W32.Allim.A
Wednesday, 27 April 2005
W32.Allim.A is a worm that spreads a variant of the W32.Spybot.Worm through America Online Instant Messenger (AIM).

Type: Worm

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Allim.A is executed, it performs the following actions:



Sends the following message to all the AIM contacts on the compromised computer:

Body: hey check out this!


Notes:
Where "this!" is a link to the URL: http:/ /adw[domain removed]eo.com/gallery/pictures.php
A recipient must click on the link "this!", download the file [email address], and then execute the file.
The file is downloaded as [email address] (the default email address as set in Internet Explorer) and is a variant of W32.Spybot.Worm.


Copies the W32.Spybot.Worm variant as %System%\winimsg.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Adds the value:

"Windows iMessenger Messenger" = "winimsg.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

so that the W32.Spybot.Worm variant runs every time Windows starts.


Modifies the values:

"DisableRegistryTools" = "0x31"
"DisableTaskMgr" = "0x31"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

so that the registry editing tools and task manager are disabled.

The W32.Spybot.Worm variant can perform any of the following actions:

Open a back door on the compromised computer allowing a remote attacker to have unauthorized access.
Attempt to terminate processes and services.
Use the compromised computer as a traffic relay or proxy.

To delete the value from the registry
Click Start > Run.
Type regedit
Click OK.


Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

In the right pane, delete the value:

"Windows iMessenger Messenger" = "winimsg.exe"

Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

In the right pane, delete the value:

"DisableRegistryTools" = "0x31"
"DisableTaskMgr" = "0x31"

Exit the Registry Editor.
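The registry changes described above and the manual removal steps can be checked and undone from an elevated PowerShell prompt. The script below is an added example, not part of the original advisory or any vendor tool: it looks for the autostart value in each listed subkey, the two policy values that disable regedit and Task Manager, and the dropped file, and with -Remove deletes the registry values exactly as the steps above do. It assumes the NT-family %System% path (System32) and the value and file names as listed in the advisory.

```powershell
# Added example (not from the advisory): report W32.Allim.A persistence
# entries; delete the registry values only when -Remove is given.
param([switch]$Remove)

$runValueName = 'Windows iMessenger Messenger'          # value name from the advisory
$runSubkeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\OLE',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
)
$policyKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyValues = @('DisableRegistryTools', 'DisableTaskMgr')
# Assumption: NT-family System folder; on 95/98/Me it would be %SystemRoot%\System
$dropper = Join-Path $env:SystemRoot 'System32\winimsg.exe'

$findings = @()

# Autostart value written to each of the six subkeys
foreach ($key in $runSubkeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$runValueName]) {
        $findings += "$key : '$runValueName' = $($item.$runValueName)"
        if ($Remove) { Remove-ItemProperty -Path $key -Name $runValueName }
    }
}

# Policy values that disable the registry editing tools and Task Manager
if (Test-Path $policyKey) {
    $item = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    foreach ($name in $policyValues) {
        if ($item -and $item.PSObject.Properties[$name]) {
            $findings += "$policyKey : '$name' = $($item.$name)"
            if ($Remove) { Remove-ItemProperty -Path $policyKey -Name $name }
        }
    }
}

# Dropped copy of the W32.Spybot.Worm variant; reported only, so that a
# running process can be stopped and the file handled by the AV product
if (Test-Path $dropper) { $findings += "File present: $dropper" }

if ($findings.Count -eq 0) { 'No W32.Allim.A indicators found.' } else { $findings }
```

Run it once without -Remove to review what it finds, then with -Remove to delete the registry values; reboot afterwards so nothing restarts from the cleared autostart entries.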