
W32.Nodmin@mm
Sunday, 23 January 2005
W32.Nodmin@mm is a mass-mailing worm that alters computer settings and spreads via file sharing networks. The worm also attempts to lower security settings by terminating and disabling various anti-virus and security related programs.

This threat is written in Visual Basic.

Type: Worm

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Nodmin@mm is executed, it performs the following actions:



Displays an alert box with the following message:

The file is either in unknow format or damaged!


Copies itself to:


%System%\kbdbg.exe
%System%\gHacKeR$.exe
%System%\mymind.exe
%System%\open.exe
%System%\Q-We are the champions.exe
%System%\Microsoft SuxX.exe
%Windows%\winserv.ila
C:\free01.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\sservice.ila
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lservice.exe

Notes:
%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windows% (also written %Windir%) is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).


Adds the value:

"Winserv" = "%Windows%\Winserv.ila"

to the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

so that it runs every time Windows starts.


Adds the values:

"System" = "%Windows%\Winserv.ila"
"LegalNoticeCaption" = ":: My Message :""
"LegalNoticeText" = "FREE THE BULGARIAN MEDICS IN LIBYA"

to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

so that it runs every time Windows starts.


Downloads and executes Trojan.Mindos from the following domain:

http:/ /freewebs.com/tornadotm/


Terminates the following antivirus software and other security processes:


AckWin32.EXE
ADVXDWIN.EXE
AGENTSVR.EXE
agentw.EXE
AMON9X.EXE
ANTI-TROJAN.EXE
ANTIVIRUS.EXE
ANTS.EXE
APIMONITOR.EXE
APVXDWIN.exe
ATRO55EN.EXE
AVENGINE.exe
AVGSERV.EXE
AVGSERV9.EXE
AVGUARD.EXE
AVGW.EXE
avkpop.EXE
AvkServ.EXE
avkservice.EXE
avkwctl9.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
avpm.EXE
Avsched32.EXE
AVXMONITORNT.EXE
AVXQUAR.EXE
ccProxy.exe
cmd.com
command.com
firewall.exe
Flashget.exe
FP-WIN_TRIAL.EXE
FRW.EXE
fsaa.EXE
FSAV.EXE
fsav32.EXE
FSAV530STBYB.EXE
FSAV95.EXE
fsgk32.EXE
fsm32.EXE
hl.exe
iexplore.exe
IFACE.EXE
JAMMER.EXE
JEDI.EXE
Kaiowas.exe
KAVPF.EXE
KERIO-PF-213-EN-WIN.EXE
KILLPROCESSSETUP161.EXE
LDNETMON.EXE
LDPRO.EXE
LDPROMENU.EXE
LDSCAN.EXE
LOCALNET.EXE
LOCKDOWN.EXE
lockdown2000.EXE
LSETUP.EXE
LUALL.EXE
LUAU.EXE
LUCOMSERVER.EXE
LUINIT.EXE
LUSPT.EXE
MCAGENT.EXE
MCUPDATE.exe
mirc.exe
Monitor.EXE
MOOLIVE.EXE
MPFAGENT.EXE
MPFSERVICE.EXE
MPFTRAY.EXE
MRFLUX.EXE
MSCONFIG.EXE
MSINFO32.EXE
MSSMMC32.EXE
MU0311AD.EXE
MWATCH.EXE
NAV80TRY.EXE
navapsvc.exe
NAVAPSVC.EXE
navapw32.exe
NAVAPW32.EXE
NAVDX.EXE
NAVLU32.EXE
NAVSTUB.EXE
Navw32.EXE
NAVWNT.EXE
NC2000.EXE
NCINST4.EXE
NDD32.EXE
NEOMONITOR.EXE
NeoWatchLog.EXE
nero.exe
NETARMOR.EXE
NETINFO.EXE
NETMON.EXE
NETSCANPRO.EXE
NETSPYHUNTER-1.2.EXE
NETSTAT.EXE
NORMIST.EXE
notepad.exe
notstart.EXE
NPFMESSENGER.EXE
NPROTECT.EXE
npscheck.EXE
NPSSVC.EXE
NSCHED32.EXE
ntrtscan.EXE
NTVDM.EXE
NTXconfig.EXE
Nui.EXE
NUPGRADE.exe
Nupgrade.EXE
NVARCH16.EXE
NVC95.EXE
nvsvc32.EXE
NWINST4.EXE
NWService.EXE
NWTOOL16.EXE
OSTRONET.EXE
OUTPOST.EXE
OUTPOSTINSTALL.EXE
panda.exe
pavProxy.exe
pavsrv50.exe
pccwin97.EXE
PCCWIN98.EXE
PCDSETUP.EXE
PCFWALLICON.EXE
PCIP10117_0.EXE
pcscan.EXE
PDSETUP.EXE
PERISCOPE.EXE
PERSFW.EXE
PERSWF.EXE
PF2.EXE
PFWADMIN.EXE
PINGSCAN.EXE
PLATIN.EXE
POP3TRAP.EXE
POPROXY.EXE
POPSCAN.EXE
PORTDETECTIVE.EXE
PORTMONITOR.EXE
PPINUPDT.EXE
PPVSTOP.EXE
PROTECTX.EXE
PSPF.EXE
PURGE.EXE
QCONSOLE.EXE
QSERVER.EXE
rapapp.EXE
RAV7.EXE
SWEEPSRV.SYS
SWNETSUP.EXE
SymProxySvc.EXE
SYMTRAY.EXE
SYSEDIT.EXE
TASKMON.EXE
TAUMON.EXE
TC.EXE
TDS-3.EXE
TFAK.EXE
TFAK5.EXE
TITANIN.EXE
toolkit.exe
winamp.exe
word.exe
ZATUTOR.EXE
ZONALM2601.EXE
ZONEALARM.EXE


Adds the following lines to the Hosts file (%System%\drivers\etc\hosts) and to a file called C:\WINNT\hosts, preventing communication with some network security sites:


127.0.0.1 www.avp.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.symantec.com
127.0.0.1 networkassociates.com
127.0.0.1 secure.nai.com
127.0.0.1 sophos.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.networkassociates.com
127.0.0.1 us.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 avp.com
127.0.0.1 www.sophos.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 mast.mcafee.com
127.0.0.1 www.nai.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 kaspersky.com
127.0.0.1 mtel.bg
127.0.0.1 data.bg
127.0.0.1 google.com
127.0.0.1 www.trendmicro.com
127.0.0.1 viruslist.ru
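
A check for this hosts-file tampering, as an added example that is not code from the write-up: it parses hosts text, flags entries that point one of the vendor domains listed above (or any of their subdomains) at a loopback or unspecified address, and returns the file with those lines removed. The sample hosts content is constructed; the function names are my own.

```python
"""Detect and strip the hosts-file entries W32.Nodmin@mm adds (security-vendor
sites pointed at 127.0.0.1). Added example, not from the write-up; SAMPLE is constructed."""
import ipaddress

# Registrable domains taken from the list above; subdomains match too.
VENDOR_DOMAINS = {
    "avp.com", "viruslist.com", "viruslist.ru", "symantec.com", "symantecliveupdate.com",
    "networkassociates.com", "nai.com", "mcafee.com", "sophos.com", "kaspersky-labs.com",
    "kaspersky.com", "f-secure.com", "ca.com", "my-etrust.com", "trendmicro.com",
}

def is_sinkhole(addr):
    """True for loopback (127.x, ::1) or 0.0.0.0, the addresses used to black-hole a host."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def matches_vendor(host):
    """Case-insensitive match against VENDOR_DOMAINS or any of their subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def find_hijacked(hosts_text):
    """Return (line_number, line) for entries that sinkhole a vendor host.
    Blank lines and '#' comments are skipped; tabs and spaces both separate fields."""
    hits = []
    for n, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and is_sinkhole(fields[0]) \
                and any(matches_vendor(h) for h in fields[1:]):
            hits.append((n, raw))
    return hits

def clean_hosts(hosts_text):
    """Hosts text with hijacked lines removed; localhost, comments and other mappings stay."""
    bad = {n for n, _ in find_hijacked(hosts_text)}
    kept = [l for n, l in enumerate(hosts_text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"

SAMPLE = """# constructed sample, not a captured file
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 downloads2.kaspersky-labs.com
0.0.0.0\tliveupdate.symantecliveupdate.com   # tab-separated variant
10.0.0.5  intranet.example
"""
```

find_hijacked(SAMPLE) reports lines 3 to 5; clean_hosts(SAMPLE) returns the file with only those lines removed.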


Changes the registry keys for the following extensions, so there is no application associated with them.

HKEY_CLASSES_ROOT\[extension]\(default) = ""


.ade
.adp
.bas
.bat
.chm
.cmd
.com
.cpl
.crt
.dll
.exe
.hlp
.hta
.isp
.js
.jse
.lnk
.ila
.mdb
.mde
.msc
.msi
.msp
.mst
.ocx
.pcd
.pif
.pot
.ppt
.reg
.scr
.sct
.shb
.shs
.sys
.url
.vb
.vbe
.vbs
.wsc
.wsf
.wsh
.vbp
.doc
.xsl
.asp
.zip
.rar
.txt
.mp3


Lowers security settings by modifying the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = regedit.exe
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\DisableCMD = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1803 = 3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1804 = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1803 = 3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1804 = 1
HKEY_CURRENT_USER\Software\Microsoft\Outlook Express\5.0\Mail\Warn on Mapi Send = 0
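
Added example, not part of the write-up: a parser for `reg export` output (.reg text) that reports which of these policy values are present with the data the worm writes, so a snapshot of an affected machine can be checked offline. The sample export is constructed and the function names are my own; a real export from reg.exe is UTF-16 with a BOM, so open it with encoding="utf-16".

```python
"""Check a .reg export for the policy values W32.Nodmin@mm sets. Added example,
not from the write-up; SAMPLE_EXPORT is constructed."""
import re

# (key, value name, data) as the write-up lists them.
NODMIN_POLICY_VALUES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "DisallowRun", "regedit.exe"),
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System", "DisableCMD", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "1803", 3),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Outlook Express\5.0\Mail", "Warn on Mapi Send", 0),
]

_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

def parse_reg(text):
    """Parse .reg text into {(key, name): data} with keys and names lower-cased.
    dword:XXXXXXXX becomes an int, "quoted" data a str; other types are kept raw."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := _VALUE_LINE.match(line)):
            data = m.group("data")
            if data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            values[(key, m.group("name").lower())] = data
    return values

def find_lowered_settings(reg_text):
    """(key, name) pairs whose data equals what the worm writes; other data is not reported."""
    present = parse_reg(reg_text)
    return [(k, n) for k, n, d in NODMIN_POLICY_VALUES if present.get((k.lower(), n.lower())) == d]

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1803"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000000
"""
```

For the sample, find_lowered_settings reports DisableTaskMgr and the zone 3 value 1803; DisableSR is present but set to 0, so it is not flagged.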


Creates the following non-malicious data files:


C:\index.htm
C:\mymesg.txt
%Windows%\sysilani.ini


Searches for installed file sharing applications by checking for the following folders:


eMule\Incoming
ICQ File Share\Share
Ares\My Shared Folder
eDonkey2000\Incoming
Kazaa\My shared folder
Kazaa Lite K++
Kazaa Lite K++\My shared folder


If present, it will copy itself into these folders with the following file names:


Winamp Final 5.11.exe
Hotmail_hack.exe
Google_hacks.exe
WinRar.exe
Windows_Xp_Key_gen.exe
Tornado_TM.exe
ILAni.exe
ftp hack.exe
windows exploit.exe
winxp_hack.exe
Hacker.exe
Microsoft Suckers.exe
Apache.exe
Php_nuke.exe
C++ compile.exe
winamp crack 5.12.exe
Flashget crack.exe
mail.exe
friends.exe
aladin.exe
super mario.exe
super pang.exe
Kaiowas hack.exe
web hack.exe
mail exploit.exe
Yu-Gi-Oh.exe
Yu-Gi-Oh cards.exe
Batman.exe
Windows2003Keygen.exe
Norton AntiVirus 2004 Patch.exe
Pokemon Colosseum No-CD.exe
SecureCRTPatch.exe
Splinter Cell Pandora No-CD.exe
Star Chamber No-CD.exe
Sub7 Gold.exe
Unreal Tournament 2004 No-CD.exe
VB6 KeyGen.exe
WinAmp5 Crack.exe
WinXPKeyGen.exe
WinZip.exe


Uses the Outlook MAPI interface to send itself to all the e-mail addresses in the address book. The e-mail has the following properties:

From: (spoofed)

Subject: (one of the following)


Re:
RE:Re
Re:Windows Update
Re:Details
Re:Answer
Re:Question
Re:ICQ Password
Warning!!!
Free Handy Ringtones
Green Card?
Check this!
Winxp problem
winxp error
Help me!
Hi,baby
Details
Important
Top secret
Interesting
Funny Stories
Free GSM Ring Composer
Free SMS Center
failure notice
New friend
See My New Flat
Free GSM Screens
Wallpaper

Message Body: (one of the following)


See this photo, have fun and phone me :)))!!!
This picture is for you.Have fun :)) {}
Hi,
Can you help me.
For Details see the attached file.
10x ...
See my report!
Send me back your opinion
Read my answer.
Check the attachment
Please read the attachment and call me.
I am sure that this will help you.
Whats up ?
I dont have time for chatting this week,
but you can call me.
I have forgotton my ICQ password and i try to check about it but it has an error on icq page.
Please check the attached file.
If you fix the error, plese send me mail.
10x
For Fun see the attachment.. and give me your opinion
See the Flash animation!!!
Get your free ringtones
Its not only for Nokia :)
Have you seen whether you win a green card?
I find this very interesting...
Try its a funny game :) []
Hello,
It makes fun :]]]]
I have a very big problem with my OS
Can you help me?
Check the attachment.
Windows fatal error
Please check this error
I have a very big problem
Can you help me
See the attachment
Read this interesting news info :)
I love you and this fun story too :)
Check this if you want a new job
For details see the attached file
This file include your full bank information
I think you must call the police
See this - UFO top secret info
Read this funny story :))
GSM Ring Composer for your Handy...
Just try
Free SMS Center - check the attached file.
mail error 233
See my new friend
We have a new flat
See the photos


Attachment: (one of the following)


photo.pif
pic.pif
winupdate.asp?=072344.pif
details.htm.pif
answer.txt.exe
attachment.doc.exe
secret_att.zip.exe
old_password.htm?=7658754322btgisx.pif
attachment.scr
warning.exe
ringtones.exe
checkgcard.exe
check.exe
problem.txt.exe
error.txt.exe
problem.htm.exe
fun.htm.scr
details.php.pif
important.mdb.exe
news.index.htm.exe
fun.php?id=8727277732323.scr
funstories.php?id=087457685bcxd?9283.scr
hotringtones.jsp?=00d7uxnn3.pif
smscenter.php?index!&%230000.scr
error.exe
photos.zip.pif
flat.jpg.pif
handy_matrix_screen.scr
wallpaper0023.jpg.scr


Checks for the presence of a folder called www or php and creates the following files, each containing an HTML message:


index.htm
index.asp
index.php


Checks the following locations for an installed mIRC client and overwrites the script.ini file so that the worm sends itself over DCC under the name BigBrother.exe with the message "If you are BigBrother Fan :P Look this clip;)":


C:\Program Files\mIRC\script.ini
C:\Program Files\mIRC32\script.ini
C:\mIRC\script.ini
C:\mIRC32\script.ini
 