W32.Beaker.A@mm
Friday, 03 June 2005
W32.Beaker.A@mm is a mass-mailing worm that sends a copy of itself by email and overwrites files on infected computers. When W32.Beaker.A@mm runs, it does the following:

Copies itself as the following:

%Windir%\Temp\[5 random lower-case characters].exe
%Windir%\System\[5 random lower-case characters].exe
%System%\[5 random lower-case characters].exe
%Windir%\Fonts\[5 random lower-case characters].exe


Notes:
%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).


Adds the values:

"[5 random lower-case characters]" = "%Windir%\System\[5 random lower-case characters].exe"
"[5 random lower-case characters]" = "%Windir%\system32\[5 random lower-case characters].exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs every time Windows starts.


Adds the values:

"[5 random lower-case characters]" = "%Windir%\Temp\[5 random lower-case characters].exe"
"[5 random lower-case characters]" = "%Windir%\Fonts\[5 random lower-case characters].exe"

to the registry key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs every time Windows starts.


Creates a file called %Windir%\Temp\6.log. This is a zip file that contains a copy of the worm.


Creates a file called %Windir%\codm. This is a base64-encoded copy of the zip file (%Windir%\Temp\6.log) mentioned in step 4.


Creates a file called %Windir%\cts2. This file contains email addresses collected from the computer.


Overwrites some files with the following text:

-=breaKer_CUk-
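The host-side artifacts listed in the steps above (five-lower-case-letter Run values pointing into %Windir% drop folders, and files overwritten with the marker text) can be checked with a short triage script. The code below is an added example, not part of the original write-up: the Run entries it scans are constructed samples, and the optional `read_run_keys_windows` helper uses Python's standard `winreg` module, so it only works when run on Windows.

```python
"""Triage helpers for the W32.Beaker.A@mm host artifacts described above.
Added example, not code from the original write-up."""
import re
import sys
from typing import Iterable, List, Tuple

# Indicator shapes taken from the write-up: value names and dropped file
# names are 5 random lower-case characters, placed in these %Windir% sub-folders.
RANDOM_NAME = re.compile(r"^[a-z]{5}$")
RANDOM_EXE = re.compile(r"^[a-z]{5}\.exe$")
DROP_DIRS = {"temp", "system", "system32", "fonts"}
OVERWRITE_MARKER = b"-=breaKer_CUk-"          # text the worm writes into overwritten files
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Entry = Tuple[str, str, str]   # (hive, value name, value data)


def is_beaker_run_value(name: str, data: str, windir: str = r"C:\Windows") -> bool:
    """True when a Run value matches the persistence pattern from the write-up:
    a 5 lower-case letter name whose data is <windir>\\<Temp|System|system32|Fonts>\\<5 lower-case>.exe"""
    if not RANDOM_NAME.match(name):
        return False
    path = data.strip().strip('"').replace("/", "\\").lower()
    prefix = windir.rstrip("\\").lower() + "\\"
    if not path.startswith(prefix):
        return False
    parts = path[len(prefix):].split("\\")
    return len(parts) == 2 and parts[0] in DROP_DIRS and RANDOM_EXE.match(parts[1]) is not None


def find_suspicious_entries(entries: Iterable[Entry], windir: str = r"C:\Windows") -> List[Entry]:
    """Keep only the Run entries that match the pattern above."""
    return [e for e in entries if is_beaker_run_value(e[1], e[2], windir)]


def has_overwrite_marker(content: bytes) -> bool:
    """True when file content begins with the marker the worm writes over files."""
    return content.lstrip().startswith(OVERWRITE_MARKER)


def read_run_keys_windows() -> List[Entry]:
    """Collect (hive, name, data) from both Run keys; Windows only (uses winreg)."""
    import winreg  # only importable on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries: List[Entry] = []
    for label, hive in hives.items():
        try:
            with winreg.OpenKey(hive, RUN_SUBKEY) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:      # no more values under this key
                        break
                    entries.append((label, name, str(data)))
                    i += 1
        except OSError:                  # key missing or access denied
            continue
    return entries


# Constructed sample Run entries (not taken from a real machine).
SAMPLE_ENTRIES: List[Entry] = [
    ("HKLM", "qwzxy", r"C:\Windows\System\qwzxy.exe"),        # shape of the HKLM step
    ("HKLM", "kdjfu", r"C:\Windows\system32\kdjfu.exe"),      # shape of the HKLM step
    ("HKCU", "mnopq", r"C:\Windows\Temp\mnopq.exe"),          # shape of the HKCU step
    ("HKCU", "ctfmon", r"C:\Windows\system32\ctfmon.exe"),    # benign: name is 6 letters
    ("HKLM", "abcde", r"C:\Program Files\Vendor\abcde.exe"),  # benign: not a %Windir% drop folder
]


def main() -> None:
    entries = read_run_keys_windows() if sys.platform == "win32" else SAMPLE_ENTRIES
    for hive, name, data in find_suspicious_entries(entries):
        print(f"suspicious Run value {hive}\\...\\Run\\{name} = {data}")
    print("marker check:", has_overwrite_marker(b"-=breaKer_CUk-"))


if __name__ == "__main__":
    main()
```

The pattern match is deliberately strict (exactly five lower-case letters, exactly one drop folder under %Windir%), so legitimate Run entries such as `ctfmon` or vendor software under Program Files are not flagged; pass `windir=r"C:\Winnt"` on NT/2000 layouts.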


Starts Internet Explorer with a JPEG image file located on the domain www.pornprone.com.


Sends itself to email addresses collected from the computer. The email has the following characteristics:

Subject:
(One of the following)

Re:FW:Es ist unmöglich, es soviel ...:P zu sein, es zu sehen
Re:FW:Besserer Idiot des Jahres, um es zu sehen
Re:FW:Die schlechtere Sache des Jahres, um es zu sehen
Re:FW:Was wir immer ... wollten:), um es zu sehen
Re:FW:Weil das wert ist, es zu sehen
Re:FW:Es gibt kein Leben ohne Tod ...: (, um es zu sehen
Re:FW:Preis!:D, um es zu sehen
Re:FW:Hilfe bitte!:), um es zu sehen
Re:FW:Besser Witz des Jahres:), um es zu sehen
Re:FW:Besseres Foto des Jahres;), um es zu sehen
Re:FW:É impossível sê-lo tanto... :P, vê-lo
Re:FW:O mas idiota, vê-lo
Re:FW:O pior do ano, vê-lo
Re:FW:O que sempre quisemos... :). vê-lo
Re:FW:Pois vale. vê-lo
Re:FW:Não há vida sem morte... :(, vê-lo
Re:FW:Prêmio!!!! :D, vê-lo
Re:FW:Ajuda a ajudar-te... :), vê-lo
Re:FW:Melhor anedota do ano :),vê-lo
Re:FW:Melhor Foto do ano ;), vê-lo
Re:FW:impossibile a sia tanto... :P, vederlo
Re:FW:Idiot migliore dell'anno, vederlo
Re:FW:La cosa pi?ettosa dell'anno, vederla
Re:FW:Che cosa abbiamo desiderato sempre... :), vederli
Re:FW:(none)
Re:FW:Non c'è vita senza morte... :(, vederla
Re:FW:Premio! :D, vederlo
Re:FW:Sussidio per favore! :), per vederlo
Re:FW:Scherzo migliore dell'anno:), per vederlo
Re:FW:Foto migliore dell'anno;), per vederla
Re:FW:It is impossible to be it as much... :P, to see it
Re:FW:Better idiot of the year, to see it
Re:FW:The worse thing of the year, to see it
Re:FW:What we always wanted...:), to see it
Re:FW:Because it is worth ,to see it
Re:FW:There is no life without death... :(, to see it
Re:FW:Prize! :D, to see it
Re:FW:Aid please! :), to see it
Re:FW:Better joke of the year:), to see it
Re:FW:Better Photo of the year;), to see it
Re:FW:Il est impossible d'être cela tant de ...:P, le voir
Re:FW:Le meilleur idiot de l'année, pour le voir
Re:FW:La chose plus mauvaise de l'année, pour le voir
Re:FW:Ce que nous voulions toujours... :), pour le voir
Re:FW:Parce qu'il vaut, le voir
Re:FW:Il n'y a aucune vie sans mort... : (, pour le voir
Re:FW:Prix! :D, pour le voir
Re:FW:Aide s'il vous plait! :), pour le voir
Re:FW:Mieux plaisanterie de l'année :), pour le voir
Re:FW:Meilleure Photo de l'année;), pour le voir
Re:FW:Es imposible serlo tanto... :P, miralo
Re:FW:Mejor chorrada del año, miralo
Re:FW:Lo peor del año, miralo
Re:FW:Lo que siempre quisimos... :). miralo
Re:FW:Pues vale. miralo
Re:FW:No hay vida sin muerte... :(, miralo
Re:FW:Premio!!!! :D, miralo
Re:FW:Ayudame a ayudarte... :), miralo
Re:FW:Mejor chiste del año :),miralo
Re:FW:Mejor Foto del año ;), miralo


Message body:
(One of the following)

Kaspersky-Antivirus.
Kein Virus Gefundenes
State:Ok

Symantec-Antivirus.
Noo Vyrus.
State:Ok

Symantec-Antivirus.
Nessun Virus Found.
State:Ok

Kaspersky-Antivirus.
No Virus Found.
State:Ok

F-Secure-Antivirus.
Aucun Virus Constaté
State:Ok

Panda ActiveScan-Antivirus.
No se encontraron virus.
Estado:Ok


Attachment:
A zip file containing a copy of the worm. The file will have one of the following names:

Eskannnichtsein.zip
Kielraum2004.zip
Schlechter2004.zip
Daswarniewie das.zip
tatAutos.zip
Heiligtum.zip
ck.zip
Witz2004.zip
Foto2004.zip
opodeser.zip
tonto2004.zip
pior2004.zip
nuncafoiassim.zip
explodecarros.zip
metocou.zip
felicidade.zip
anedota2004.zip
foto2004.zip
stupido2004.zip
Peggiore2004.zip
utilizzadelleautomobili.zip
Santuario.zip
Lhotoccato.zip
Scherzo2004.zip
Itcannotbe.zip
Bilge2004.zip
Worse2004.zip
Itwasneverlikethat.zip
exploitscars.zip
Sanctuary.zip
Ihavetouched it.zip
Happiness.zip
Joke2004.zip
photo2004.zip
Renflement2004.zip
Plusmauvais2004.zip
Exploitedesvoitures.zip
Sanctuaire.zip
Bonheur.zip
Plaisanterie2004.zip
Photo2004.zip
nopuedeser.zip
pegote2004.zip
peor2004.zip
jamasfueasi.zip
rebientacoches.zip
santuario.zip
mehatocado.zip
felicidad.zip
chiste2004.zip
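The message format described above has three traits that travel together: a subject beginning with "Re:FW:", a three-line body imitating an antivirus scan report that ends in "State:Ok" (or "Estado:Ok"), and a zip attachment. The script below is an added example, not part of the original write-up, showing how a mail-gateway filter could score those traits on a parsed message; it builds its own constructed sample messages with Python's standard `email` package, and the placeholder zip bytes are not a real archive. `KNOWN_ZIP_NAMES` holds only a subset of the attachment names listed above.

```python
"""Mail-side indicators for the W32.Beaker.A@mm message format described above.
Added example, not code from the original write-up."""
import re
from email.message import EmailMessage
from typing import List

SUBJECT_RE = re.compile(r"^Re:FW:", re.IGNORECASE)
# Body template from the write-up: "<Product>-Antivirus." / "<no-virus line>" / "State:Ok"
STATUS_RE = re.compile(r"^(State|Estado):\s*Ok$", re.IGNORECASE)
# Subset of the attachment names listed in the write-up.
KNOWN_ZIP_NAMES = {n.lower() for n in (
    "Happiness.zip", "Joke2004.zip", "Foto2004.zip",
    "Itcannotbe.zip", "Sanctuary.zip", "Witz2004.zip",
)}


def body_looks_like_fake_av_report(text: str) -> bool:
    """True for a three-line body shaped like the fake scan reports above."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    return (len(lines) == 3
            and lines[0].endswith("-Antivirus.")
            and STATUS_RE.match(lines[2]) is not None)


def beaker_indicators(msg: EmailMessage) -> List[str]:
    """Return the names of the write-up's message traits present in msg."""
    hits: List[str] = []
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        hits.append("subject-prefix")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body_looks_like_fake_av_report(body.get_content()):
        hits.append("fake-av-body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            hits.append("zip-attachment")
            if name in KNOWN_ZIP_NAMES:
                hits.append("known-attachment-name")
    return hits


def is_beaker_like(msg: EmailMessage) -> bool:
    """All three structural traits together match what the write-up describes."""
    return {"subject-prefix", "fake-av-body", "zip-attachment"} <= set(beaker_indicators(msg))


def build_sample(subject: str, body: str, attachment_name: str) -> EmailMessage:
    """Construct a test message; the zip bytes are a placeholder, not a real archive."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"PK\x03\x04 constructed placeholder",
                       maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg


# Constructed samples: one shaped like the worm's mail, one ordinary message with a zip.
WORM_LIKE = build_sample("Re:FW:Prize! :D, to see it",
                         "Kaspersky-Antivirus.\nNo Virus Found.\nState:Ok",
                         "Happiness.zip")
BENIGN = build_sample("Quarterly figures",
                      "Hi,\nthe spreadsheet is attached.\nRegards",
                      "figures.zip")

if __name__ == "__main__":
    for label, m in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, beaker_indicators(m), is_beaker_like(m))
```

Scoring on the combination of traits rather than on the subject list alone keeps the rule usable against the many subject variants above, while a lone zip attachment, as in the benign sample, is not enough to trigger it.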

