
W32.Picrate.B@mm
Monday, 18 April 2005
W32.Picrate.B@mm is a mass-mailing worm that emails copies of itself to addresses harvested from Yahoo! Messenger and MSN Messenger contact lists, and drops and runs a variant of W32.Spybot.Worm.

Type: Worm
Infection Length: 290,611 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Picrate.B@mm is executed, it performs the following actions:

Opens the following URL in the default browser (a decoy image consistent with the email lures below, so the recipient sees the promised picture while the worm installs):

www.[domain removed].com/forums/LOL-AlbinoGorrilla.jpg


Drops the following files:

%System%\netstat.com (a corrupt executable file)
%System%\ping.com (a corrupt executable file)
%System%\tracert.com (a corrupt executable file)
%System%\tasklist.com (a corrupt executable file)
%System%\taskkill.com (a corrupt executable file)
%System%\regedit.com (a corrupt executable file)
%System%\cmd.com (a corrupt executable file)
%System%\wini.exe (a copy of the W32.Spybot.Worm variant)
%System%\xtc.tmp (a copy of the worm)
%System%\Download.zip (a Zip archive of the worm)
%System%\szip.dll (a legitimate DLL used to handle Zip archives)
%System%\ANSMTP.DLL (a legitimate DLL used for mail functionality)

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Note: the corrupt .com files share their base names with standard Windows command-line tools (netstat.exe, ping.exe, tracert.exe, tasklist.exe, taskkill.exe, regedit.exe, cmd.exe). cmd.exe resolves a command typed without an extension by trying the extensions in %PATHEXT% in order, and .COM precedes .EXE by default, so typing "netstat" at a prompt on an infected machine runs the corrupt netstat.com and fails. Invoke these tools with the explicit .exe extension (for example netstat.exe) when investigating or cleaning an infected system.
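The reason the worm drops corrupt .com files with those particular names is cmd.exe's command resolution order. The script below is added here as an illustration and is not part of the original write-up: it mimics that resolution over a constructed directory listing and lists which tools a same-named .com file would pre-empt. The listing, the PATHEXT order and the function names resolve and find_shadowed are the example's own assumptions.

```python
"""Added example (not part of the original write-up): why the worm drops
corrupt .com files named after standard command-line tools.

cmd.exe resolves a bare command name by trying each extension listed in
%PATHEXT% in order, and the default order begins ".COM;.EXE;.BAT;.CMD".
A netstat.com placed next to netstat.exe therefore runs whenever someone
types "netstat". The directory listing below is constructed for the
example; it is not read from a real host.
"""
from typing import Dict, Optional, Sequence, Set

# Default PATHEXT prefix on Windows; .COM is tried before .EXE.
DEFAULT_PATHEXT: Sequence[str] = (".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".JS")

# Tools the write-up says the worm shadows with corrupt .com files.
SHADOWED_TOOLS = ("netstat", "ping", "tracert", "tasklist", "taskkill", "regedit", "cmd")

# Constructed %System% listing of an infected host (assumption, not captured data).
INFECTED_SYSTEM32: Set[str] = {
    "netstat.exe", "ping.exe", "tracert.exe", "tasklist.exe", "taskkill.exe",
    "regedit.exe", "cmd.exe", "notepad.exe",
    # dropped by W32.Picrate.B@mm
    "netstat.com", "ping.com", "tracert.com", "tasklist.com", "taskkill.com",
    "regedit.com", "cmd.com", "wini.exe", "xtc.tmp", "Download.zip",
}


def resolve(command: str, listing: Set[str],
            pathext: Sequence[str] = DEFAULT_PATHEXT) -> Optional[str]:
    """Mimic cmd.exe's lookup of a command typed without a path.

    A name that matches a file exactly (explicit extension) is used as-is;
    otherwise the PATHEXT extensions are appended in order and the first
    file that exists wins. Returns the file cmd.exe would run, or None.
    """
    names: Dict[str, str] = {n.lower(): n for n in listing}
    wanted = command.lower()
    if wanted in names:
        return names[wanted]
    for ext in pathext:
        hit = names.get(wanted + ext.lower())
        if hit is not None:
            return hit
    return None


def find_shadowed(listing: Set[str]) -> Dict[str, str]:
    """Map tool -> shadowing file for every .exe that a same-named .com
    would pre-empt under the default PATHEXT order."""
    names = {n.lower() for n in listing}
    shadowed: Dict[str, str] = {}
    for n in sorted(names):
        if n.endswith(".exe") and n[:-4] + ".com" in names:
            shadowed[n[:-4]] = n[:-4] + ".com"
    return shadowed


if __name__ == "__main__":
    for tool in SHADOWED_TOOLS:
        bare = resolve(tool, INFECTED_SYSTEM32)
        explicit = resolve(tool + ".exe", INFECTED_SYSTEM32)
        print(f"{tool:9s} -> {str(bare):13s}   {tool + '.exe':12s} -> {explicit}")
    print("shadowed tools:", find_shadowed(INFECTED_SYSTEM32))
```

Invoking the tools with their explicit .exe extension sidesteps the PATHEXT search entirely, which is why the removal steps on an infected machine should be typed that way.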


Registers ANSMTP.DLL as a COM server, creating the following registry keys:

HKEY_CLASSES_ROOT\ANSMTP.OBJ.1
HKEY_CLASSES_ROOT\ANSMTP.OBJ
HKEY_CLASSES_ROOT\ANSMTP.MassSender.1
HKEY_CLASSES_ROOT\ANSMTP.MassSender
HKEY_CLASSES_ROOT\CLSID\{253664FB-EDFC-4AC6-BD69-B322F466AEED}
HKEY_CLASSES_ROOT\CLSID\{887A577B-406B-48FF-80CB-70752BFCD7B4}
HKEY_CLASSES_ROOT\Typelib\{DE6317F7-6EF0-45C2-88D1-8E09415817F1}
HKEY_CLASSES_ROOT\Interface\{68B8DCDB-EFA4-420A-BB8A-71B9892A2063}
HKEY_CLASSES_ROOT\Interface\{1E98666F-6260-42C9-B846-32B20fDEFE7B}
HKEY_CLASSES_ROOT\Interface\{A5F6C90C-ABE4-4C57-A421-8C5A202AA9F8}
HKEY_CLASSES_ROOT\Interface\{B13281CF-8778-4C98-AE23-ABBA4637A33D}


Gathers email addresses from the Yahoo! Messenger and MSN Messenger contact lists.


Mails itself as an attachment to the email addresses it has gathered with one of the following subject and message body combinations:

Subject: Hehehe LOL!!
Message Body: I just saw this on my computer from a while ago

download it and see if you can remember ;)

lol i was lauging like crazy when i saw! :D

email me back hehe...

Subject: Your Photo Is On A Webpage!!
Message Body: I was veiwing this website and came across

a picture they look just like you! infact im sure

it is haha , did you email this pic into them ? or

is it someonce elses that looks like you :S ? pic is attached

in zip file so download it and see then email me back!

Subject: Hey Rate My Pic Plz...
Message Body: Hi ive sent out 4 emails now & nobody will rate

my photo! :( please download and tell me your opinion

rated out of 10 , its ok if you dont like it

just say i wont be offended p.s i was drunk when

it was taken haha :)

Subject: Someone Admires You!
Message Body: Someone has asked us on there behalf to send

you this email and tell you they think you are

Amazing!! All the The secret persons details

you need are enclosed in the attachment :)

please download and respond telling us if you

would like to make further contact with this

person.


Regards Hallmark Admirers Admin.

Attachment:


IMG_001.scr
Sexy_02.scr
Scanned_03.scr
Photo_01.pif
Admirer_005.scr
Your_pic.scr
Lover_01.scr
Just_For_You.pif
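Added example, not from the original write-up: inspecting a Zip attachment like the worm's Download.zip without extracting it, and flagging members with extensions Windows executes on double-click. It goes slightly beyond the page by also catching double extensions (photo.jpg.scr) and whitespace padding used to push the real extension out of view. The archive contents are constructed in memory from stand-in bytes; EXECUTABLE_EXTS, inspect_zip and is_suspicious are the example's own names.

```python
"""Added example (not part of the original write-up): inspect a Zip mail
attachment such as the worm's Download.zip without extracting it.

Only the central directory is read, so no member is decompressed; member
names are checked for extensions Windows executes on double-click, for
double extensions (photo.jpg.scr), and for long whitespace runs used to
push the real extension out of view. The archive is built in memory from
stand-in bytes; it contains no real malware.
"""
import io
import re
import zipfile
from typing import List, Sequence, Tuple

# Extensions run directly on double-click; .scr and .pif are this worm's choices.
EXECUTABLE_EXTS = {".scr", ".pif", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Attachment names from the write-up.
LURE_NAMES = ["IMG_001.scr", "Sexy_02.scr", "Scanned_03.scr", "Photo_01.pif",
              "Admirer_005.scr", "Your_pic.scr", "Lover_01.scr", "Just_For_You.pif"]

_PADDING_RE = re.compile(r"\s{3,}")


def build_sample_zip(member_names: Sequence[str]) -> bytes:
    """Constructed archive: each member holds a few stand-in bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in member_names:
            zf.writestr(name, b"stand-in bytes, not an executable")
    return buf.getvalue()


def inspect_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (member_name, reason) for each member that would run if opened."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):          # directory entry
                continue
            base = name.rsplit("/", 1)[-1]
            # Windows drops trailing spaces and dots when it creates the file.
            parts = base.rstrip(" .").lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext not in EXECUTABLE_EXTS:
                continue
            reason = "double extension" if len(parts) > 2 else "executable extension"
            if _PADDING_RE.search(base):
                reason += ", whitespace padding"
            findings.append((name, reason))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when at least one member would execute if the user opened it."""
    return bool(inspect_zip(data))


if __name__ == "__main__":
    sample = build_sample_zip(LURE_NAMES + ["readme.txt", "photo.jpg          .scr"])
    for member, why in inspect_zip(sample):
        print(f"{why}: {member}")
```

Because only the central directory is read, the check is safe to run on untrusted archives at a mail gateway; it does not protect against a member whose name is benign but whose content is executable, which needs content inspection after extraction into a sandbox.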


Executes the file wini.exe, which is a copy of the W32.Spybot.Worm variant.

Adds the value:

"IE Runtime" = "wini.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa

so that the W32.Spybot.Worm runs every time Windows starts.

Note: of these, only the Run and RunServices subkeys are autostart locations, and RunServices is processed only by Windows 95/98/Me. The copies of the value under the OLE and Lsa subkeys are never executed by Windows, but they are reliable indicators of infection and should be removed as well.


Modifies the value:

"EnableDCOM" = "N"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE

to disable DCOM. The Windows default is "EnableDCOM" = "Y"; with DCOM disabled, legitimate software that relies on remote COM activation also stops working, which is a visible symptom on an infected machine.


Modifies the value:

"restrictanonymous" = "1"

in the registry subkey:

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa

intended to restrict anonymous (null-session) access to network shares.

Note: Windows reads RestrictAnonymous from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, not from HKEY_CURRENT_USER, so the value as listed does not actually change anonymous access. Treat it as an infection marker, and check the HKEY_LOCAL_MACHINE subkey as well when investigating.

Copies W32.Spybot.Worm as %System%\wini.exe.

Contacts an IRC server at paris-hack.com on TCP port 8080 for instructions. Outbound connections from workstations to that host, and IRC traffic on a non-standard port such as 8080, are worth alerting on at the network perimeter.
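To check a host for the registry indicators listed above without clicking through regedit, the following script, added here and not part of the original write-up, parses a regedit export (.reg) and reports the Run/RunServices persistence value, the DCOM and RestrictAnonymous changes, and the ANSMTP.DLL COM registration. The SAMPLE_REG export is constructed for the example; the parser covers the common .reg constructs (key headers, string and dword values, hex continuation lines), and the function names are the example's own.

```python
"""Added example (not part of the original write-up): scan a regedit export
(.reg file) for the registry indicators of W32.Picrate.B@mm / W32.Spybot.

SAMPLE_REG is constructed for the example. On a real host, export the hives
first ("reg export HKLM hklm.reg", "reg export HKCU hkcu.reg",
"reg export HKCR hkcr.reg"); regedit writes these as UTF-16 LE, so they are
read with encoding="utf-16".
"""
import re
import sys
from typing import Dict, List, Tuple, Union

ANSMTP_PROGIDS = {"ANSMTP.OBJ", "ANSMTP.OBJ.1", "ANSMTP.MASSSENDER", "ANSMTP.MASSSENDER.1"}
ANSMTP_CLSIDS = {"{253664FB-EDFC-4AC6-BD69-B322F466AEED}",
                 "{887A577B-406B-48FF-80CB-70752BFCD7B4}"}

# Constructed export from an infected host; one benign Run value included.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"IE Runtime"="wini.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE]
"EnableDCOM"="N"
"IE Runtime"="wini.exe"

[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001

[HKEY_CLASSES_ROOT\ANSMTP.MassSender]
@="ANSMTP MassSender Class"

[HKEY_CLASSES_ROOT\CLSID\{253664FB-EDFC-4AC6-BD69-B322F466AEED}\InprocServer32]
@="C:\\WINDOWS\\system32\\ANSMTP.DLL"
'''

_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def decode_data(raw: str) -> Union[str, int]:
    """Turn raw .reg data into a Python value: str for "...", int for dword:;
    anything else (hex:, hex(2): ...) is returned as the raw text."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: raw_data}}.

    Handles [key] headers, "name"=data and @=data (stored under "@"), and
    hex data continued over several lines with a trailing backslash.
    Comment lines (;) and the version banner are skipped.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if line.endswith("\\"):          # hex data continues on the next line
            pending = line[:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else m.group(1).replace('\\"', '"')
            keys[current][name] = m.group(2)
    return keys


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, reason) for every indicator from the write-up."""
    hits: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        parts = key.upper().split("\\")
        for name, raw in values.items():
            data = decode_data(raw)
            lname = name.lower()
            if lname == "ie runtime" and isinstance(data, str) and "wini.exe" in data.lower():
                where = "autostart" if parts[-1] in ("RUN", "RUNSERVICES") else "non-autostart marker"
                hits.append((key, name, f"Spybot persistence value ({where})"))
            elif lname == "enabledcom" and parts[-1] == "OLE" and str(data).upper() == "N":
                hits.append((key, name, "DCOM disabled"))
            elif lname == "restrictanonymous" and parts[0] == "HKEY_CURRENT_USER":
                hits.append((key, name, "RestrictAnonymous under HKCU (not honoured by Windows; infection marker)"))
        if parts[0] == "HKEY_CLASSES_ROOT" and len(parts) > 1:
            com_hit = parts[1] in ANSMTP_PROGIDS or (
                parts[1] == "CLSID" and len(parts) > 2 and parts[2] in ANSMTP_CLSIDS)
            if com_hit:
                hits.append((key, "", "ANSMTP.DLL COM registration"))
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as f:
            text = f.read()
    else:
        text = SAMPLE_REG
    for key, name, reason in find_indicators(parse_reg(text)):
        print(f"{reason}: [{key}] {name}".rstrip())
```

Run it against the three exports in turn (HKLM, HKCU and HKCR); a hit on the autostart value is the one that matters for re-infection at boot, while the OLE and Lsa copies and the COM registration confirm that the ANSMTP mailer component was installed.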


To delete the value from the registry
Click Start > Run.

Type regedit.exe

(Use the explicit .exe extension: the worm drops a corrupt regedit.com into the System folder alongside the real regedit.exe, and a bare "regedit" may resolve to the corrupt copy.)

Click OK.

Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa

In the right pane, delete the value:

"IE Runtime" = "wini.exe"

Delete the following registry subkeys if they are present:

HKEY_CLASSES_ROOT\ANSMTP.OBJ.1
HKEY_CLASSES_ROOT\ANSMTP.OBJ
HKEY_CLASSES_ROOT\ANSMTP.MassSender.1
HKEY_CLASSES_ROOT\ANSMTP.MassSender
HKEY_CLASSES_ROOT\CLSID\{253664FB-EDFC-4AC6-BD69-B322F466AEED}
HKEY_CLASSES_ROOT\CLSID\{887A577B-406B-48FF-80CB-70752BFCD7B4}
HKEY_CLASSES_ROOT\Typelib\{DE6317F7-6EF0-45C2-88D1-8E09415817F1}
HKEY_CLASSES_ROOT\Interface\{68B8DCDB-EFA4-420A-BB8A-71B9892A2063}
HKEY_CLASSES_ROOT\Interface\{1E98666F-6260-42C9-B846-32B20fDEFE7B}
HKEY_CLASSES_ROOT\Interface\{A5F6C90C-ABE4-4C57-A421-8C5A202AA9F8}
HKEY_CLASSES_ROOT\Interface\{B13281CF-8778-4C98-AE23-ABBA4637A33D}

Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE

In the right pane, reset the value:

"EnableDCOM" = "N"

to the Windows default:

"EnableDCOM" = "Y"

Navigate to the subkey:

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa

In the right pane, delete the value the worm wrote:

"restrictanonymous" = "1"

(Windows reads RestrictAnonymous only from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, so this HKEY_CURRENT_USER value has no effect on anonymous access and nothing legitimate depends on it.)

Exit the Registry Editor.
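The manual steps above can be captured as a .reg file and applied with "regedit.exe /s cleanup.reg" or "reg import cleanup.reg", which makes the clean-up reviewable and repeatable across machines. The generator below is an added example, not part of the original write-up; it assumes EnableDCOM should go back to the Windows default "Y" and deletes the HKEY_CURRENT_USER restrictanonymous value rather than resetting it. Its key lists are the ones from this write-up.

```python
"""Added example (not part of the original write-up): emit the manual
regedit steps as a .reg file for "regedit.exe /s cleanup.reg" or
"reg import cleanup.reg".

.reg syntax used: a value line of the form "name"=- deletes that value,
and a key header of the form [-HKEY_...] deletes the key together with all
of its subkeys. Assumptions: EnableDCOM is restored to the Windows default
"Y", and the restrictanonymous value under HKEY_CURRENT_USER is deleted,
since Windows does not read RestrictAnonymous from that hive.
"""
from typing import Sequence

# Subkeys that received "IE Runtime" = "wini.exe" (from the write-up).
RUN_KEYS: Sequence[str] = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE",
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
)

# COM registration created for ANSMTP.DLL (from the write-up).
ANSMTP_KEYS: Sequence[str] = (
    r"HKEY_CLASSES_ROOT\ANSMTP.OBJ.1",
    r"HKEY_CLASSES_ROOT\ANSMTP.OBJ",
    r"HKEY_CLASSES_ROOT\ANSMTP.MassSender.1",
    r"HKEY_CLASSES_ROOT\ANSMTP.MassSender",
    r"HKEY_CLASSES_ROOT\CLSID\{253664FB-EDFC-4AC6-BD69-B322F466AEED}",
    r"HKEY_CLASSES_ROOT\CLSID\{887A577B-406B-48FF-80CB-70752BFCD7B4}",
    r"HKEY_CLASSES_ROOT\Typelib\{DE6317F7-6EF0-45C2-88D1-8E09415817F1}",
    r"HKEY_CLASSES_ROOT\Interface\{68B8DCDB-EFA4-420A-BB8A-71B9892A2063}",
    r"HKEY_CLASSES_ROOT\Interface\{1E98666F-6260-42C9-B846-32B20fDEFE7B}",
    r"HKEY_CLASSES_ROOT\Interface\{A5F6C90C-ABE4-4C57-A421-8C5A202AA9F8}",
    r"HKEY_CLASSES_ROOT\Interface\{B13281CF-8778-4C98-AE23-ABBA4637A33D}",
)

OLE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE"
HKCU_LSA_KEY = r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa"


def build_cleanup_reg(run_keys: Sequence[str] = RUN_KEYS,
                      com_keys: Sequence[str] = ANSMTP_KEYS) -> str:
    """Return the cleanup .reg text with CRLF line endings, as regedit writes them."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in run_keys:                     # remove the persistence value
        lines += [f"[{key}]", '"IE Runtime"=-', ""]
    for key in com_keys:                     # unregister ANSMTP.DLL (key and subkeys)
        lines += [f"[-{key}]", ""]
    lines += [f"[{OLE_KEY}]", '"EnableDCOM"="Y"', ""]          # assumed pre-infection default
    lines += [f"[{HKCU_LSA_KEY}]", '"restrictanonymous"=-', ""]  # value is meaningless in HKCU
    return "\r\n".join(lines)


def write_cleanup_reg(path: str) -> None:
    """Write the file as UTF-16 with BOM, the encoding regedit uses for
    'Version 5.00' exports; newline='' keeps the CRLFs intact."""
    with open(path, "w", encoding="utf-16", newline="") as f:
        f.write(build_cleanup_reg())


if __name__ == "__main__":
    print(build_cleanup_reg())
```

Importing a plain [key] header creates the key if it is absent, so apply the file only on hosts where the indicators were confirmed, and review the generated text before importing it. The [-key] form removes subkeys such as InprocServer32 along with the CLSID key, which is what unregistering a COM server needs.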

 