next it adds registry entries so that the following programs cannot be run:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
"1" = "notepad.exe"
"2" = "wordpad.exe"
"3" = "regedit.exe"
"4" = "msnmsgr.exe"
"5" = "msmsgs.exe"
"6" = "gp4.exe"
"7" = "help.exe"
"8" = "wmplayer.exe"
"10" = "excel.exe"
"11" = "winword.exe"
"12" = "winhelp.exe"
"13" = "wmplayer.exe"
"14" = "winrar.exe"
"15" = "winzip.exe"
"16" = "CLEAN_NOTEPAD.EXE"
"17" = "ACDSee6.exe"
"18" = "acrord32.exe"
"19" = "ntbackup.exe"
"20" = "moviemk.exe"
"21" = "defrag.exe"
"23" = "netstat.exe"
"25" = "lupdate"
"26" = "shutdown.exe"
"27" = "sndvol32.exe"
"28" = "sndrec32.exe"
"30" = "write.exe"
"32" = "dxdiag.exe"
"33" = "ntbackup.exe"
"38" = "dialer.exe"
"39" = "findstr.exe"
"40" = "dllhost.exe"
"44" = "print.exe"
"45" = "trendmicro.com"
"46" = "UPX-iT.exe"
"47" = "NAVW32.exe"
"48" = "NAVWNT.exe"
"49" = "NAVSTUB.exe"
"50" = "navui.nsi"
"51" = "CCIMSCN.exe"
"52" = "MSDEV.exe"
"54" = "chktrust.exe"
"55" = "apssm.exe"
"56" = "SNDSrvc.exe"
"57" = "NMain.exe"
"58" = "Ra2.exe"
"59" = "vfp6.exe"
"60" = "setup.exe"
"61" = "install.exe"
"62" = "savscan.exe"
"67" = "ad-aware.exe"
"68" = "remove.exe"
"69" = "uninstall.exe"
"70" = "NeroStartSmart.exe"
"71" = "uninst.exe"
"72" = "isuninst.exe"
"75" = "aawsepersonal.exe"
"76" = "avast.exe"
"78" = "keygen.exe"
"80" = "cmd.exe"
"81" = "project1.exe"
"82" = "1.exe"
"83" = "program.exe"
"84" = "application.exe"
"85" = "file.exe"
"86" = "browser.exe"
"87" = "UNWISE.exe"
"88" = "play.exe"
"89" = "directcd.exe"
"90" = "bind.exe"
"91" = "VPC32.exe"
"92" = "VPDN_LU.exe"
"93" = "VPTRAY.exe"
"94" = "DefWatch.exe"
"95" = "DoScan.exe"
"96" = "Integrator.exe"
"97" = "swdoctor.exe"
"98" = ".exe"
"99" = ".exe"
"100" = ".exe"

It will try to terminate the following processes using TASKKILL


Finally, the worm overwrites the HOSTS file located in %system%\drivers\etc\ in order to redirect URLs to localhost (127.0.0.1).

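The HOSTS overwrite can be checked offline. The following is an added example (not HackSoft code) that flags every name a HOSTS file pins to a loopback address other than the usual local aliases; the description does not name the redirected sites, so the sample HOSTS content below is constructed with placeholder names.

```python
import ipaddress

# Names that legitimately resolve to loopback in a stock HOSTS file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def loopback_redirects(hosts_text):
    """Return [(name, address)] for each name mapped to a loopback address
    that is not one of the normal local aliases."""
    findings = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                continue                        # points elsewhere, not our concern here
        except ValueError:
            continue                            # malformed line, first token is not an IP
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                findings.append((name, addr))
    return findings

# Constructed sample: a HOSTS file that keeps the stock localhost lines and adds
# redirections of the kind described above (the site names are placeholders).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       vendor-update.example   # placeholder vendor site
127.0.0.1       www.av-vendor.example
::1             localhost
"""
```

On the sample, `loopback_redirects(SAMPLE_HOSTS)` returns the two placeholder sites and nothing for the localhost lines.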
All rights reserved 1992/2005 HackSoft S.R.L. Lima-Perú