W32.Dranyam (Worm)


Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

When the worm is executed, it creates the following files:

* %UserProfile%\Administrator\Desktop\hi.txt
* %Windir%\Help\services.exe
* %Windir%\Help\svchost.exe
* %DriveLetter%\autorun.inf
* %DriveLetter%\MarcMaynard.exe



Next, it creates the following registry subkeys:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}


It then creates the following registry entries:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\"StubPath" = "C:\WINDOWS\Help\svchost.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\"StubPath" = "C:\WINDOWS\Help\services.exe"
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Window Title" = "«×¤‡ M•ä•R•Ç † m•Á•ÿ•Ñ•â•R•Ð ‡¤×»"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\INF\snd\9406607\"Copy of 1.exe" = "Copy of 1"



It also modifies the following registry entries:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "userinit.exe,services.exe"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "0"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
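
The following Python is an added example, not part of the original write-up: it triages a registry export for the Winlogon, Active Setup and Explorer entries listed above. It assumes the export has already been decoded to text in `reg export` form; the sample snapshot and the rule names are constructed for illustration.

```python
import re
# Constructed snapshot in `reg export` text form; not taken from a real host.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,services.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}]
"StubPath"="C:\\WINDOWS\\Help\\svchost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
'''

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
ACTIVE_SETUP = r"hkey_local_machine\software\microsoft\active setup\installed components" + "\\"
ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"

def parse_reg(text):
    """Parse `reg export` text into {key: {value_name: data}}, names lowercased."""
    hive, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            hive[key] = {}
        elif key and (m := re.match(r'"(.+?)"=(.*)$', line)):
            raw = m.group(2)
            # dword:00000001 -> "1"; quoted strings have their .reg escaping undone
            data = str(int(raw[6:], 16)) if raw.startswith("dword:") else raw.strip('"').replace("\\\\", "\\")
            hive[key][m.group(1).lower()] = data
    return hive

def findings(hive):
    """Return (rule, detail) pairs for the registry changes listed in this write-up."""
    out = []
    # Userinit should launch only userinit.exe; the worm appends services.exe.
    for entry in hive.get(WINLOGON, {}).get("userinit", "").split(","):
        exe = entry.strip().rsplit("\\", 1)[-1].lower()
        if exe and exe != "userinit.exe":
            out.append(("userinit-extra", entry.strip()))
    # Active Setup StubPath pointing at svchost.exe/services.exe under \Help\.
    for key, values in hive.items():
        stub = values.get("stubpath", "")
        if key.startswith(ACTIVE_SETUP) and re.search(r"\\help\\(svchost|services)\.exe$", stub, re.I):
            out.append(("active-setup-stub", stub))
    # Explorer view settings are weak evidence alone, so require all three listed values.
    adv = hive.get(ADVANCED, {})
    if (adv.get("hidden"), adv.get("hidefileext"), adv.get("showsuperhidden")) == ("0", "1", "0"):
        out.append(("explorer-hiding", "Hidden=0 HideFileExt=1 ShowSuperHidden=0"))
    return out
```

Calling `findings(parse_reg(SAMPLE))` returns one finding per rule; the Explorer rule should be read as corroboration of the other two rather than as a detection by itself.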



It modifies the following registry entry to change the browser home page:

* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "M•ä•R•Ç † m•Á•ÿ•Ñ•â•R•Ð"

It also copies itself as the following file on all drives of the compromised computer:

* %DriveLetter%\MarcMaynard.exe

The worm then creates the following file on each drive so that the worm executes whenever the drive is accessed:

* %DriveLetter%\autorun.inf

Symantec.com
