
W32.Shelp
Thursday, 19 May 2005
W32.Shelp is a worm that propagates by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).

Note: Virus definitions dated prior to May 18, 2005 detect this risk as Bloodhound.Exploit.8.

Also Known As: Bloodhound.Exploit.8, Exploit-MS04-011.gen [McAfee]

Type: Worm
Infection Length: worm 19,456 bytes, load.exe 5,120 bytes, explorer.exe 26,112 bytes

Systems Affected: Windows 2000, Windows Server 2003, Windows XP
When W32.Shelp is executed, it performs the following actions:


Spreads by exploiting the following vulnerability:

The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).


Downloads and runs the following file:

http:/ /207.36.180.163/b/bd/1/load.exe.


Downloads the following file:

http:/ /207.36.180.163/b/svchost.exe


Saves the file svchost.exe as:

%System%\explorer.exe

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Adds the value:

"explorer" = "%System%\explorer.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the risk runs every time Windows starts.


Creates the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Mshelp\"[random data name]"

where it may keep the worm's version information.

Note: The data of the above values may vary. "PID" and "UUID" have been reported as data.

Executes the following downloaded file and then deletes the file load.exe:

%System%\explorer.exe

Downloads and runs a copy of the worm from the following IP address, completing the replication to the compromised computer:

207.36.180.163
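The registry artefacts listed above (the "explorer" value under the Run key pointing into the System folder, and the Mshelp subkey) can be checked offline against a `reg export` style dump. The following is an added example, not code from the original write-up; the .reg sample is constructed and the key and path names are taken from the description above.

```python
import re

# Constructed sample in "reg export" (.reg) format; not from the original write-up.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"explorer"="C:\\WINDOWS\\system32\\explorer.exe"
"SomeTool"="C:\\Program Files\\Tool\\tool.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Mshelp]
"4C8A3B2F"="PID"
'''

# Registry keys named in the write-up (compared case-insensitively, as the registry is).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
MSHELP_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\mshelp"
# The worm drops explorer.exe into %System%; the legitimate explorer.exe lives in
# the Windows folder itself and is not started from a Run value.
SYSTEM_DIR_RE = re.compile(r"\\(system32|system)\\explorer\.exe$", re.IGNORECASE)


def parse_reg_export(text):
    """Parse a .reg dump into {key (lower-cased): {value_name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and line.startswith('"') and '"="' in line:
            name, data = line[1:].split('"="', 1)
            # .reg files escape backslashes as "\\"; unescape to the real path.
            keys[current][name] = data.rstrip('"').replace("\\\\", "\\")
    return keys


def find_shelp_indicators(text):
    """Return a list of findings matching the W32.Shelp registry changes."""
    keys = parse_reg_export(text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == "explorer" and SYSTEM_DIR_RE.search(data):
            findings.append(f"Run value {name!r} launches {data} from the System folder")
    if MSHELP_KEY in keys:
        findings.append(f"Mshelp key present with {len(keys[MSHELP_KEY])} value(s)")
    return findings


if __name__ == "__main__":
    for finding in find_shelp_indicators(SAMPLE_REG_EXPORT):
        print(finding)
```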
========================
To delete the value from the registry:
Click Start > Run.
Type regedit
Click OK.

Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value:

"explorer" = "%System%\explorer.exe"

Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Mshelp\"[random data name]"

Exit the Registry Editor.