W32.Wapomi.C

Posted by cosik_ktosik (Administrator, Szczecin), 06 Jan 2011, 02:03

Name: W32.Wapomi.C
Type: Worm
Source: Symantec
System: Windows

Behaviour:
Once run, the worm checks the status of the following services:

    * AppMgmt (appmgmts.dll)
    * BITS (qmgr.dll)
    * Browser (browser.dll)
    * CryptSvc (cryptsvc.dll)
    * EventSystem (es.dll)
    * FastUserSwitchingCompatibility (shsvcs.dll)
    * helpsvc (pchsvc.dll)
    * Netman (netman.dll)
    * Nla (mswsock.dll)
    * Ntmssvc (ntmssvc.dll)
    * RemoteRegistry (regsvc.dll)
    * Schedule (schedsvc.dll)
    * SSDPSRV (ssdpsrv.dll)
    * Tapisrv (tapisrv.dll)
    * upnphost (upnphost.dll)
    * WmdmPmSN (mspmsnsv.dll)
    * xmlprov (xmlprov.dll)

When it finds a service that is not running, it replaces that service's DLL with a copy of itself and restarts the service.

Creates a file and hides Hacktool.Rootkit in it:
%Windir%\[RANDOM CHARACTERS].sys

Adds the following registry keys:

    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"ImagePath" = "%SystemRoot%\[RANDOM CHARACTERS].sys"
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"Start" = "3"
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"Type" = "1"

Modifies registry entries to disable antivirus protection:

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[CHINESE CHARACTERS].exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360se.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SoftMgrSvc.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360speedld.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwServ.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avfwsvc.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avshadow.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwengine.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilMsg.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksmgui.e\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksmsvc.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kswebshield.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcagent.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McNASvc.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcods.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qutmserv.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfCtlCom.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spideragent.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SpIDerMl.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spidernt.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderui.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TmProxy.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Twister.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UfSeAgnt.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe\"Debugger" = "ntsd -d"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe\"Debugger" = "ntsd -d"

Modifies the Safe Mode configuration keys:

    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

Also modifies the following entries:

    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\"Start" = "3"
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SW\{eec12db6-ad9c-4168-8658-b03daef417fe}\{ABD61E00-9350-47e2-A632-4438B90C6641}\"Service" = "drmkaud"

Alters network traffic by modifying the file:

%Windir%\drivers\etc\hosts.txt

Infects files in the following folders:

    * Common Files
    * ComPlus Applications
    * Documents and Settings
    * InstallShield Installation Information
    * Internet Explorer
    * Messenger
    * Microsoft FrontPage
    * Movie Maker
    * MSN Gaming Zone
    * NetMeeting
    * Outlook Express
    * RECYCLER
    * System Volume Information
    * WINDOWS
    * Windows Media Player
    * Windows NT
    * WinNT

The virus also attempts to infect executable files that are accessed on the compromised computer by appending its code to the body of the executable.

It can also infect the following file types:

    * htm
    * html
    * asp
    * aspx

On removable drives it installs itself as:

%DriveLetter%\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\uninstall.exe

The created folder may take on the Windows Recycle Bin icon.

On the removable drive it launches from:

%DriveLetter%\autorun.inf

It also attempts to infect executable files inside RAR archives on shared network drives.

To remove this malware, we advise describing your problem in the Security (Bezpieczeństwo) section of this forum.
Hotfix
Regards, cosik_ktosik :)
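A PowerShell audit for two of the artefacts listed in the post above: the Image File Execution Options "Debugger" values that redirect security products into ntsd (so the listed process never actually starts), and the kernel-driver service whose ImagePath points at a .sys file placed directly in %SystemRoot%. This is an added example, not code from the original post or from Symantec; it assumes an elevated PowerShell session on the host being inspected, and the function names are my own.

```powershell
# Added example (not from the original post or Symantec's writeup).
# Assumes an elevated PowerShell session; function names are hypothetical.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$SvcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-IfeoDebuggerHijack {
    # Any IFEO "Debugger" value on a non-developer box deserves a look; "ntsd -d"
    # is the exact value the post lists for the AV/firewall processes.
    Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Target      = $_.PSChildName          # e.g. 360tray.exe, avp.exe
                Debugger    = $dbg
                MatchesPost = [bool]($dbg -match '^\s*ntsd(\.exe)?\s+-d\b')
            }
        }
    }
}

function Get-SuspiciousDriverService {
    # Post's rogue service: Type 1 (kernel driver), Start 3 (demand start),
    # ImagePath = %SystemRoot%\<random>.sys. Legitimate drivers normally live
    # under system32\drivers, so a .sys directly in the Windows folder stands out.
    $pattern = '^(\\\?\?\\)?(%SystemRoot%|%Windir%|[A-Za-z]:\\Windows)\\[^\\]+\.sys$'
    Get-ChildItem -Path $SvcRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ImagePath -and $p.Type -eq 1 -and $p.ImagePath -match $pattern) {
            $disk = [Environment]::ExpandEnvironmentVariables(($p.ImagePath -replace '^\\\?\?\\', ''))
            [pscustomobject]@{
                Service   = $_.PSChildName
                ImagePath = $p.ImagePath
                Start     = $p.Start
                OnDisk    = Test-Path -LiteralPath $disk   # $false may mean a hidden (rootkit) file
            }
        }
    }
}

Get-IfeoDebuggerHijack      | Format-Table -AutoSize
Get-SuspiciousDriverService | Format-Table -AutoSize
```

Both functions only report; a hijacked entry is cleared with Remove-ItemProperty on the offending Debugger value once the infected files themselves have been dealt with.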

