genius
Guest Member
One of the hosting companies I like most is psychz.net; they really do provide good service, but they have plenty of people who resent them. The WORM_AGOBOT.IN virus, which launches a DoS attack against the site from every machine it infects, shows this as well. I also have hosting there, but although they are a good hosting company, the drop in their uptime ratio bothers me. However good their service is, being a hosting customer there has become unbearable because of the DoS attacks. Here are the details of the virus that was written:
This virus also steals information from the computers it gets into, uses the computers it gets into as SMTP, and harms not only psychz.net but many other users too. I say with regret that the time has come to leave psychz.net...
Language: English
Platform: Windows 2000, XP
Encrypted: No
Size of virus: 663,552 Bytes
Pattern file needed: 1.868.25
Scan engine needed: 6.500
Discovered: Apr. 25, 2004
Detection available: Apr. 25, 2004
Details:
Installation and Autostart Techniques
This memory-resident worm drops a copy of itself as the file WINSYS32.EXE in the Windows system folder.
To enable its automatic execution at every system startup, it creates the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Config Loadr = "winsys32.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Config Loadr = "winsys32.exe"
This malware sets itself as a service by creating the following registry entries and placing important service data in the keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_CFDLGR
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CfdLgr
It uses the service name CfdLgr with the display name Config Loadr.
It hides all files and folders that start with the text string soun. It also deletes the original file and transfers the control to the dropped file.
Network Propagation and Exploits
To propagate into systems running Windows XP, this worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability, which allows an attacker to gain full access and execute any code on a target machine.
Read more on this vulnerability from the following page:
Microsoft Security Bulletin MS03-026
This worm looks for vulnerable Windows XP machines on the network by scanning for random TCP/IP addresses on port 135.
It also uses the RPC Locator vulnerability, which affects Windows NT-based systems. It searches for vulnerable WinNT machines on the network by incrementally scanning TCP/IP addresses on port 445.
More information on this vulnerability is available from the following Microsoft page:
Microsoft Security Bulletin MS03-001
It also exploits the IIS5/WEBDAV buffer overrun, which affects Windows NT-based systems and allows the execution of arbitrary code. The following link offers more information from Microsoft about this vulnerability:
Microsoft Security Bulletin MS03-007
This worm copies and executes itself on vulnerable systems.
It searches for the following default network shares:
* admin$
* c$
* ipc$
* print$
It uses the default shares to determine access and copies itself to the shared folders as WINUSER32.EXE if it has full access rights. However, if these shared folders have restricted access rights, it attempts to force its way into the systems by logging on using a list of user names and passwords.
Denial of Service Attack
This worm allows remote users to launch the following types of flood attacks from infected machines against a target site:
* PING flood
* UDP flood
* SYN flood
* HTTP flood
It launches denial of service (DoS) attacks against the following Web sites:
* eclipse.psychz.net
* Global-Dimension.org
* harr0.com
* psychz.net
* rizon.net
* rolo.psychz.net
* ryan1918.com
* starburst.psychz.net
* www.Global-Dimension.org
* www.harr0.com
* www.rizon.net
* www.ryan1918.com
Backdoor Capabilities
This worm has backdoor capabilities. It connects to an IRC (Internet Relay Chat) server and automatically joins a specific channel, where it listens for commands coming from a remote user. It executes commands locally on the affected machines, providing remote users virtual control over affected systems.
It acts as a bot that responds to private messages with specific keyword triggers. The following are the corresponding actions it performs:
* Change bot settings
* Check bot status
* Control an IRC server where the bot is connected
* Delete or add a service or an autostart entry
* Disable or enable shell handler
* Display information about the bot
* Display system information
* Download, update and execute file from a Web site
* Download, update and execute file from FTP
* Enable or delete shares from a host system
* Enable or disable DCOM from the host system
* Execute a .EXE file
* Get list of CD keys
* Kill a process
* List all system processes
* List available bot commands
* Log off current user
* Open a file
* Perform a Distributed Denial of Service (DDoS) attack and port redirection
* Perform FTP and HTTP operations
* Perform IRC operations
* Quit the bot
* Resolve IP or host name by DNS
* Shutdown or restart machine
* Visit a Web site
Information Theft
This worm steals the CD keys of the following popular games:
* Battlefield 1942
* Battlefield 1942 Secret Weapons of WWII
* Battlefield 1942 The Road to Rome
* Chrome
* Command & Conquer Generals
* Counter-Strike
* FIFA 2002
* FIFA 2003
* Half-Life
* Hidden and Dangerous 2
* Legends of Might and Magic
* Nascar Racing 2002
* Nascar Racing 2003
* Need For Speed Hot Pursuit 2
* Neverwinter Nights
* NHL 2002
* NHL 2003
* NOX
* Project IGI 2
* Red Alert
* Red Alert 2
* Soldier of Fortune II - Double Helix
* The Gladiators
* Tiberian Sun
* Unreal Tournament 2003
Antivirus Retaliation
This worm terminates the following processes, which include antivirus and firewall programs:
* _AVP32.EXE
* _AVPCC.EXE
* _AVPM.EXE
* AckWin32.EXE
* ACKWIN32.EXE
* ADVXDWIN.EXE
* AGENTSVR.EXE
* agentw.EXE
* ALERTSVC.EXE
* ALOGSERV.EXE
* AMON9X.EXE
* ANTI-TROJAN.EXE
* ANTIVIRUS.EXE
* ANTS.EXE
* APIMONITOR.EXE
* APLICA32.EXE
* apvxdwin.EXE
* APVXDWIN.EXE
* ATCON.EXE
* ATGUARD.EXE
* ATRO55EN.EXE
* ATUPDATER.EXE
* ATWATCH.EXE
* AUPDATE.EXE
* AUTODOWN.EXE
* AutoTrace.EXE
* AUTOUPDATE.EXE
* AVCONSOL.EXE
* AVE32.EXE
* AVGCC32.EXE
* Avgctrl.EXE
* AVGCTRL.EXE
* AVGNT.EXE
* AvgServ.EXE
* AVGSERV.EXE
* AVGSERV9.EXE
* AVGUARD.EXE
* AVGW.EXE
* avkpop.EXE
* AvkServ.EXE
* avkservice.EXE
* avkwctl9.EXE
* AVNT.EXE
* AVP.EXE
* AVP32.EXE
* AVPCC.EXE
* AVPDOS32.EXE
* avpm.EXE
* AVPM.EXE
* AVPTC32.EXE
* AVPUPD.EXE
* Avsched32.EXE
* AvSynMgr.AVSYNMGR.EXE
* AVWIN95.EXE
* AVWINNT.EXE
* AVWUPD32.EXE
* AVWUPSRV.EXE
* AVXMONITOR9X.EXE
* AVXMONITORNT.EXE
* AVXQUAR.EXE
* BD_PROFESSIONAL.EXE
* BIDEF.EXE
* BIDSERVER.EXE
* BIPCP.EXE
* BIPCPEVALSETUP.EXE
* BISP.EXE
* blackd.EXE
* BLACKD.EXE
* BlackICE.EXE
* BLACKICE.EXE
* BOOTWARN.EXE
* BORG2.EXE
* BS120.EXE
* ccApp.EXE
* ccEvtMgr.EXE
* ccPxySvc.EXE
* CDP.EXE
* CFGWIZ.EXE
* CFIADMIN.EXE
* CFIAUDIT.EXE
* CFINET.EXE
* CFINET32.EXE
* Claw95.EXE
* Claw95cf.EXE
* CLAW95CF.EXE
* CLEAN.EXE
* cleaner.EXE
* CLEANER.EXE
* cleaner3.EXE
* CLEANER3.EXE
* CLEANPC.EXE
* CMGRDIAN.EXE
* CMON016.EXE
* CONNECTIONMONITOR.EXE
* cpd.EXE
* CPD.EXE
* CPF9X206.EXE
* CPFNT206.EXE
* CTRL.EXE
* CV.EXE
* CWNB181.EXE
* CWNTDWMO.EXE
* defalert.EXE
* defscangui.EXE
* DEFWATCH.EXE
* DEPUTY.EXE
* DOORS.EXE
* DPF.EXE
* DPFSETUP.EXE
* DRWATSON.EXE
* DRWEB32.EXE
* DVP95.EXE
* DVP95_0.EXE
* ECENGINE.EXE
* EFPEADM.EXE
* ENT.EXE
* ESAFE.EXE
* ESCANH95.EXE
* ESCANHNT.EXE
* ESCANV95.EXE
* ESPWATCH.EXE
* ETRUSTCIPE.EXE
* EVPN.EXE
* EXANTIVIRUS-CNET.EXE
* EXE.AVXW.EXE
* EXPERT.EXE
* F-AGNT95.EXE
* fameh32.EXE
* FAST.EXE
* fch32.EXE
* fih32.EXE
* FINDVIRU.EXE
* FIREWALL.EXE
* FLOWPROTECTOR.EXE
* fnrb32.EXE
* FPROT.EXE
* F-PROT.EXE
* F-PROT95.EXE
* FP-WIN.EXE
* FP-WIN_TRIAL.EXE
* FRW.EXE
* fsaa.EXE
* FSAV.EXE
* fsav32.EXE
* FSAV530STBYB.EXE
* FSAV530WTBYB.EXE
* FSAV95.EXE
* fsgk32.EXE
* fsm32.EXE
* fsma32.EXE
* fsmb32.EXE
* f-stopw.EXE
* F-STOPW.EXE
* gbmenu.EXE
* GBMENU.EXE
* gbpoll.EXE
* GBPOLL.EXE
* GENERICS.EXE
* GUARD.EXE
* GUARDDOG.EXE
* HACKTRACERSETUP.EXE
* HTLOG.EXE
* HWPE.EXE
* iamapp.EXE
* IAMAPP.EXE
* iamserv.EXE
* IAMSERV.EXE
* IAMSTATS.EXE
* IBMASN.EXE
* IBMAVSP.EXE
* ICLOAD95.EXE
* ICLOADNT.EXE
* ICMON.EXE
* ICSUPP95.EXE
* ICSUPPNT.EXE
* IFACE.EXE
* IFW2000.EXE
* IOMON98.EXE
* IPARMOR.EXE
* IRIS.EXE
* ISRV95.EXE
* JAMMER.EXE
* JEDI.EXE
* KAVLITE40ENG.EXE
* KAVPERS40ENG.EXE
* KAVPF.EXE
* KERIO-PF-213-EN-WIN.EXE
* KERIO-WRL-421-EN-WIN.EXE
* KERIO-WRP-421-EN-WIN.EXE
* KILLPROCESSSETUP161.EXE
* LDNETMON.EXE
* LDPRO.EXE
* LDPROMENU.EXE
* LDSCAN.EXE
* LOCALNET.EXE
* LOCKDOWN.EXE
* lockdown2000.EXE
* LOCKDOWN2000.EXE
* LOOKOUT.EXE
* LSETUP.EXE
* LUALL.EXE
* LUAU.EXE
* LUCOMSERVER.EXE
* LUINIT.EXE
* LUSPT.EXE
* MCAGENT.EXE
* MCMNHDLR.EXE
* Mcshield.EXE
* MCTOOL.EXE
* MCUPDATE.EXE
* MCVSRTE.EXE
* MCVSSHLD.EXE
* MFW2EN.EXE
* MFWENG3.02D30.EXE
* MGAVRTCL.EXE
* MGAVRTE.EXE
* MGHTML.EXE
* MGUI.EXE
* MINILOG.EXE
* Monitor.EXE
* MONITOR.EXE
* MOOLIVE.EXE
* MPFAGENT.EXE
* MPFSERVICE.EXE
* MPFTRAY.EXE
* MRFLUX.EXE
* MSCONFIG.EXE
* MSINFO32.EXE
* MSSMMC32.EXE
* MU0311AD.EXE
* MWATCH.EXE
* N32SCANW.EXE
* NAV Auto-Protect.NAV80TRY.EXE
* NAVAP.navapsvc.EXE
* NAVAPSVC.EXE
* NAVAPW32.EXE
* NAVDX.EXE
* NAVENGNAVEX15.NAVLU32.EXE
* NAVLU32.EXE
* NAVNT.EXE
* NAVSTUB.EXE
* Navw32.EXE
* NAVW32.EXE
* NAVWNT.EXE
* NC2000.EXE
* NCINST4.EXE
* NDD32.EXE
* NEOMONITOR.EXE
* NeoWatchLog.EXE
* NETARMOR.EXE
* NETINFO.EXE
* NETMON.EXE
* NETSCANPRO.EXE
* NETSPYHUNTER-1.2.EXE
* NETSTAT.EXE
* NETUTILS.EXE
* NISSERV.EXE
* NISUM.EXE
* NMAIN.EXE
* NOD32.EXE
* NORMIST.EXE
* NORTON_INTERNET_SECU_3.0_407.EXE
* notstart.EXE
* NPF40_TW_98_NT_ME_2K.EXE
* NPFMESSENGER.EXE
* NPROTECT.EXE
* npscheck.EXE
* NPSSVC.EXE
* NSCHED32.EXE
* ntrtscan.EXE
* NTVDM.EXE
* NTXconfig.EXE
* Nui.EXE
* Nupgrade.EXE
* NVARCH16.EXE
* NVC95.EXE
* nvsvc32.EXE
* NWINST4.EXE
* NWService.EXE
* NWTOOL16.EXE
* OSTRONET.EXE
* OUTPOST.EXE
* OUTPOSTINSTALL.EXE
* OUTPOSTPROINSTALL.EXE
* PADMIN.EXE
* PANIXK.EXE
* PAVCL.EXE
* pavproxy.EXE
* PAVPROXY.EXE
* PAVSCHED.EXE
* PAVW.EXE
* PCC2002S902.EXE
* PCC2K_76_1436.EXE
* PCCIOMON.EXE
* pccntmon.EXE
* pccwin97.EXE
* PCCWIN98.EXE
* PCDSETUP.EXE
* PCFWALLICON.EXE
* PCIP10117_0.EXE
* pcscan.EXE
* PDSETUP.EXE
* PERISCOPE.EXE
* PERSFW.EXE
* PERSWF.EXE
* PF2.EXE
* PFWADMIN.EXE
* PINGSCAN.EXE
* PLATIN.EXE
* POP3TRAP.EXE
* POPROXY.EXE
* POPSCAN.EXE
* PORTDETECTIVE.EXE
* PORTMONITOR.EXE
* PPINUPDT.EXE
* PPTBC.EXE
* PPVSTOP.EXE
* prcview.EXE
* procdump.EXE
* PROCESSMONITOR.EXE
* PROCEXPLORERV1.0.EXE
* PROGRAMAUDITOR.EXE
* PROPORT.EXE
* PROTECTX.EXE
* PSPF.EXE
* PURGE.EXE
* PVIEW95.EXE
* QCONSOLE.EXE
* QSERVER.EXE
* rapapp.EXE
* RAV7.EXE
* RAV7WIN.EXE
* RAV8WIN32ENG.EXE
* REALMON.EXE
* REGEDIT.EXE
* REGEDT32.EXE
* RESCUE.EXE
* RESCUE32.EXE
* RRGUARD.EXE
* RSHELL.EXE
* rtvscan.EXE
* RTVSCN95.EXE
* RULAUNCH.EXE
* SAFEWEB.EXE
* sbserv.EXE
* SBSERV.EXE
* SCAN32.EXE
* SCAN95.EXE
* SCANPM.EXE
* SCRSCAN.EXE
* SD.EXE
* SERV95.EXE
* SETUP_FLOWPROTECTOR_US.EXE
* SETUPVAMEEVAL.EXE
* SFC.EXE
* SGSSFW32.EXE
* SH.EXE
* SHELLSPYINSTALL.EXE
* SHN.EXE
* SMC.EXE
* SOFI.EXE
* SPF.EXE
* Sphinx.EXE
* SPHINX.EXE
* SPYXX.EXE
* SS3EDIT.EXE
* ST2.EXE
* SUPFTRL.EXE
* SUPPORTER5.EXE
* SWEEP95.EXE
* SweepNet.SWEEPSRV.SYS.SWNETSUP.EXE
* SymProxySvc.EXE
* SYMPROXYSVC.EXE
* SYMTRAY.EXE
* SYSEDIT.EXE
* taskmgr.EXE
* TASKMON.EXE
* TAUMON.EXE
* TBSCAN.EXE
* TC.EXE
* TCA.EXE
* TCM.EXE
* TDS2-98.EXE
* TDS2-NT.EXE
* TDS-3.EXE
* TFAK.EXE
* TFAK5.EXE
* TGBOB.EXE
* TITANIN.EXE
* TITANINXP.EXE
* TRACERT.EXE
* TRJSCAN.EXE
* TRJSETUP.EXE
* TROJANTRAP3.EXE
* UNDOBOOT.EXE
* UPDATE.EXE
* vbcmserv.EXE
* VBCMSERV.EXE
* VbCons.EXE
* VBCONS.EXE
* VBUST.EXE
* VBWIN9X.EXE
* VBWINNTW.EXE
* VCSETUP.EXE
* VET32.EXE
* Vet95.EXE
* VET95.EXE
* VetTray.EXE
* VETTRAY.EXE
* VFSETUP.EXE
* VIR-HELP.EXE
* VIRUSMDPERSONALFIREWALL.EXE
* VNLAN300.EXE
* VNPC3000.EXE
* VPC32.EXE
* VPC42.EXE
* VPFW30S.EXE
* VPTRAY.EXE
* VSCAN40.EXE
* VSCENU6.02D30.EXE
* VSCHED.EXE
* VSECOMR.EXE
* vshwin32.EXE
* VSISETUP.EXE
* VSMAIN.EXE
* vsmon.EXE
* VSMON.EXE
* VSSTAT.EXE
* VSWIN9XE.EXE
* VSWINNTSE.EXE
* VSWINPERSE.EXE
* W32DSM89.EXE
* W9X.EXE
* WATCHDOG.EXE
* WEBSCANX.EXE
* WEBTRAP.EXE
* WFINDV32.EXE
* WGFE95.EXE
* WHOSWATCHINGME.EXE
* WIMMUN32.EXE
* WINRECON.EXE
* WNT.EXE
* WrAdmin.EXE
* WRADMIN.EXE
* WrCtrl.EXE
* WRCTRL.EXE
* WSBGATE.EXE
* WYVERNWORKSFIREWALL.EXE
* XPF202EN.EXE
* zapro.EXE
* ZAPRO.EXE
* ZAPSETUP3001.EXE
* ZATUTOR.EXE
* ZAUINST.EXE
* ZONALM2601.EXE
* zonealarm.EXE
* ZONEALARM.EXE
Disabling Access to Antivirus Web Sites
This malware modifies the Windows HOSTS file so that any attempt to access the following antivirus Web sites is redirected to the local machine:
* avp.com
* ca.com
* customer.symantec.com
* dispatch.mcafee.com
* download.mcafee.com
* f-secure.com
* kaspersky.com
* liveupdate.symantec.com
* liveupdate.symantecliveupdate.com
* mast.mcafee.com
* mcafee.com
* my-etrust.com
* nai.com
* networkassociates.com
* rads.mcafee.com
* secure.nai.com
* securityresponse.symantec.com
* sophos.com
* symantec.com
* trendmicro.com
* update.symantec.com
* updates.symantec.com
* us.mcafee.com
* viruslist.com
* www.avp.com
* www.ca.com
* www.f-secure.com
* www.kaspersky.com
* www.mcafee.com
* www.my-etrust.com
* www.nai.com
* www.networkassociates.com
* www.sophos.com
* www.symantec.com
* www.trendmicro.com
* www.viruslist.com
Other Details
This worm terminates the following known malware processes:
* dllhost.exe
* msblast.exe
* mspatch.exe
* penis32.exe
* tftpd.exe
* winhlpp32.exe
* winppr32.exe
It is written in Microsoft Visual C++.
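Two of the host-side indicators in the quoted write-up can be checked offline by a defender: the "Config Loadr" autostart values and the CfdLgr service key in a registry export, and HOSTS entries that pin antivirus domains to the local machine. The Python below is an added example and is not part of the original post or of the Trend Micro write-up; the function names, the sample `.reg` text and the sample hosts file are constructed for illustration, and the domain set is a subset of the list above (subdomains are matched by suffix, so liveupdate.symantec.com is caught via symantec.com).

```python
"""Offline checks for the persistence and HOSTS tampering described above.

Added example: runs on a text export produced by `reg export HKLM\\... out.reg`
and on a copy of %SystemRoot%\\System32\\drivers\\etc\\hosts, so no live
registry access is needed. All sample data below is constructed.
"""
import re

# Indicators quoted from the write-up.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
AUTOSTART_VALUE = "config loadr"
DROPPED_FILE = "winsys32.exe"
SERVICE_KEY = r"hkey_local_machine\system\currentcontrolset\services\cfdlgr"

# Subset of the redirected antivirus domains; subdomains match by suffix.
REDIRECTED_AV_DOMAINS = {
    "avp.com", "ca.com", "f-secure.com", "kaspersky.com", "mcafee.com",
    "my-etrust.com", "nai.com", "networkassociates.com", "sophos.com",
    "symantec.com", "liveupdate.symantecliveupdate.com", "trendmicro.com",
    "viruslist.com",
}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def find_autostart_indicators(reg_export: str) -> list[str]:
    """Return human-readable hits for the worm's autostart values and service key.

    Walks a .reg export line by line: a `[KEY]` line sets the current key,
    and `"name"="data"` lines are checked only under the Run/RunServices keys.
    """
    hits: list[str] = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            if current_key.lower() == SERVICE_KEY:
                hits.append(f"service key present: {current_key}")
            continue
        m = _REG_VALUE.match(line)
        if not m or current_key is None or current_key.lower() not in AUTOSTART_KEYS:
            continue
        name, data = m.group(1), m.group(2)
        # Flag either the known value name or any autostart pointing at the dropped file.
        if name.lower() == AUTOSTART_VALUE or DROPPED_FILE in data.lower():
            hits.append(f"{current_key}\\{name} = {data}")
    return hits


def find_hosts_redirections(hosts_text: str, watched: set[str]) -> list[tuple[str, str]]:
    """Return (hostname, address) pairs where a watched domain or a subdomain
    of it resolves to a loopback/blackhole address via the hosts file."""
    found: list[tuple[str, str]] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            host = name.lower().rstrip(".")
            if host == "localhost":
                continue  # the legitimate loopback entry
            suspicious = host in watched or any(host.endswith("." + w) for w in watched)
            if addr in LOOPBACK and suspicious:
                found.append((host, addr))
    return found


# Constructed sample data mirroring the write-up's indicators.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Config Loadr"="winsys32.exe"
"Benign"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Config Loadr"="winsys32.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CfdLgr]
"DisplayName"="Config Loadr"
"""

SAMPLE_HOSTS = """# constructed sample of a tampered hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com   # injected entry
0.0.0.0         mcafee.com
192.0.2.10      intranet.example
"""

if __name__ == "__main__":
    for hit in find_autostart_indicators(SAMPLE_REG):
        print("registry:", hit)
    for host, addr in find_hosts_redirections(SAMPLE_HOSTS, REDIRECTED_AV_DOMAINS):
        print(f"hosts: {host} -> {addr}")
```

On a real machine the same functions can be fed the output of `reg export` and the contents of the hosts file; clearing the hits is only part of the cleanup, since the write-up also lists the dropped WINSYS32.EXE and WINUSER32.EXE copies and the terminated security processes.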