W32.Loxbot.D
Saturday, 07 January 2006
W32.Loxbot.D is a worm that opens a back door on the compromised computer, allowing a remote attacker to issue various commands, and spreads through AOL Instant Messenger. The worm also uses rootkit capabilities to hide its process in memory.

Type: Worm
Infection Length: 43,520 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Damage

Payload Trigger: n/a
Payload: Opens a back door and allows a remote attacker to have unauthorized access to the compromised computer.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: Propagation may degrade network performance and resources.
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: Ends services that may be security related.
Distribution

Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: TCP port 1751
Shared drives: n/a
Target of infection: AOL Instant Messenger


When W32.Loxbot.D is executed, it performs the following actions:


Copies itself as %System%\lockbar.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Adds the value:

"freexstyle" = "lockbar.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.


Modifies the value:

"EnableFirewall" = "0"

in the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

to disable the Windows Firewall.


Drops and executes the file C:\xz.bat to disable the following services:


Windows Security Center
SharedAccess
Windows Firewall/Internet Connection Sharing (ICS)


Installs the driver %System%\msdirectx.sys (detected as Hacktool.Rootkit).


Creates a service for the driver with the following properties:

Service Name: msdirectx
Display Name: msdirectx


Opens a back door and contacts the IRC server irc.q8devils.com through TCP port 1751, allowing a remote attacker to perform any of the following actions:


Disconnect or reconnect to the server
Download and execute files
Flush DNS cache
Generate a new random nickname
Update itself with a new version of the worm


Sends a link that contains a copy of the worm to all the online AOL Instant Messenger contacts on the compromised computer.

To delete the value from the registry:

Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value:

"freexstyle" = "lockbar.exe"


Exit the Registry Editor.
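As an added example (not code from this advisory), a read-only PowerShell check for the indicators the advisory lists: the dropped files, the "freexstyle" autorun value in the three Run keys, the EnableFirewall policy value, the msdirectx service entry, and activity on TCP port 1751. It assumes Windows PowerShell on the host being examined; the function name and output format are the example's own, and it only reports, leaving removal to the manual steps above.

```powershell
# Added example, not part of the original advisory: read-only check for the
# W32.Loxbot.D indicators described above. Reports findings; changes nothing.
function Test-LoxbotIndicators {
    $found = @()

    # Dropped files: the worm copy and rootkit driver in %System%, plus the batch file
    $sysDir = [Environment]::GetFolderPath('System')
    foreach ($name in 'lockbar.exe', 'msdirectx.sys') {
        $path = Join-Path $sysDir $name
        if (Test-Path -LiteralPath $path) { $found += "file present: $path" }
    }
    if (Test-Path -LiteralPath 'C:\xz.bat') { $found += 'file present: C:\xz.bat' }

    # Autorun value "freexstyle" = "lockbar.exe" in the three Run keys
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $v = Get-ItemProperty -Path $key -Name 'freexstyle' -ErrorAction SilentlyContinue
        if ($v) { $found += "autorun value: $key\freexstyle = $($v.freexstyle)" }
    }

    # Windows Firewall policy forced off (EnableFirewall = 0 in StandardProfile)
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $fw = Get-ItemProperty -Path $fwKey -Name 'EnableFirewall' -ErrorAction SilentlyContinue
    if ($fw -and $fw.EnableFirewall -eq 0) { $found += "EnableFirewall = 0 under $fwKey" }

    # Service entry for the msdirectx driver (Get-Service omits kernel drivers, so read the SCM key)
    if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\msdirectx') {
        $found += 'service registered: msdirectx'
    }

    # Live connection on the back-door port (TCP 1751); netstat is available on every listed OS
    $conn = netstat -ano | Select-String ':1751\s'
    if ($conn) { $found += "TCP 1751 activity: $($conn -join '; ')" }

    return $found
}

$hits = @(Test-LoxbotIndicators)
if ($hits.Count -eq 0) { 'No W32.Loxbot.D indicators found.' }
else { $hits | ForEach-Object { "INDICATOR  $_" } }
```

A hit on the Run keys or the msdirectx service key after cleaning indicates the worm re-established persistence and the process is likely still running under the rootkit driver.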