Email-Worm.Win32.Salga.a

This worm spreads over the Internet as an attachment to infected e-mail messages, through P2P file-sharing networks, accessible network shares and IRC channels. It is a PE EXE file of about 36 KB (MEW-packed; about 307 KB when unpacked). The worm also contains a backdoor routine.

Installation

When launched, the worm copies itself to the Startup folder under the name egy~1.exe:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\egy~1.exe

The worm then creates several folders and places copies of itself in them:

%ProgramFiles%\Accessories\BRITNY SPEARS MARRAGE.zip.exe
%ProgramFiles%\Accessories\Details of new friends.zip.exe
%ProgramFiles%\Accessories\Details.zip.exe
%ProgramFiles%\Accessories\hard sex files.zip.exe
%ProgramFiles%\Accessories\Is Bnladen realy cow boy.zip.exe
%ProgramFiles%\Accessories\kasper2005.zip.exe
%ProgramFiles%\Accessories\Nicole Kidman.zip.exe
%ProgramFiles%\mirc\Britny spears marriage with Bnladen son.zip.exe
%ProgramFiles%\mirc32\Britny spears marriage with Bnladen son.zip.exe
%Windir%\acdsee demo.exe
%Windir%\All Users\Desktop\sex camsex photoes of monika.zip.exe
%Windir%\All Users\Start Menu\Programs\StartUp\ana~1.exe
%Windir%\Start Menu\inter net speeder.zip.exe
%Windir%\start menu\programs\new chat prog.zip.exe
%Windir%\system\system copy.exe
%Windir%\system32\egywormo[gen1].exe
C:\Britny spears marrage with Bnladensun.zip
C:\Britny\NEW FILM.ZIP.EXE
C:\Documents and Settings\All Users\DESKTOP\holywood stuff film.zip.exe
C:\Documents and Settings\All Users\Start Menu\nicole kidman sexy cam.zip.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\magic graphices maker.zip.exe
C:\Documents and Settings\All Users\Start Menu\Programs\your sexy cam.zip.exe
C:\hard core hook from websetup.zip.exe
D:\FUN.ZIP.EXE
D:\girlfriends emails.zip.exe
D:\hook all sex movies from webssetup.zip.exe
E:\blood of fetch sex.zip.exe
E:\Messenger 9.00.ZIP.EXE
E:\real sex telephonesme.zip.exe

The worm creates auto-run registry values so that it is launched at every start of the operating system:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"system xp" = "%Windir%\acdsee demo.exe"
"windows" = "%Windir%\system\system copy.exe"

The worm also creates the following registry keys:

[HKEY_CURRENT_USER\Software\Kazaa\Transfer]
"StartKazaa -SilentRun" = "%ProgramFiles%\Kazaa\My Shared Folder\Shared"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares]
"Britny"

Spreading - e-mail

Addresses of potential victims are harvested from the MS Outlook address book.

Characteristics of infected e-mail messages

Each time the spreading routine runs, the worm sends two infected messages: one to its author and one to a potential victim.

Messages sent to the worm's author

  • Recipient address:
    mgasalgya_4ever@hotmail.com

  • Subject (one of the following):
    Sir new victem
    Egywormo give her sir email of victem
    

  • Body:
    Hi:sir i'm your server Egywormo[gen1] this is new victem 
    who has own outlook machine i caputre his contacts and go 
    there to infect them.... ok i'll go now and see you soon 
    when i infect more ......bibi sir 
    
    

Messages sent to potential victims

  • Subject (one of the following):
    Nicole kidman secrets 
    BRITNY SPEARS MARRAGE 
    Is Bnladen realy cow boy 
    To contact new friends 
    Chance for holyday 
    New version of kasper fire wall 
    SEXY FILES
    
  • Body (one of the following):
    Hi,this is secret files of Nicole Kidman contain her sexy photoes 
    in Florida,her credits ,part of her new film {Bn-laden days} and her 
    telephones numers with here email.....see it and replay us please 
    ..... it is very interesting secret files ..bibi
    
    Hi,this is secret files of Britny spears contain her 
    marrage photoes intexas,part of her marrage party and 
    her reactions about madona.....see it and replay us 
    please ..... it is very interesting secret files ..bibi
    
    Hi: mr or miss some amricans say befor 20 yrs Bnladen 
    was cow boy these photoes and parts of vidioes prove it 
    photos and vedioes in attachement file If u you want to 
    have anice holyday you must call us at this adress USA MITCHGEN and 
    we will give greate offer details in this attachment
    
    Hi:miss or mr you can contact new friends  all ever the world 
    deatails in attachmment file this is the new update and last 
    version of kasper fire wall it contains more and new advantages 
    This attachmment contain very hard sexy photos with part of 
    sexy films interest and replay us
    
    Hi;this is some photoes of Britney Spears marrage with Bnladen 
    son in flash file so if the winzip file not run you must 
    change the extention to exe to execute it
    
  • Attachment name:
    Britny spears marrage with Bnladensun.zip

Spreading - P2P networks and local networks

The worm copies itself into every accessible folder whose name contains the word "share". These copies may carry the following names:

Britny spears and Madona sex viedio in 24 min only.zip.exe 
Iraq war.zip.exe 
last messengers versions.zip.exe 
learn photo shop in 3 days only.zip.exe 
new cupied photos.zip.exe 
new girls emails with there phone numbers.zip.exe 
strong fire wall allover the world with thelast update of norton.zip.exe 
USA discvered water in mars yesterday.doc.zip.exe

In addition, the worm copies itself under the following names into the folder %ProgramFiles%\Kazaa\My Shared Folder\Shared:

)..zip.exe
[SWF] - Harry Potter and the philosophers
[SWF] - Swordfish.exe
[SWF] - The Fast and the Furious.zip.exe
3d msn version 10.1.zip.exe
3dstoudio.zip.exe
animal photos.zip.exe
anti virus.zip.exe
antibiotics.zip.exe
aol.zip.exe
autocade.zip.exe
big one in the world.zip.exe
Britny Spears.zip.exe
Cat attacks child.zip.exe
cocacola.zip.exe
Comedy video.zip.exe
computers in 2010.zip.exe
deutsh programs.zip.exe
Dracola.zip.exe
FBI secrets.zip.exe
fear.zip.exe
fire wall.zip.exe
FlashMovie.zip.exe
FOOTBALL IN ENGLAND.zip.exe
Game_Crack_Genie_v0.5.zip.exe
hack.zip.exe
hard core.zip.exe
huge sexy brests program v 1.7.00.zip.exe
i robot.zip.exe
lesbien.zip.exe
MacroMedia Flash 6.0.zip.exe
mirc.zip.exe
ms games.zip.exe
MsDos_PortScanner.zip.exe
new film.zip.exe
news paper.zip.exe
news.zip.exe
norton 2005.zip.exe
office 2005.zip.exe
pebsi.zip.exe
photo shop.zip.exe
scince of water.zip.exe
sex plus.zip.exe
Shockwave Flash.zip.exe
Simpsons Episode (#
songs.zip.exe
ssPamela_Anderson_(Naked Screen Saver).scr.exe
ssParis_Hilton_(Nude Screen Saver).scr.exe
stone.zip.exe
SWF.zip.exe
SWF_Movie.zip.exe
this files is very secret files.zip.exe
tourism.zip.exe
TOY 2006.zip.exe
Tutorial Video on Hacking.exe
USA secrets.zip.exe
viagra.zip.exe
Virtual_3D_Pinball.zip.exe
virus.zip.exe
visual basic projects.zip.exe
Win32System_Tweaks_v1.0.zip.exe
Wmplayer_Celebrity_Skins.zip.exe
wwf.zip.exe
xxl plus.zip.exe
XXX video.zip.exe
yahoo.zip.exe

The worm also copies itself under the following names to network shares:

admin$\system32\see this it is very intersting.zip.exe
C$\documment and settings\all users\documents\secret documents.zip.exe
C$\money generator very dengerous and secrt.zip.exe
C$\shared\my sallary every mmonth increaser.exe
C$\windows\system32\pass word of hotmail store.zip.exe
C$\winnt\systemm32\speial films links in net.zip.exe
ipc$\secret photoes from my chat.zip.exe
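The installation and persistence indicators above (dropped file names, the two Run values) and the P2P/network-share copies share one property a responder can key on: a PE EXE disguised behind a ".zip.exe", ".scr.exe" or ".doc.zip.exe" extension, dropped into Startup folders, folders named *share*, the Kazaa shared folder, or the admin$/C$/ipc$ shares. The following is an added triage example, not code from the original description; it matches exported host telemetry (file paths and Run-key values, formats assumed) against those indicators. The sample paths and registry values are constructed.

```python
"""Added triage example (not part of the original write-up): match host
telemetry against the indicators listed for Email-Worm.Win32.Salga.a.
The SAMPLE_* data below is constructed for the demo, not real telemetry."""
import ntpath
import re

# The worm hides a PE EXE behind an archive, screensaver or document
# extension: ".zip.exe", ".scr.exe", ".doc.zip.exe".
DISGUISED_EXT = re.compile(r"\.(zip|scr|doc)(\.zip)?\.exe$", re.IGNORECASE)

# Fixed file names the write-up attributes to the worm (the bait names vary).
KNOWN_DROPPED = {
    "egy~1.exe", "ana~1.exe", "acdsee demo.exe",
    "system copy.exe", "egywormo[gen1].exe",
}

# Run-key value name -> basename of its command, as listed in the write-up.
KNOWN_RUN_VALUES = {"system xp": "acdsee demo.exe", "windows": "system copy.exe"}

# Locations where a disguised executable is a strong signal: Startup folders,
# the Kazaa share, any folder named *share*, and the administrative shares.
SUSPICIOUS_DIRS = ("startup", "my shared folder", "share", "admin$", "c$", "ipc$")


def classify_path(path):
    """Return a reason string if the path matches a Salga.a indicator, else None."""
    name = ntpath.basename(path).lower()  # ntpath parses backslash paths on any OS
    if name in KNOWN_DROPPED:
        return "known dropped filename"
    if DISGUISED_EXT.search(name):
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            return "disguised executable in startup/share location"
        return "disguised executable (double extension)"
    return None


def scan_paths(paths):
    """Map each flagged path to the reason it was flagged."""
    hits = {}
    for p in paths:
        reason = classify_path(p)
        if reason:
            hits[p] = reason
    return hits


def scan_run_values(values):
    """values: {value name: command} exported from the CurrentVersion\\Run key.
    Flags the two values the worm creates, matching on the command's basename
    so that the expanded %Windir% does not matter."""
    hits = {}
    for name, cmd in values.items():
        base = ntpath.basename(cmd.strip('"')).lower()
        if KNOWN_RUN_VALUES.get(name.lower()) == base:
            hits[name] = cmd
    return hits


# Constructed sample telemetry (not real data).
SAMPLE_PATHS = [
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\egy~1.exe",
    r"C:\Program Files\Kazaa\My Shared Folder\Shared\norton 2005.zip.exe",
    r"\\fileserver\admin$\system32\see this it is very intersting.zip.exe",
    r"C:\Program Files\mIRC\mirc.exe",
    r"C:\Users\alice\Downloads\report.zip",
]
SAMPLE_RUN = {
    "system xp": r"C:\WINDOWS\acdsee demo.exe",
    "ctfmon.exe": "ctfmon.exe",
}

if __name__ == "__main__":
    for path, reason in scan_paths(SAMPLE_PATHS).items():
        print(f"{reason}: {path}")
    for name, cmd in scan_run_values(SAMPLE_RUN).items():
        print(f"suspicious Run value {name!r} -> {cmd}")
```

The double-extension check is the durable part: the bait names change between variants, but a ".zip.exe" written into a Startup folder or an administrative share is worth an alert regardless of the family. Matching the Run values on the command basename rather than the full string avoids misses when %Windir% expands to a different drive or path.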

Spreading - IRC channels

The worm modifies the scripts:

%ProgramFiles%\mIRC\script.ini
%ProgramFiles%\mIRC32\script.ini

which lets it send copies of itself to users who join an IRC channel on which the infected computer is present. The copy is sent under the name:

Britny spears marriage with Bnladen son.zip.exe

Additional functionality

The worm opens the following web pages on the infected computer:

http://a7meedye.jeeran.com/counter.htm 
www.hotmail.com 
www.hotmmail.com 
www.new chat.net 
http://www.originalicons.com/?oi=funnyphotos.php?emailfrom=mgasalgya_4ever@hotmail.com!pi%20c=woman.jpg#topofpage

Aliases

W32/Generic.a@MM (McAfee), W32.Salga.A@mm (Symantec), Win32.HLLW.Generic.95 (Doctor Web), WORM_SALGA.A (Trend Micro), Worm/Salga.A (H+BEDV), W32/Salga.A@mm (FRISK), Worm.Mydoom.AD (ClamAV), W32/Salga.A.worm (Panda), Win32/Salga.A (Eset)