
02-02-2004, 10:18 PM
gala (offline)
Active member
Member number: 338
Join date: Jun 2003
Posts: 113
Likes: 2
Received 6 likes on 2 posts
Received invitations to: 0 topics
#1

W32.HLLW.Gaobot.O


W32.HLLW.Gaobot.O
MCID: 2481

Discovered: 1/30/2004
Origin: Unknown
Last Update: 1/30/2004 9:35:14 PM
Types: Back Door, DDoS, Worm
Features: Extensible, Memory Resident, Persistent

Risk: 2/5 (Low)    Severity: 9.0

Impact: 9.4    Contagion Potential: 8.6    Wild: Low

Last Change: Initial analysis.

Aliases
-------
WORM_AGOBOT.O

Infection Targets
-----------------
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP4
Microsoft Windows 95
Microsoft Windows 95 SR2
Microsoft Windows 98
Microsoft Windows 98SE
Microsoft Windows ME
Microsoft Windows NT Enterprise Server 4.0.0
Microsoft Windows NT Enterprise Server 4.0.0 SP1
Microsoft Windows NT Enterprise Server 4.0.0 SP2
Microsoft Windows NT Enterprise Server 4.0.0 SP3
Microsoft Windows NT Enterprise Server 4.0.0 SP4
Microsoft Windows NT Enterprise Server 4.0.0 SP5
Microsoft Windows NT Enterprise Server 4.0.0 SP6
Microsoft Windows NT Enterprise Server 4.0.0 SP6a
Microsoft Windows NT Server 4.0.0
Microsoft Windows NT Server 4.0.0 SP1
Microsoft Windows NT Server 4.0.0 SP2
Microsoft Windows NT Server 4.0.0 SP3
Microsoft Windows NT Server 4.0.0 SP4
Microsoft Windows NT Server 4.0.0 SP5
Microsoft Windows NT Server 4.0.0 SP6
Microsoft Windows NT Server 4.0.0 SP6a
Microsoft Windows NT Terminal Server 4.0.0
Microsoft Windows NT Terminal Server 4.0.0 SP1
Microsoft Windows NT Terminal Server 4.0.0 SP2
Microsoft Windows NT Terminal Server 4.0.0 SP3
Microsoft Windows NT Terminal Server 4.0.0 SP4
Microsoft Windows NT Terminal Server 4.0.0 SP5
Microsoft Windows NT Terminal Server 4.0.0 SP6
Microsoft Windows NT Workstation 4.0.0
Microsoft Windows NT Workstation 4.0.0 SP1
Microsoft Windows NT Workstation 4.0.0 SP2
Microsoft Windows NT Workstation 4.0.0 SP3
Microsoft Windows NT Workstation 4.0.0 SP4
Microsoft Windows NT Workstation 4.0.0 SP5
Microsoft Windows NT Workstation 4.0.0 SP6
Microsoft Windows NT Workstation 4.0.0 SP6a
Microsoft Windows XP Home
Microsoft Windows XP Home SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Professional
Microsoft Windows XP Professional SP1

Summary
-------
W32.HLLW.Gaobot.O is a worm that spreads through open network shares and
three Windows vulnerabilities. The vulnerabilities it exploits are the
Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID
8205), the Microsoft Windows Locator Service Buffer Overflow
Vulnerability (BID 6666) and the Microsoft Windows ntdll.dll Buffer
Overflow Vulnerability (BID 7116).

The worm also has the ability to act as a back door server program and
attack other systems. Additionally, the worm attempts to kill the
processes of many anti-virus and security applications.

Executable Types
----------------
File / Binary / Portable Executable (PE)

Infection Vectors
-----------------
File Transfer / SMB
Remotely Exploitable Vulnerability

Impact
------
Payload:
Can be used to perform denial of service attacks against specified
hosts.
Payload:
Sends information about a compromised system to a remote attacker using
IRC.
Payload:
Terminates the processes of antivirus and security applications.
Payload:
Installs an IRC bot on the compromised host.
Collateral Damage:
The worm spreads through network shares which may impact network
bandwidth.

Symptoms
--------
Creates the following file:
%System%\msnmsxp.exe

Creates the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSN Messenger = "msnmsxp.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\MSN Messenger = "msnmsxp.exe"

Technical Description
---------------------
W32.HLLW.Gaobot.O is a network worm that spreads through open network
shares. This variant also utilizes three remotely exploitable Windows
vulnerabilities in order to propagate. The vulnerabilities it exploits
are the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability
(BID 8205), the Microsoft Windows Locator Service Buffer Overflow
Vulnerability (BID 6666) and the Microsoft Windows ntdll.dll Buffer
Overflow Vulnerability (BID 7116). The worm is also capable of
functioning as an attack tool by performing denial of service attacks.

When executed, it copies itself to the Windows System directory as:
%System%\msnmsxp.exe

Next, the following registry entries are created to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSN Messenger = "msnmsxp.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\MSN Messenger = "msnmsxp.exe"

The back door component connects to a channel on a remote IRC server
using TCP port 6667 and awaits commands from the remote attacker. The
back door allows the attacker to perform the following actions on the
compromised system:
Execute an MSDOS command.
Open any file.
Modify the IRC nickname of the bot.
Resolve hostname by DNS.
Terminate the bot.
Harvest and display compromised system information.
Enable SMB shares/DCOM.
Disable SMB shares/Disable DCOM.
Display data or messages from remote user.
Display current bot status.
Generate a random IRC nickname for the bot.

The worm will also employ HTTP and FTP servers to:
Visit an attacker specified Web site.
Download and execute an arbitrary file from an attacker specified
Web/FTP site.
Download and apply worm updates from an attacker specified Web/FTP
site.

The worm will then perform a distributed denial of service against a
randomly generated IP address.

The worm will also behave as a proxy to direct attacks to an alternate
system.

To propagate, the worm then transmits data to TCP port 135 to exploit the
Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID
8205), to TCP port 445 to exploit the Microsoft Windows Locator Service
Buffer Overflow Vulnerability (BID 6666), or to TCP port 80 to exploit
the Microsoft Windows ntdll.dll Buffer Overflow Vulnerability (BID 7116).

In order to copy itself to network shares, the worm first attempts to
enumerate the following remote administrative SMB shares:
c$
d$
e$
admin$
print$

The worm extracts possible usernames using NetUserEnum() from discovered
shares and uses the harvested usernames in conjunction with the following
username and password combinations, in a bid to authenticate to the
discovered shared folders:
Username:
a
aaa
abc
admin
Dell
Gast
Guest
home
HuTsped
Inviter
InvitT
mgmt
Ospite
Owner
pc
qwer
Standard
temp
Test
test
User
Verwalter
win
x
Administrador
Administrador
Administrateur
Administrator
administrator
asdf
Convidado
Coordinatore
Default
xyz

Password:
abcd
Admin
alpha
computer
godblessyou
ihavenopass
Internet
Login
love
mypass
mypc
oracle
owner
pass
passwd
Password
password
pat
patrick
pw
pwd
root
secret
server
sex
super
sybase
xp
xxx
database
enable
foobar
god
yxcv
zxcv
000000
00000000
007
1
110
111
111111
88888888
2600
54321
11111111
12
121212
123
123123
1234
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
2002
654321

The worm copies itself and executes on any remote shares or remote
systems that it successfully authenticates to or compromises.
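The propagation behaviour described above (exploit traffic to TCP 135/445/80 against many hosts, the back door's IRC connection on TCP 6667, and username guessing against discovered shares) is all the same pattern from a defender's side: one actor producing many distinct values in a short time window. The following Python is an added example and is not part of the advisory or the forum post. It assumes flow records in the form `ts src dst dport` and failed-logon records in the form `ts target source username` (both constructed here), assumes the 10/8, 172.16/12 and 192.168/16 ranges are the monitored network, and uses a subset of the advisory's username list plus thresholds chosen for the example.

```python
"""Detect the three propagation behaviours the advisory describes, all via
one sliding-window 'many distinct values from one actor' check.
Record formats, address ranges, thresholds and samples are assumptions
made for this example."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PROPAGATION_PORTS = {135, 445, 80}   # exploit ports named in the advisory
IRC_PORT = 6667                      # back door C2 port named in the advisory
# Assumption: the monitored address space; anything else counts as "outside"
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Subset of the usernames listed in the advisory
ADVISORY_USERNAMES = {"a", "aaa", "abc", "admin", "Dell", "Gast", "Guest", "home",
                      "Owner", "pc", "qwer", "temp", "Test", "test", "User",
                      "Administrator", "administrator", "Default"}

def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)

def parse_records(text, fields):
    """Whitespace-separated lines -> dicts; 'ts' and 'dport' become ints."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(fields):
            continue                     # malformed line: skip, do not guess
        rec = dict(zip(fields, parts))
        rec["ts"] = int(rec["ts"])
        if "dport" in rec:
            rec["dport"] = int(rec["dport"])
        out.append(rec)
    return out

def distinct_in_window(records, actor, value, window, threshold):
    """Group by actor(r); report actors producing >= threshold distinct
    value(r) within `window` seconds. Returns {actor: set(values)}."""
    groups = defaultdict(list)
    for r in records:
        groups[actor(r)].append(r)
    hits = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        counts, left = {}, 0
        for r in recs:
            counts[value(r)] = counts.get(value(r), 0) + 1
            while recs[left]["ts"] < r["ts"] - window:    # slide the window
                old = value(recs[left])
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= threshold:
                hits[key] = set(counts)
                break
    return hits

def detect_exploit_sweep(flows, window=60, threshold=10):
    """Sources hitting >= threshold distinct hosts on 135/445/80 in the window."""
    cand = [f for f in flows if f["dport"] in PROPAGATION_PORTS]
    return distinct_in_window(cand, lambda f: f["src"], lambda f: f["dst"], window, threshold)

def detect_irc_c2(flows):
    """Internal hosts connecting to an outside host on the IRC port."""
    return sorted({(f["src"], f["dst"]) for f in flows if f["dport"] == IRC_PORT
                   and is_internal(f["src"]) and not is_internal(f["dst"])})

def detect_share_guessing(failures, window=120, threshold=8):
    """(source, target) pairs with >= threshold distinct failed usernames in the
    window, plus which of those names are on the advisory's list."""
    hits = distinct_in_window(failures, lambda e: (e["source"], e["target"]),
                              lambda e: e["username"], window, threshold)
    return {pair: {"distinct_usernames": len(names),
                   "from_advisory_list": sorted(names & ADVISORY_USERNAMES)}
            for pair, names in hits.items()}

def constructed_flows():
    """Constructed flow records: 'ts src dst dport'."""
    lines = ["1075499000 10.0.0.5 198.51.100.7 6667"]           # IRC join to an outside host
    for i in range(12):                                           # sweep of 12 neighbours
        lines.append("%d 10.0.0.5 10.0.0.%d %d" % (1075499001 + i, 20 + i, 135 if i % 2 else 445))
    lines += ["1075499005 10.0.0.8 10.0.0.9 445",                # normal file-share use
              "1075499006 10.0.0.8 203.0.113.1 80",              # normal web request
              "1075499007 10.0.0.8 10.0.0.9 6667"]               # internal IRC: not C2 by this rule
    return "\n".join(lines)

def constructed_failures():
    """Constructed failed-logon records: 'ts target source username'."""
    names = ["a", "aaa", "abc", "admin", "Dell", "Gast", "Guest", "home", "Owner", "pc"]
    lines = ["%d FILESRV01 10.0.0.5 %s" % (1075499100 + i, n) for i, n in enumerate(names)]
    lines += ["1075499150 FILESRV01 10.0.0.8 jsmith",             # a real user mistyping twice
              "1075499151 FILESRV01 10.0.0.8 jsmith"]
    return "\n".join(lines)

def analyse(flow_text, failure_text):
    flows = parse_records(flow_text, ["ts", "src", "dst", "dport"])
    failures = parse_records(failure_text, ["ts", "target", "source", "username"])
    return {"exploit_sweep": detect_exploit_sweep(flows),
            "irc_c2": detect_irc_c2(flows),
            "share_guessing": detect_share_guessing(failures)}

if __name__ == "__main__":
    import pprint
    pprint.pprint(analyse(constructed_flows(), constructed_failures()))
```

The port-80 rule is the noisy one in practice (ordinary web browsing also fans out), so a real deployment would keep 80 on a separate, higher threshold or restrict it to destinations inside the monitored network; the thresholds here are only illustrative.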

It also attempts to steal CD keys for the following games:
FIFA 2003
Half-Life
LoMaM
Nascar Racing 2002
Nascar Racing 2003
Need For Speed Hot Pursuit 2
Neverwinter
NHL 2002
NHL 2003
Nox
Project IGI 2
Red Alert
Red Alert 2
Battlefield 1942 The Road to Rome
Chrome
Command & Conquer Generals
Counter-Strike
FIFA 2002
Soldier of Fortune II - Double Helix
Battlefield 1942
Battlefield 1942 Secret Weapons of WWII
The Gladiators
Tiberian Sun
Unreal Technology 2003

The worm then scans for running processes belonging to security and
antivirus software; if it finds any of the following, it attempts to
terminate them:
FPROT.EXE
F-PROT.EXE
F-PROT95.EXE
FP-WIN.EXE
FRW.EXE
F-STOPW.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
ICLOAD95.EXE
ICLOADNT.EXE
NVC95.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
PERSFW.EXE
RAV7.EXE
RAV7WIN.EXE
RESCUE.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SERV95.EXE
SMC.EXE
SPHINX.EXE
SWEEP95.EXE
TBSCAN.EXE
TCA.EXE
TDS2-98.EXE
TDS2-NT.EXE
VET95.EXE
VETTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSSTAT.EXE
WEBSCANX.EXE
WFINDV32.EXE
ZONEALARM.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
IOMON98.EXE
JEDI.EXE
LOOKOUT.EXE
LUALL.EXE
MOOLIVE.EXE
MPFTRAY.EXE
N32SCANW.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLEANER.EXE
CLEANER3.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
ESAFE.EXE
ESPWATCH.EXE
F-AGNT95.EXE
FINDVIRU.EXE
IBMAVSP.EXE
NAVW32.EXE
NAVWNT.EXE
NISUM.EXE
NMAIN.EXE
NORMIST.EXE
NUPGRADE.EXE

Finally the worm will terminate the following processes if they are
found to be running:
dllhost.exe
penis32.exe
tftpd.exe
winhlpp32.exe
winppr32.exe
msblast.exe
mspatch.exe

Mitigating Strategies
---------------------
Back door server and trojan horse programs often use enticing file names
to trick users into executing them. Do not open or execute files from
unknown sources.

Use of a firewall or IDS may block or detect back door server
communications with the remote client application.

Turn off file sharing if not needed. If file sharing is required, use
ACLs and password protection to limit access.

Apply the Microsoft security patch described in Microsoft Security
Bulletin MS03-026.

Apply the Microsoft security patch described in Microsoft Security
Bulletin MS03-001.

Apply the Microsoft security patch described in Microsoft Security
Bulletin MS03-007.

Disinfection
------------
Delete the following file:
%System%\msnmsxp.exe

Delete the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSN Messenger = "msnmsxp.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\MSN Messenger = "msnmsxp.exe"

Reboot the system.

Due to the ability of the remote user to perform so many different
actions on the server system, including installation of applications, it
is highly recommended that compromised systems be completely
reinstalled.
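The Symptoms and Disinfection sections together give a file indicator and two registry persistence values, which is enough for an automated host check. The following Python is an added example, not code from the advisory or the forum post. It assumes the host state has already been exported to two plain-text artefacts (a %System% directory listing and autorun entries as `KEY<TAB>Name<TAB>Data`, both constructed here), normalises hive aliases, case, quoting and trailing backslashes so that export variations still match, and emits the clean-up steps in the advisory's order. The "related" category (any autorun that launches msnmsxp.exe under a key the advisory does not list) goes beyond the advisory and is marked as such.

```python
"""Check an exported Windows host inventory for the W32.HLLW.Gaobot.O
indicators in the advisory and list clean-up steps in the advisory's order.
Assumption: host state was exported beforehand to two text artefacts, a
%System% listing and autorun entries as 'KEY<TAB>Name<TAB>Data'. The samples
below are constructed for this example."""
import ntpath

IOC_FILE = "msnmsxp.exe"                       # dropped file, from the advisory
IOC_AUTORUNS = [                               # persistence values, from the advisory
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "MSN Messenger", "msnmsxp.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
     "MSN Messenger", "msnmsxp.exe"),
]
HIVE_ALIASES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user"}

def normalize_key(key):
    """Lower-case a registry path, expand HKLM/HKCU, drop a trailing backslash."""
    key = key.strip().rstrip("\\").lower()
    hive, sep, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive, hive) + sep + rest

def normalize_data(data):
    """Strip quotes and reduce a command or path to its lower-cased file name."""
    return ntpath.basename(data.strip().strip('"')).lower()

def parse_autoruns(text):
    """Parse 'KEY<TAB>Name<TAB>Data' lines into (key, name, data) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue                           # malformed export line: skip it
        entries.append(tuple(parts))
    return entries

def find_file_ioc(listing):
    """Names in a %System% listing that equal the IoC file (case-insensitive)."""
    return [n.strip() for n in listing.splitlines() if n.strip().lower() == IOC_FILE]

def find_autorun_iocs(text):
    """Return {'exact': [...], 'related': [...]}.
    exact   - key, value name and data all match an advisory entry
    related - any other autorun whose data runs msnmsxp.exe; this goes beyond
              the advisory, which lists only the two HKLM keys"""
    wanted = {(normalize_key(k), n.lower(), normalize_data(d)) for k, n, d in IOC_AUTORUNS}
    exact, related = [], []
    for key, name, data in parse_autoruns(text):
        probe = (normalize_key(key), name.strip().lower(), normalize_data(data))
        if probe in wanted:
            exact.append((key, name, data))
        elif probe[2] == IOC_FILE:
            related.append((key, name, data))
    return {"exact": exact, "related": related}

def removal_plan(file_hits, autorun_hits):
    """Clean-up steps in the advisory's order: file, registry values, reboot."""
    steps = ["Delete %System%\\" + name for name in file_hits]
    for key, name, _ in autorun_hits["exact"] + autorun_hits["related"]:
        steps.append("Delete registry value '%s' under %s" % (name, key))
    if steps:
        steps.append("Reboot the system")
        steps.append("Consider a full reinstall: the back door can install arbitrary programs")
    return steps

# Constructed sample artefacts (not taken from a real host)
SAMPLE_SYSTEM_FILES = "kernel32.dll\nmsnmsxp.exe\nntdll.dll\nMSNMSGR.EXE\n"
SAMPLE_AUTORUNS = "\n".join("\t".join(e) for e in [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),           # benign entry
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "msn messenger", '"msnmsxp.exe"'),                          # alias, case, quotes
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" + "\\",
     "MSN Messenger", "msnmsxp.exe"),                            # trailing backslash
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "MSN Messenger", r"C:\WINDOWS\system32\msnmsxp.exe"),       # not in advisory: 'related'
])

if __name__ == "__main__":
    files = find_file_ioc(SAMPLE_SYSTEM_FILES)
    autoruns = find_autorun_iocs(SAMPLE_AUTORUNS)
    for step in removal_plan(files, autoruns):
        print(step)
```

The normalisation matters more than it looks: exports from different tools write `HKLM` or `HKEY_LOCAL_MACHINE`, quote the data or not, and may carry a full path rather than the bare `msnmsxp.exe` the advisory shows, and a check that compares raw strings misses all of those.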

References
----------
Trend Micro WORM_AGOBOT.O

http://www.trendmicro.com/vinfo/viru...Name=WORM_AGOBOT.O

06-02-2004, 08:53 AM
Abu Taha (offline)
Honorary guest
Member number: 334
Join date: Jun 2003
Posts: 596
Likes: 0
Received 3 likes on 2 posts
Received invitations to: 0 topics
#2

Thanks to the esteemed brother Gala for this valuable information. I wanted to point out that this worm is a variant of the main W32.HLLW.Gaobot worm family which, although easy to eliminate, can cause some annoyance on the machine, since it can automatically rename itself after one of the Windows programs, such as Messenger, and then tries to kill the files of the running antivirus programs, which directly makes intrusion easier; that is where its real danger lies.

Like its sibling worms, the simplest way to prevent it is not to download or open any file received by e-mail except known ones, and only after scanning it with your protection program. If the machine does get infected with it, one of the many solutions for removing it is to update your antivirus, update your operating system from the Microsoft site, and then eliminate it.

Perhaps what the Pc-Cillin site did not point out is that this worm is extensible, which constitutes a long-term danger.

Regards


 

