Description:
Worm/Lovgate.BJ is a memory-resident, network-aware Internet worm that spreads over open network shares as well as over e-mail, using its own SMTP engine.
If executed, the worm copies itself into the \windows\%system% directory under the following filenames:
- TkBellExe.exe
- Update_OB.exe
- hxdef.exe
- real.exe
- IEXPLORE.EXE
- kernel66.dll
It also copies itself to:
- C:\Windows\Video.EXE
- In the root of all drives under the filename "upDate.exe"
The following files are added:
- C:\Windows\system32\ODBC16.dll
- C:\Windows\system32\msjdbc11.dll
- C:\Windows\system32\MSSIGN30.DLL
- C:\Windows\system32\winPatch.dll
- C:\Windows\Office.exe
- In the root of all drives under the filename "AUTORUN.INF"
It replaces all .exe files in every directory it locates under C:\Documents and Settings\ with the file "Office.exe". The replaced files keep their original filenames, but their file sizes vary.
It then adds the following registry keys to make sure the worm is executed each time Windows is restarted:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WinHelp"="C:\\WINDOWS\\System32\\TkBellExe.exe"
"Soft Profile Inc"="C:\\WINDOWS\\System32\\hxdef.exe"
"Microsoft Inc."="iexplorer.exe"
"VFW Encoder/Decoder Settings"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"Program In Windows"="C:\\WINDOWS\\System32\\IEXPLORE.EXE"
"Protected Storage"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
"run"="real.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices
"SystemTra"="C:\\WINDOWS\\Video.EXE"
"Installed shell32.dll"="Office.exe"
The following key modification allows it to execute each time a .txt file is opened:
- HKEY_CLASSES_ROOT\txtfile\shell\open\command
@="Update_OB.exe %1"
The following keys are also added:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):52,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,\
78,00,65,00,20,00,6d,00,73,00,6a,00,64,00,62,00,63,00,31,00,31,00,2e,00,64,\
00,6c,00,6c,00,20,00,6f,00,6e,00,64,00,6c,00,6c,00,5f,00,73,00,65,00,72,00,\
76,00,65,00,72,00,00,00
"DisplayName"="_reg"
"ObjectName"="LocalSystem"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg\Security
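As an added example (not part of the original description), the following Python triage script parses a .reg export, decodes the hex(2) ImagePath above into its Rundll32 command line, and flags autostart entries that reference the filenames and rundll32 exports listed in this write-up. The SAMPLE_REG text is constructed from the keys above plus one benign entry, and the LOVGATE_NAMES list is assembled from this page.

```python
# Constructed sample of a .reg export (hypothetical host data, not a real capture).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinHelp"="C:\\WINDOWS\\System32\\TkBellExe.exe"
"VFW Encoder/Decoder Settings"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"Harmless"="C:\\Program Files\\Vendor\\tray.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="Update_OB.exe %1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg]
"ImagePath"=hex(2):52,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,\
  78,00,65,00,20,00,6d,00,73,00,6a,00,64,00,62,00,63,00,31,00,31,00,2e,00,64,\
  00,6c,00,6c,00,20,00,6f,00,6e,00,64,00,6c,00,6c,00,5f,00,73,00,65,00,72,00,\
  76,00,65,00,72,00,00,00
"ObjectName"="LocalSystem"
'''

# Filenames and rundll32 export names this write-up attributes to Lovgate.BJ.
LOVGATE_NAMES = ("tkbellexe.exe", "update_ob.exe", "hxdef.exe", "real.exe",
                 "kernel66.dll", "video.exe", "office.exe", "update.exe",
                 "mssign30.dll", "msjdbc11.dll", "ondll_reg", "ondll_server")

def parse_reg(text):
    """Return (key, value_name, decoded_value) tuples from .reg export text;
    continuation lines, REG_SZ escapes and hex(2) UTF-16LE data are decoded."""
    key, buf, entries = None, "", []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("[") and not buf:   # new key header
            key = line[1:-1]
            continue
        buf += line                             # start or continue a value line
        if buf.endswith("\\"):                  # hex data continues on next line
            buf = buf[:-1]
            continue
        name, _, val = buf.partition("=")
        buf = ""
        name = "(Default)" if name == "@" else name.strip('"')
        if val.startswith('"'):                 # REG_SZ: unescape \\ and \"
            val = val[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif val.startswith("hex(2):"):         # REG_EXPAND_SZ: decode UTF-16LE
            data = bytes(int(h, 16) for h in val[7:].split(",") if h)
            val = data.decode("utf-16-le").rstrip("\x00")
        entries.append((key, name, val))        # other types stay as raw text
    return entries

def find_lovgate_persistence(text):
    """Flag entries whose decoded data names an artefact from this write-up."""
    return [(k, n, v) for k, n, v in parse_reg(text)
            if any(name in f"{n}={v}".lower() for name in LOVGATE_NAMES)]
```

Running find_lovgate_persistence(SAMPLE_REG) returns the two Run values, the hijacked txtfile command and the _reg service ImagePath (decoded to "Rundll32.exe msjdbc11.dll ondll_server"), while the benign tray.exe entry and ObjectName are not flagged.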