04-06-04 - Worm/Padobot.F
Risk: LOW
Alias: W32.Korgo.F
Type: Internet Worm
Size: 10,752 bytes
Platform: Windows XP, Windows Server 2003

Description:
Worm/Padobot.F is an Internet worm that spreads by exploiting a known vulnerability in the Windows LSASS (Local Security Authority Subsystem Service). This vulnerability allows complete control of an affected system: someone with malicious intent can execute code of their choice on the compromised system.
This worm affects users running Windows 2000, Windows XP, and Windows 2003 Server. The Windows patch can be installed from the following location:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
If executed, the worm first attempts to delete the file "ftpupd.exe" from the directory in which it was executed. It then searches for and deletes the following values under the registry key:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"system service manager"
"system Restore service"
"Loader"
"Windows update service"
"WinUpdate"
"Windows Security manager"
"avserve.exe"
"avserve2.exe"
It then checks whether the following registry entry is already present:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"disk Defragmenter"="%%"
If it is not present, the worm adds the following registry entry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless
"Client"="1"
If the registry entry "disk Defragmenter" is present, the worm generates a random filename and copies itself into the Windows system directory under that name. It then creates the following registry entry so that the copy runs at startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"disk Defragmenter"="%System%\%random_name%.exe"
The worm tries to present itself as the EXPLORER.EXE process. This is done so that it avoids being noticed in the task list and is not easily recognized.
Worm/Padobot.F listens on the following TCP ports:
- 113
- 3067
If the worm succeeds in communicating over those ports, it tries to upload a copy of itself. It also tries to establish a connection to a list of IRC servers on TCP port 6667.
The worm then starts an attack on TCP port 445 using Microsoft's LSASS vulnerability. If successful, the contacted computer connects back to the host system to download the worm.
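As an added example (not part of this description or of any vendor's tooling), the following Python checker looks for the indicators described above in the text printed by `reg query <key> /s` and `netstat -an`: the "disk Defragmenter" Run value, the Wireless\Client marker, listeners on TCP 113 and 3067, and outbound connections to TCP 6667. The registry and netstat samples are constructed, and the random filename in them is a placeholder.

```python
import re

# Indicators from the Padobot.F description: Run value "disk Defragmenter", Wireless\Client marker, listeners on TCP 113/3067, outbound IRC on 6667.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WIRELESS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless"
LISTEN_PORTS = {113, 3067}
VALUE_RE = re.compile(r"\s+(.+?)\s+(REG_\w+)\s+(.*)$")  # "    name    REG_SZ    data"

def check_reg_query(output):
    """Scan text in the layout printed by `reg query <key> /s`; return findings."""
    findings, key = [], None
    for line in output.splitlines():
        if line.startswith("HKEY_"):  # key header line, its values follow indented
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, _, data = m.groups()
        if key == RUN_KEY and name.lower() == "disk defragmenter":
            findings.append("Run value 'disk Defragmenter' -> " + data.strip())
        if key == WIRELESS_KEY and name.lower() == "client" and data.strip() == "1":
            findings.append("marker " + WIRELESS_KEY + "\\Client = 1")
    return findings

def check_netstat(output):
    """Scan `netstat -an` text for the worm's listeners and IRC connections."""
    findings = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        local_port = int(parts[1].rsplit(":", 1)[1])
        remote_port = int(parts[2].rsplit(":", 1)[1])
        if parts[3] == "LISTENING" and local_port in LISTEN_PORTS:
            findings.append("listener on TCP " + str(local_port))
        elif parts[3] == "ESTABLISHED" and remote_port == 6667:
            findings.append("outbound IRC connection to " + parts[2])
    return findings

# Constructed sample output, not taken from a real host; xkqzw.exe is a placeholder name.
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    disk Defragmenter    REG_SZ    C:\WINDOWS\system32\xkqzw.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless
    Client    REG_SZ    1
"""
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.7:6667       ESTABLISHED
"""
```

Run both checkers over the output captured from a suspect host; any finding should be followed up by locating the Run value's target file and the process that owns the listening socket.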

Useful links:
http://punto-informatico.it/salvapc/index.asp
http://www.centralcommand.com/virus_descriptions.html