Win32.HLLM.Graz.based

(W32/Feebs!rootkit, System error, TrojanDropper:Win32/Dunik!rts, TR/Crypt.XPACK.Gen, Worm.Win32.Feebs.lq, Worm:Win32/Feebs.gen!dll, Cryp_Upack, Trojan.Generic.74013, Worm/Feebs.IA, Worm/Feebs.GY, Worm.Win32.Feebs.a, Worm.Win32.Feebs.mi, Worm/Feebs.GA, TROJ_AGENT.OC, Worm/Feebs.BX.1, TROJ_HUPIGON.AVY, WORM_FEEBS.GE, JS/Kmax.1, Win32.Worm.Feebs.IC, Dropped:Trojan.Agent.Small.SVX, TrojanDownloader:Win32/Small.gen!M, WORM_FEEBS.IS, Backdoor.Bot.8886, TROJ_Generic.DIS, Worm.Win32.Feebs.V, Worm/Feebs.FE)

Virus description added:

Description:

Win32.HLLM.Graz – mass mailing worm

Spreading:

1. Via e-mail, as a message with a zip-file attachment. Example of the message text:

ID: 25747 Password: qeopgelhk

Keep your password in a safe place and under no circumstances give it to ANYONE.

Protected Mail and instruction is attached. Best Regards,
Protected Mail System,
MSN.com

  • The attached zip archive has one of the following names: msg.zip
    message.zip
    data.zip
    mail.zip
  • The archive contains an .hta file holding the encrypted worm body. The file name is composed of two randomly selected words: the first is "Encrypted", "Protected", "Secure" or "Extended", the second is "Mail", "E-Mail", "Message" or "Html". When this file is opened, COMMAND.EXE is dropped into the root of drive C: and executed. A window then appears immediately asking for the ID or the password.
  • 2. Via ICQ

    It sniffs the traffic on the infected computer and captures the UIN and password, then retrieves the contact list for that UIN. Users on the contact list receive messages containing a link to hxxp://popcapfree.t35.com/. That page offers a download of a "universal key gun for PopCap games".

  • Possible message text:
    PopCap deluxe games absolutely free
    you like PopCap deluxe games?Play them free and no limited
    PopCap deluxe games without limit
    I see your drive C:
    you a hacked, look!
    this is your local drives?not a joke:))
  • 3. An HTTP server is started on the infected computer.
    Any attempt to download something from it returns the worm body in .hta format; depending on the type of file requested, it may also be packed as a .zip archive.

  • Virus loading

    When run, the worm copies its body to the %SystemRoot%\System32 folder under the name ms??.exe and drops an ms??32.dll file into the same folder. To make its copy start automatically, the dropped DLL is registered in the registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

    Actions

    It sniffs traffic on specific ports and dissects the transmissions according to their protocol to extract passwords (telnet, smtp, pop3, ftp, icq, irc, ...).
    This information is later used for further spreading: for instance, sending messages over ICQ on behalf of the user to the whole contact list, or infecting websites that happen to be updated through FTP from the infected machine. Contains functionality for controlling the WebMoney Keeper program. Blocks access to sites whose names contain the following substrings:

    fsi
    vcatch
    feste
    norton
    resplendence
    softwin
    filseclab
    ntivi
    una
    panda
    free-av
    numentec
    adware
    trojan
    freeav
    phx.corporate-ir
    alwil
    agnitum
    frsirt
    secu
    avg
    altn
    gdata.de
    sina
    grisoft
    antiy
    grisoft
    skynet
    bitdef
    anvir
    iavs
    softbase
    clam
    asw
    iss
    sophos
    hbedv
    atdmt
    kasper
    spam
    esafe
    atwola
    lavasoft
    stocona
    aladdin
    avast
    mcafee
    symantec
    quickhea
    avp
    messagel
    trendmicro
    avgate
    awaps
    microsoft
    update
    tds3
    bitdefender
    msn
    viru
    onecare
    ca.com
    my-etrust
    webroot
    ahnlab
    drweb
    nai.com
    haker
    vnunet
    eset
    networkass
    spy
    virdet
    vnunet
    nod32
    itsafe
    avinfo
    fbi
    norman

  • The same list is used to block network access entirely for applications matched by name.
  • Terminates services and deletes their information from the registry. It also deletes from disk files whose names contain the following substrings:

    zonealarm
    dpf
    spfirewallsvc
    zapro
    xfilter
    sppfw
    ca
    leviathantrial
    kavpf
    vsmon
    looknstop
    sspfwtry2
    zlclient
    mpftray
    keypatrol
    pavfnsvr
    netlimiter
    s-wall
    avgcc
    npgui
    smc
    fsdfwd
    npfsvice
    umxtray
    dfw
    npfmsg
    persfw
    fireballdta
    npfc
    pccpfw
    fbtray
    ccapp
    tzpfw
    goldtach
    ccsetmgr
    xeon
    ipcserver
    ccevtmgr
    bullguard
    aws
    ccproxy
    bgnewsui
    jammer
    symlcsvc
    fw
    armorwall
    sndsrvc
    fwsrv
    armor2net
    opfsvc
    iamapp
    opf
    iamserv
    ipatrol
    blackd
    spfw

  • The worm contains several similar lists. Besides firewalls they cover antivirus products, protection programs (anti-keyloggers, anti-Trojans, etc.), session monitors and so on.

    P2P-worm function.

    Into folders whose names contain "download", "upload", "incom" or "share" it drops .zip archives with the following names:

    ICQ_2006
    winamp_5.2
    3dsmax_9_(3D_Studio_Max)
    ACDSee_9
    Adobe_Photoshop_10_(CS3)
    Adobe_Premiere_9_(2.0_pro)
    Ahead_Nero_8
    DivX_7.0
    Internet_Explorer_7
    Kazaa_4
    Microsoft_Office_2006
    Longhorn
    each of which contains a copy of the worm as websetup.exe.

    By hooking system API functions, the worm hides its process in memory and its files on disk.
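The spreading and persistence indicators given above (the mail-lure attachment names, the HTA file-name scheme, COMMAND.EXE in the drive root, the ms??.exe / ms??32.dll drops in System32 with the ShellServiceObjectDelayLoad autorun, and the P2P bait archives) collected into a small triage matcher. This is an added example written for this page; it is not Dr.Web code or a Dr.Web tool. It assumes a separator between the two words of the HTA name (the description does not give one), that the two unknown characters in ms??.exe / ms??32.dll can be anything, and uses constructed sample paths and registry entries ("msqx", "SysMon", "webcheck.dll" and the user "bob" are made up for the sample).

```python
import re
from pathlib import PureWindowsPath

# Mail lure: zip attachment names given in the description.
MAIL_ATTACHMENTS = {"msg.zip", "message.zip", "data.zip", "mail.zip"}

# HTA lure: one word from each group. The separator between the words (none,
# space, '_' or '-') is an assumption; the description does not say.
HTA_NAME = re.compile(
    r"^(encrypted|protected|secure|extended)[ _-]?(mail|e-mail|message|html)\.hta$",
    re.IGNORECASE,
)

# Dropped copies in %SystemRoot%\System32: ms??.exe and ms??32.dll ('?' = any char).
DROPPED_EXE = re.compile(r"^ms..\.exe$", re.IGNORECASE)
DROPPED_DLL = re.compile(r"^ms..32\.dll$", re.IGNORECASE)
SSODL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# P2P bait: folder-name markers and archive names from the description.
P2P_FOLDER_MARKERS = ("download", "upload", "incom", "share")
P2P_BAIT_ARCHIVES = {
    "ICQ_2006", "winamp_5.2", "3dsmax_9_(3D_Studio_Max)", "ACDSee_9",
    "Adobe_Photoshop_10_(CS3)", "Adobe_Premiere_9_(2.0_pro)", "Ahead_Nero_8",
    "DivX_7.0", "Internet_Explorer_7", "Kazaa_4", "Microsoft_Office_2006", "Longhorn",
}

def is_hta_lure(name: str) -> bool:
    return HTA_NAME.match(name) is not None

def classify_path(path: str) -> list[str]:
    """Return the indicator tags that one observed file path matches."""
    p = PureWindowsPath(path)
    name = p.name
    parents = [part.lower() for part in p.parent.parts]
    tags: list[str] = []
    if name.upper() == "COMMAND.EXE" and p.drive and len(p.parts) == 2:
        tags.append("hta-dropper-command.exe")  # dropped to the root of the drive
    if "system32" in parents:
        if DROPPED_EXE.match(name):
            tags.append("system32-ms??.exe")
        if DROPPED_DLL.match(name):
            tags.append("system32-ms??32.dll")
    in_share_dir = any(m in part for part in parents for m in P2P_FOLDER_MARKERS)
    if p.suffix.lower() == ".zip" and p.stem in P2P_BAIT_ARCHIVES and in_share_dir:
        tags.append("p2p-bait-archive")
    if is_hta_lure(name):
        tags.append("hta-lure")
    return tags

def suspicious_ssodl(entries: dict[str, str]) -> list[str]:
    """SSODL values hold CLSIDs, not paths: the caller resolves each CLSID's
    InprocServer32 and passes {value_name: dll_path}. Flag ms??32.dll targets."""
    return [v for v, dll in entries.items() if DROPPED_DLL.match(PureWindowsPath(dll).name)]

def triage(paths, ssodl_entries, attachments) -> dict[str, list[str]]:
    """Collect every indicator hit from host paths, SSODL entries and attachments."""
    findings: dict[str, list[str]] = {}
    for path in paths:
        if tags := classify_path(path):
            findings[path] = tags
    for value in suspicious_ssodl(ssodl_entries):
        findings[SSODL_KEY + "\\" + value] = ["ssodl-autorun-ms??32.dll"]
    for att in attachments:
        if att.lower() in MAIL_ATTACHMENTS:
            findings[att] = ["mail-lure-attachment"]
    return findings

def corroborated(findings: dict[str, list[str]]) -> bool:
    """ms??.exe also matches legitimate binaries (msdt.exe, msra.exe), so call the
    host confirmed only when an SSODL autorun targets a ms??32.dll that is on disk."""
    tags = {t for ts in findings.values() for t in ts}
    return {"ssodl-autorun-ms??32.dll", "system32-ms??32.dll"} <= tags

# Constructed sample data; "msqx" stands in for the two unknown characters.
SAMPLE_PATHS = [
    r"C:\COMMAND.EXE",
    r"C:\Windows\System32\msqx.exe",
    r"C:\Windows\System32\msqx32.dll",
    r"C:\Windows\System32\msdt.exe",        # legitimate; shows the pattern's weakness
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\bob\Downloads\Kazaa_4.zip",
    r"C:\Users\bob\Documents\Kazaa_4.zip",  # same name outside a share folder
    r"C:\Temp\Protected Mail.hta",
]
SAMPLE_SSODL = {
    "WebCheck": r"C:\Windows\System32\webcheck.dll",  # normal shell object
    "SysMon": r"C:\Windows\System32\msqx32.dll",      # constructed worm entry
}

if __name__ == "__main__":
    hits = triage(SAMPLE_PATHS, SAMPLE_SSODL, ["msg.zip", "report.zip"])
    for item, tags in hits.items():
        print(item, "->", ", ".join(tags))
    print("corroborated infection:", corroborated(hits))
```

Run as a script to print the hits on the sample data. Two caveats matter in practice: ms??.exe is a weak pattern on its own (legitimate msdt.exe and msra.exe match it), which is why corroborated() requires the SSODL autorun plus a matching DLL on disk before calling a host infected; and SSODL values store CLSIDs, so on a real host each CLSID's InprocServer32 path has to be resolved before it is passed to suspicious_ssodl().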

    System Recovery References
    1. Boot Windows in Safe Mode.
    2. Scan the computer with Dr.Web® Scanner or the free utility Dr.Web® CureIt!. Apply the "Delete" action to all files found.