
Urgent notice regarding the Doomhunter worm

Published: 2012-12-25 15:41:47 | Editor: stu1

 

2010-11-06 kaida Hits: [1]

Posted by kaida on 18 February 2004 at 8:03pm; read 26048 times.

Posting the English version first; no time to translate it.

http://securityresponse.symantec.com/avcenter/venc/data/w32.doomhunter.html

http://www.perantivirus.com/sosvirus/virufamo/doomhunt.htm

http://www.esecurityplanet.com/alerts/print.php/1031_3312861

http://www.trendmicro.com/vinfo/zh-tw/virusencyclo/default5.asp?VName=WORM_DOOMHUNTR.A&VSect=T

W32.Doomhunter

Last Updated on: February 14, 2004 03:58:39 PM

W32.Doomhunter is a worm that attempts to spread to the machines that are infected with W32.Mydoom@mm variants.

Type: Worm
Infection Length: 5,120
Systems Affected: Windows 2000, Windows XP

Protection
  • Virus Definitions (Intelligent Updater) *: February 13, 2004
  • Virus Definitions (LiveUpdate™) **: February 18, 2004

Wild:

  • Number of infections: 0 - 49
  • Number of sites: 0 - 2
  • Geographical distribution: Low
  • Threat containment: Easy
  • Removal: Easy

Damage

  • Payload Trigger: n/a
  • Payload: n/a
    • Large scale e-mailing: n/a
    • Deletes files: n/a
    • Modifies files: n/a
    • Degrades performance: n/a
    • Causes system instability: n/a
    • Releases confidential info: n/a
    • Compromises security settings: n/a

Distribution

  • Subject of email: n/a
  • Name of attachment: n/a
  • Size of attachment: n/a
  • Time stamp of attachment: n/a
  • Ports: n/a
  • Shared drives: n/a
  • Target of infection: Attempts to spread itself to the machines infected with W32.Mydoom.A@mm.



When W32.Doomhunter runs, it does the following:

  1. Copies itself as %System%\worm.exe.

     Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds the value:

     "Delete Me"="worm.exe"

     to the registry key:

     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

     so that the worm runs when you start Windows®.

  3. Deletes the default value in the registry key:

     HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

     Note: W32.Mydoom.A@mm and W32.Mydoom.B@mm modify this key.

  4. Displays various messages when running.

     Note: All the messages have "Mydoom removal worm (DDOS the RIAA!!)" in the title bar.

  5. Terminates the following processes, which the worms W32.Mydoom.A@mm, W32.Mydoom.B@mm, W32.Blaster.Worm, and W32.Blaster.C.Worm may create:
     • SHIMGAPI.DLL
     • CTFMON.DLL
     • REGEDIT.EXE
     • TEEKIDS.EXE
     • MSBLAST.EXE
     • EXPLORER.EXE
     • TASKMON.EXE
     • INTRENAT.EXE

     Note: All the Windows operating systems have a legitimate system process titled explorer.exe.

  6. Deletes the following files from the System folder, which are associated with the worms W32.Mydoom.A@mm, W32.Mydoom.B@mm, W32.Blaster.Worm, and W32.Blaster.C.Worm:
     • SHIMGAPI.DLL
     • CTFMON.DLL
     • REGEDIT.EXE
     • TEEKIDS.EXE
     • MSBLAST.EXE
     • EXPLORER.EXE
     • TASKMON.EXE
     • INTRENAT.EXE

     Notes:
     • The legitimate system file explorer.exe exists in the %Windir% folder on all the Windows systems.
     • %Windir% is a variable for the Windows installation folder (by default, this is C:\Windows or C:\Winnt).

  7. Listens on TCP port 3127.

     Note: Port 3127 is the port that the backdoor component of W32.Mydoom.A@mm opened.

  8. If a connection is established, the worm first sends five bytes to the remote computer. Then, it sends a copy of itself to the remote computer. The backdoor component of W32.Mydoom.A@mm will accept the file and then execute it.



Doomhunt Worm Targets Computers Infected With Mydoom Worms
By
February 13, 2004

 

Several low level alerts have been issued for W32/DoomHunt-A, a worm that spreads to computers infected with the W32/MyDoom-A and W32/MyDoom-B worms and terminates processes and removes files associated with these worms.

W32/DoomHunt-A listens for connections on port 3127, according to Sophos. If a connection is made the worm sends back a copy of itself to be executed on the remote computer.

W32/DoomHunt-A adds the following registry entry so that it runs at startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DELETE ME

W32/DoomHunt-A will terminate the following processes and remove the files associated with them:
SHIMGAPI.DLL
CTFMON.DLL
REGEDIT.EXE
TEEKIDS.EXE
MSBLAST.EXE
EXPLORER.EXE
TASKMON.EXE
INTRENAT.EXE

Instructions for removing worms are at this Sophos page.

McAfee recognizes the worm as W32/Doomhunter.32, and reports that it is written in MSVC and is designed to propagate to systems infected with W32/Mydoom.a@MM or W32/Mydoom.b@MM. Once running on such machines, it then attempts to remove these infections from such machines.

Upon execution, W32/Doomhunter.worm copies itself to the %SysDir% directory as WORM.EXE. For example:
C:\WINNT\SYSTEM32\WORM.EXE
(Certain message boxes are displayed if the worm is run in a debug mode.)

It then adds the following value to the Registry key to hook system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "DELETE ME" = "worm.exe"

Certain processes are terminated if running on the machine. The files associated with such processes are then deleted:
CTFMON.DLL
EXPLORER.EXE
TEEKIDS.EXE
INTRENAT.EXE
TASKMON.EXE
MSBLAST.EXE
REGEDIT.EXE
SHIMGAPI.DLL

The following Registry key (W32/Mydoom related) is also removed:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 (Default)

During this 'cleaning' various message boxes are displayed. They all share a common window title:
Mydoom removal worm (DDOS the RIAA!!)

The worm listens on port 3127 (TCP) for any incoming connections (whether or not they are viral related).

Upon such a connection the worm attempts to send itself to the connecting IP address (via the W32/Mydoom backdoor).

More information is at this McAfee page.

W32.Doomhunter is a worm that attempts to spread to the machines that are previously infected with W32.Mydoom.A@mm.

Technical details are at this Symantec page.

According to Trend Micro, WORM_DOOMHUNTR.A is a memory resident worm that propagates via systems that are infected with WORM_MYDOOM.A and WORM_MYDOOM.B. This malware downloads and executes itself on these infected systems.

It has the ability to terminate processes associated with the MYDOOM and MSBLAST worms. It also deletes files associated with the said worms.

This malware also displays several message boxes, depending on the routine that it does on the system.

It runs on Windows 95, 98, ME, NT, 2000 and XP.

Technical details are at this Trend Micro page.
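The Symantec steps above and the eSecurityPlanet/McAfee summary describe the same three host indicators: the Run-key value "Delete Me"="worm.exe", the dropped file %System%\worm.exe, and activity on TCP port 3127 (the Mydoom backdoor port). The following Python script is an added example for checking exported host data against those indicators; it is not part of the original notice or of any vendor's tooling. The .reg export, directory listing and netstat -ano text, the function names, and the assumed system folder C:\WINNT\system32 are all constructed for illustration.

```python
r"""Offline triage of W32.Doomhunter host indicators (added example).

Checks, from the write-ups above: the HKCU Run value pointing at worm.exe,
the dropped %System%\worm.exe, and TCP port 3127 sockets. All inputs are
text dumps, so the script runs against exported data without touching a live
host. The sample data at the bottom is constructed, not a real capture.
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_FILE = "worm.exe"      # copied to %System% per the write-up
BACKDOOR_PORT = 3127           # port opened by the W32.Mydoom.A@mm backdoor


def parse_reg_export(text):
    """Parse a Windows .reg export into {key: {value_name: data}}.

    Only quoted string values are handled, which is all the Run key normally
    contains. A .reg file writes each backslash in string data twice.
    """
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            result[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return result


def find_run_key_indicator(reg):
    """Return (value_name, data) pairs in the HKCU Run key whose data names worm.exe.

    Matching on the data rather than the value name covers both spellings the
    vendors report ("Delete Me" and "DELETE ME") and full-path variants.
    """
    hits = []
    for key, values in reg.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if data.lower().rsplit("\\", 1)[-1] == DROPPED_FILE:
                hits.append((name, data))
    return hits


def find_dropped_file(listing, system_dir):
    r"""Return listing entries equal to <system_dir>\worm.exe (case-insensitive)."""
    target = system_dir.rstrip("\\").lower() + "\\" + DROPPED_FILE
    return [path for path in listing if path.lower() == target]


def find_port_3127_sockets(netstat_text, port=BACKDOOR_PORT):
    """Scan `netstat -ano` output for TCP sockets involving the backdoor port.

    Returns (state, local, foreign, pid) tuples. A LISTENING socket on the port
    is the worm's own listener (or an active Mydoom backdoor); an ESTABLISHED
    socket whose foreign port is 3127 matches the McAfee note that the worm
    pushes itself to the connecting host through that host's Mydoom backdoor.
    """
    hits = []
    for raw in netstat_text.splitlines():
        parts = raw.split()
        if len(parts) < 5 or parts[0] != "TCP":
            continue
        local, foreign, state, pid = parts[1], parts[2], parts[3], parts[4]
        if state == "LISTENING" and local.rsplit(":", 1)[-1] == str(port):
            hits.append((state, local, foreign, pid))
        elif state == "ESTABLISHED" and foreign.rsplit(":", 1)[-1] == str(port):
            hits.append((state, local, foreign, pid))
    return hits


def triage(reg_text, listing, netstat_text, system_dir):
    """Run all checks; persistence value plus dropped file is the strong signal,
    port 3127 activity is corroboration (it may also be a bare Mydoom infection)."""
    findings = {
        "run_key": find_run_key_indicator(parse_reg_export(reg_text)),
        "dropped_file": find_dropped_file(listing, system_dir),
        "port_3127": find_port_3127_sockets(netstat_text),
    }
    findings["suspected_doomhunter"] = bool(findings["run_key"] and findings["dropped_file"])
    return findings


# --- constructed sample inputs (not real captures) --------------------------
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"Delete Me"="worm.exe"
"""

SAMPLE_LISTING = [r"C:\WINNT\system32\ctfmon.exe", r"C:\WINNT\system32\WORM.EXE"]

SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.10:1044      192.168.1.20:3127      ESTABLISHED     1532
"""

if __name__ == "__main__":
    for name, value in triage(SAMPLE_REG, SAMPLE_LISTING, SAMPLE_NETSTAT, r"C:\WINNT\system32").items():
        print(f"{name}: {value}")
```

The script deliberately does not flag hosts by the process names in the vendors' lists: as the notes above say, explorer.exe (and ctfmon, regedit, taskmon) are legitimate Windows names, so their presence alone proves nothing. Persistence value plus dropped file is the decisive pair; a port 3127 listener on its own is equally consistent with an unremediated Mydoom infection, which is why it is reported separately.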

