W32.Protoride.B
Wednesday, 29 December 2004
W32.Protoride.B is a worm that spreads through network shares and opens a back door that allows unauthorized access to a compromised computer.

When W32.Protoride.B runs, it does the following:
Adds the value:

"Windows Taskbar Manager" = "[path to worm executable]"

to the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that the worm runs every time Windows starts.


Attempts to access the IPC$ share of any available network drive that it can connect to using the privileges of the logged-in user.


Copies itself as one of the following files:


internat.exe
comands.exe

to any of the following directories on all the local and shared drives:


\Documents and Settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys
\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
\Documents and Settings\All Users\Menu Iniciar\Programas\Iniciar
\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
\Documents and Settings\All Users\Menu Start\Programmas\Opstarten
\Documents and Settings\All Users\Menu Start\Programy\Autostart
\Documents and Settings\All Users\Menuen Start\Programmer\Start
\Documents and Settings\All Users\Start Menu\Programlar\BASLANGI
\Documents and Settings\All Users\Start Menu\Programs\StartUp
\Documents and Settings\All Users\Start-meny\Programmer\Oppstart
\Documents and Settings\All Users\Start-menyn\Program\Autostart
\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
\WIN95\Käynnistä-valikko\Ohjelmat\Käynnistys
\WIN95\Menu Avvio\Programmi\Esecuzione automatica
\WIN95\Menu Démarrer\Programmes\Démarrage
\WIN95\Menu Iniciar\Programas\Iniciar
\WIN95\Menú Inicio\Programas\Inicio
\WIN95\Menu Start\Programmas\Opstarten
\WIN95\Menu Start\Programy\Autostart
\WIN95\Menuen Start\Programmer\Start
\WIN95\Start Menu\Programlar\BASLANGI
\WIN95\Start Menu\Programs\StartUp
\WIN95\Start-meny\Programmer\Oppstart
\WIN95\Start-menyn\Program\Autostart
\WIN95\Startmenü\Programme\Autostart
\WIN98\Käynnistä-valikko\Ohjelmat\Käynnistys
\WIN98\Menu Avvio\Programmi\Esecuzione automatica
\WIN98\Menu Démarrer\Programmes\Démarrage
\WIN98\Menu Iniciar\Programas\Iniciar
\WIN98\Menú Inicio\Programas\Inicio
\WIN98\Menu Start\Programmas\Opstarten
\WIN98\Menu Start\Programy\Autostart
\WIN98\Menuen Start\Programmer\Start
\WIN98\Start Menu\Programlar\BASLANGI
\WIN98\Start Menu\Programs\StartUp
\WIN98\Start-meny\Programmer\Oppstart
\WIN98\Start-menyn\Program\Autostart
\WIN98\Startmenü\Programme\Autostart
\WINDOWS.000\Menu Iniciar\Programas\Iniciar
\WINDOWS.000\Menú Inicio\Programas\Inicio
\WINDOWS.000\Start Menu\Programs\StartUp
\WINDOWS.000\Startmenü\Programme\Autostart
\WINDOWS\Käynnistä-valikko\Ohjelmat\Käynnistys
\WINDOWS\Menu Avvio\Programmi\Esecuzione automatica
\WINDOWS\Menu Démarrer\Programmes\Démarrage
\WINDOWS\Menu Iniciar\Programas\Iniciar
\WINDOWS\Menú Inicio\Programas\Inicio
\WINDOWS\Menu Start\Programmas\Opstarten
\WINDOWS\Menu Start\Programy\Autostart
\WINDOWS\Menuen Start\Programmer\Start
\WINDOWS\Start Menu\Programlar\BASLANGI
\WINDOWS\Start Menu\Programs\StartUp
\WINDOWS\Start-meny\Programmer\Oppstart
\WINDOWS\Start-menyn\Program\Autostart
\WINDOWS\Startmenü\Programme\Autostart
\WINME\Käynnistä-valikko\Ohjelmat\Käynnistys
\WINME\Menu Avvio\Programmi\Esecuzione automatica
\WINME\Menu Démarrer\Programmes\Démarrage
\WINME\Menu Iniciar\Programas\Iniciar
\WINME\Menú Inicio\Programas\Inicio
\WINME\Menu Start\Programmas\Opstarten
\WINME\Menu Start\Programy\Autostart
\WINME\Menuen Start\Programmer\Start
\WINME\Start Menu\Programlar\BASLANGI
\WINME\Start Menu\Programs\StartUp
\WINME\Start-meny\Programmer\Oppstart
\WINME\Start-menyn\Program\Autostart
\WINME\Startmenü\Programme\Autostart

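As an added defender-side check, not part of the advisory, the Python below looks for the two persistence artefacts just described: the "Windows Taskbar Manager" Run value and a copy of internat.exe or comands.exe inside one of the listed startup folders. It assumes a .reg-style text export of the HKLM Run key and a file listing (for example from a mounted drive image) as inputs; the sample data at the bottom is constructed.

```python
import re
from pathlib import PureWindowsPath

RUN_VALUE_NAME = "Windows Taskbar Manager"       # Run-key value name from the advisory
DROPPED_NAMES = {"internat.exe", "comands.exe"}  # file names the worm copies itself as
# Lower-cased (Programs, Startup) folder pairs closing every drop directory in the advisory's list.
STARTUP_TAILS = {
    ("ohjelmat", "käynnistys"), ("programmi", "esecuzione automatica"),
    ("programmes", "démarrage"), ("programas", "iniciar"), ("programas", "inicio"),
    ("programmas", "opstarten"), ("programy", "autostart"), ("programmer", "start"),
    ("programlar", "baslangi"), ("programs", "startup"), ("programmer", "oppstart"),
    ("program", "autostart"), ("programme", "autostart"),
}
# One "name"="data" line of a .reg export; both parts may contain \" and \\ escapes.
_VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

def find_run_value(reg_export):
    """Data of the worm's Run value in a .reg-style text export of HKLM, or None."""
    in_run_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):  # a [KEY] header opens a new key
            key = line[1:-1].lower()
            in_run_key = key.startswith("hkey_local_machine\\") and key.endswith("\\currentversion\\run")
            continue
        value = _VALUE_LINE.match(line)
        if in_run_key and value and value.group("name") == RUN_VALUE_NAME:
            return value.group("data").replace("\\\\", "\\")  # .reg doubles backslashes
    return None

def dropped_copies(paths):
    """Paths whose name and enclosing Programs\\Startup folders match the drop list. internat.exe
    is also a legitimate Windows 9x/2000 file in the System folder, so only startup-folder copies count."""
    hits = []
    for p in map(PureWindowsPath, paths):
        tail = tuple(part.lower() for part in p.parts[-3:-1])  # the two folders above the file
        if p.name.lower() in DROPPED_NAMES and tail in STARTUP_TAILS:
            hits.append(str(p))
    return hits

# Constructed sample input: a Run-key export and a file listing from a hypothetical drive image.
SAMPLE_REG_EXPORT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows Taskbar Manager"="C:\\WINDOWS\\comands.exe"
"""
SAMPLE_PATHS = [
    r"C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\internat.exe",
    r"\\fileserver\c$\WINDOWS\Startmenü\Programme\Autostart\comands.exe",
    r"C:\WINDOWS\system\internat.exe",  # legitimate location, must not be flagged
]
```

Running `find_run_value(SAMPLE_REG_EXPORT)` and `dropped_copies(SAMPLE_PATHS)` reports the Run value data and the two startup-folder copies while ignoring the legitimate internat.exe in the System folder.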

The worm opens an IRC back door by connecting on TCP port 6667 to one of the following hosts:


quilmes.sytes.net
quilmes1.sytes.net
quilmes3.sytes.net


An attacker with access to that IRC channel can issue the following commands on the compromised computer:


Change IRC nickname
Create a SOCKS4 server
Download, execute, and upload files
Hide and unhide program windows
Hide its own processes
List all active windows
List and kill processes
List currently running processes and TCP connections
Perform Denial of Service and UDP flood attacks
Provide system information
Register and unregister the worm as a service process
Retrieve the victim's IP address
Start, stop, pause, and resume a port scan
Steal passwords
Remotely update or stop the worm