Introduction to the virus
Worm name: Kickin
Aliases: I-Worm.Cydog.c, W32/Cydog.D, W32/Kickin@MM, Cydog.D, W32/Kickin.A@mm
This worm, known as Kickin, was discovered on 7 May 2003. It is 109056 bytes in size and is packed with UPX. Kickin is very similar to the Cydog worm and can be regarded as a rewrite of Cydog in Visual C. It spreads via email, over IRC, and through the P2P networks Kazaa, eDonkey, BearShare and Morpheus.
Infecting the system:
When the worm is run, it stores itself in the Windows directory as Cyberwolf.exe with file attributes set so that it is hidden, and also copies itself into the Windows system directory under the following names:
mapi32.drv
format.com
SARS-Guide.scr
MsnMsgs.exe
Setup.exe
Virtual Joke.scr
Saddam-the real pics.scr
Christina Aguilera-The most beautiful girl on earth.scr
Soccer Database.exe
OutWar Demo.exe
Love.scr
Last Summer.scr
Hotmail Hacker.exe
FixSql.com
Q30215HOTFIX.pif
Api Hooking-Tutorial.exe
Kernel32.exe
Magical-Screensaver.scr
The worm sets the hidden attribute on its files, and whenever a file with the .exe extension is run, Kernel32.exe is invoked first. To achieve this it adds a registry entry like the following:
[HKCR\exefile\shell\open\command]
@ = "%winsysdir%\Kernel32.exe "%1" %*"
The worm also creates two start-up keys for itself, as follows:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf" = "%windir%\CyberWolf.exe"
"Windows Kernel" = "%winsysdir%\Kernel32.exe"
Here %windir% is the Windows installation directory and %winsysdir% is the Windows system directory. Because the Run key is processed every time Windows starts, these entries activate the worm at each boot.
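The two persistence mechanisms above (the exefile open-command hijack and the Run-key values) are exactly what an incident responder would look for in a registry export. The following script is an added example, not part of the original write-up: it parses a .reg export and reports both indicators. The key paths, value names and file names are those given above; the sample exports and the C:\WINDOWS paths in them are constructed for the demonstration.

```python
# Added example (not from the original write-up): scan a Windows registry
# export (.reg text) for the two persistence mechanisms described above,
# the exefile\shell\open\command hijack and the Run-key entries.  Key paths
# and value names come from the write-up; the sample exports are constructed.
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
# Value names and file names the write-up lists for this worm
SUSPICIOUS_RUN_NAMES = {"CyberWolf", "Windows Kernel"}
SUSPICIOUS_BINARIES = {"cyberwolf.exe", "kernel32.exe"}  # Windows ships kernel32.dll, never kernel32.exe
# What the .exe open command looks like on a clean system
CLEAN_EXEFILE_COMMAND = '"%1" %*'


def _unescape(data):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " (regedit exports both)."""
    return re.sub(r'\\(.)', r'\1', data)


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: string_data}}.
    Only quoted (REG_SZ) values are decoded; '@' is the key's default value."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # file header or a value type we do not decode
        name, _, data = line.partition("=")
        name = name.strip()
        if name != "@":
            name = _unescape(name.strip('"'))
        data = data.strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
    return keys


def find_persistence(keys):
    """Return (what, detail) findings for the indicators described in the write-up."""
    findings = []
    command = keys.get(EXEFILE_KEY, {}).get("@")
    if command is not None and command != CLEAN_EXEFILE_COMMAND:
        # Every .exe launch would first run whatever this command points at
        findings.append(("exefile hijack", command))
    for name, data in keys.get(RUN_KEY, {}).items():
        binary = data.strip('"').split("\\")[-1].lower()
        if name in SUSPICIOUS_RUN_NAMES or binary in SUSPICIOUS_BINARIES:
            findings.append(("run key", f"{name} = {data}"))
    return findings


# Constructed export of an infected host (paths are examples, not from the write-up)
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\System32\\Kernel32.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf"="C:\\WINDOWS\\CyberWolf.exe"
"Windows Kernel"="C:\\WINDOWS\\System32\\Kernel32.exe"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
'''

# Constructed export of a clean host
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
'''

if __name__ == "__main__":
    for label, export in (("infected", INFECTED_REG), ("clean", CLEAN_REG)):
        print(label, find_persistence(parse_reg_export(export)))
```

The exefile check is deliberately not tied to the worm's file name: any default value other than "%1" %* means some program is interposed on every .exe launch, which is worth a look whatever it is called. Reverting that value to "%1" %* is also the first cleanup step, since until it is restored the interposed binary is run again by the very tools used to remove it.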
Spreading via email:
The worm collects target addresses from the system's email address book, the contact lists of Yahoo Messenger, MSN Messenger and .NET Messenger, the ICQ address book, and addresses found in HTML and EML files, and sends itself to those addresses. It carries a list of various SMTP servers that it tries to use if the victim's own SMTP server is unavailable. The worm sends itself with various subjects and bodies, and the attachment name also varies. Examples:
From: Lovergirl@yahoo.com
Subject: Fwd:Fwd:Fwd:Watch out for SARS!
Body: ---ORIGINAL MESSAGE BODY--- FROM:
Attachment: SARS-Guide.scr
(Please note that there is a real Mr. Dick Thompson working for WHO. Obviously he has nothing to do with this virus.)

From: Webmaster@planet-source-code.com
Subject: Api Hooking Tutorial...
Body: Did you wanted to learn how to api hook? Here your chance!This tutorial explains all the basics AND moderate Api Hookings Starting by hooking Registry Keys,Till hiding files from view in Windows Explorer After reading this tut you can even start Windows RootKit Programming but ofcourse thats up to you to decide... The Tutorial attached in this e-mail is for privat use only and may never be distributed under any curcumstances Provided to you by: Webmaster
Attachment: Api Hooking-Tutorial.exe

From: Support@microsoft.com
Subject: Windows Hotfix!
Body: Attached is the HotFix for several bugs in Windows Operating Systems. The following Windows versions are vulnerable: Windows Xp home and Pro edition (with/without SP1) Windows ME,2000 and NT Home and Pro Edition(With/without SP) Windows 98 Home,Pro and Special Edition(With/without SP) The following Windows Operating Systems are not vulnerable: Windows 95(All editions With or Without Sp Microsoft IIS(all versions) If your Operating System is one of the vulnerable systems listed above then Microsoft Corp. recommends you to install this HotFix If you for some reason didn't install this hotfix,then your pc will be vulnerable to this bugs allowing an attacker to Remote Control your pc,or beeing infected with the infamous SqlSlammer. Because this is an critical bug,Microsoft Corp. has send this HotFix to all of his customors who use one of the OS's. For more information about this bug or about Microsoft Corp.,please visit www.microsoft.com Presented to you by:Microsoft HelpDesk
Attachment: Q30215HOTFIX.pif

From: SecurityResponse@symantec.com
Subject: Warning from Symantec.com
Body: 5/4/2003 A NEW INTERNET WORM HAS BEEN FOUND IN THE WILD A new very dangerous internet worm has been found in the wild.This worms goes under the name W32.SqlSlammer.C@mm and has the possibility to spread by several ports on your pc(139,25,445,446,10252). It will infect you without your knowlegde because it uses the Sql Buffer Overflow exploit.Because of this its very hard for Av companies and Microsoft to contain this thread.Thats why we decided to protect our customors by sending then SqlFix and thus protecting them from infection. After installation the fix will determine if the SqlSlammer.C has infected your pc and clean it.If it didn't infect it then it will make sure it will never infect you by closing the bug in your OS. Simply run the attached fix and wait for the dialog to prompt,select the Sincerely, Symantec Security Response Team Symantec Corporation
Attachment: FixSql.com

From: Admin@hackers.com
Subject: u wanted to hack?
Body: hi there,so you wanted to hack your friends hotmail account huh,well use this xss-exploit tool to find his password within 3 minutes!! Simply open it and enter your victims email ID and select

From: Lovergirl963@hotmail.com
Subject: Do you remember last summer?
Body: hi Do you remember we met last summer? We became very good friends at the end huh! Well i looked a bit over internet and i encountered your Email,so i thought why not send him the pics from last summer I've attached them in this email,there in ScreenSaver format,pls reply to me if you liked them See you soon again xxx Love ya...
Attachment: Last Summer.scr

From: Lovergirl33@hotmail.com
Subject: Fwd:Fwd:Fwd:Sit back and be surprised...
Body: ORIGINAL MESSAGE BODY: FROM:
Attachment: Magical-Screensaver.scr

From: Admin@screensavers.com
Subject: The Magical screensaver
Body: Check out this magic screensaver.Its pure magic!!! Follow these steps for the magic: 1)Pick 3 numbers and write them down on a paper. 2)Add one of the following values to the 3 numbers:Love,Friendship and Sex.Write these values next to the number 3)Pick 1 additional number and say it out loud 5 times 4)Now the sticky part:Choose 3 names of girls/boys who you like and write them below on that paper. 5)Now open the Magical screensaver i attached,wrap the paper in your left hand and close your eyes until you here the beep. 6)Open your eyes again and look at the screen.What the screensaver displayed will be personal,so you'll have to be alone in your room.Everything the screensaver displays will come tru within the next 2 months,Only the Sex part will come tru when your above 16. Presented by Admin@screensavers.com
Attachment: Magical-Screensaver.scr

From: Webmaster@Loveforlife.com
Subject: Feel the reason why we fall in love...
Body: It takes One minute to find someone special One hour to like someone 1 Day to fall in love with someone But it takes a lifetime to forget someone. If you have ever been in love then you'll know about what i am talking. If you wanne have that same old feeling then open the lovescreensaver and realise why we fall in love all the time...
Attachment: Love.scr

From: Webmaster@Outwar.com
Subject: Outwar is proud to present you:Outwar InterActive
Body: After beeing succesfull for quit some years now and having more then 20000 clients,it was time for something new. Thats why we decided to take our OutWar into the game market and developed OurWar InterActive This game will be in shops late summer and will cost about 36$. It will be avaible across the Usa,Europe,Australia and Asia. Our release for Africa is scheduled early 2004. Because this will mean a lot of waiting,we developed the first Official OutWar Int. Demo! The attached file contains Installation Packet for the downloader. Install it and download the game from our Private FTP servers,and then enjoy it on your home pc!. Sincerely yours Webmaster@outwar.com
Attachment: OutWar Demo.exe

From: Soccerfan@yahoo.com
Subject: Fwd:Fwd:Fwd:Soccer...
Body: Ever wanted to see the best goals,the most beautiful freekicks etc.with just 2 clicks with your mouse? Ever wanted to acces the largest Soccer Database on the internet where all goals from more then 25 international competitions from the past 15 years are stored? Here is your chance,this program has instant acces it,so you can enjoy how Diego Maradonna scored
Attachment: Soccer Database.exe

From: Webmaster@beautifulgirls
Subject: Christina Aguilera:The most beautiful girl on earth
Body: Don't you think Christina Aguilera is the most beautiful girl on earth? She is soo nice!!! That clip
Attachment: Christina Aguilera-The most beautiful girl on earth.scr

From: webmaster@screensavers.com
Subject: Saddam alive and kickin'
Body: The whole world wants to know it,is saddam a live,or death? Well somedays a go the britisch took secret spy cam pics,and luckely someone has uploaded this pics to the internet,and now their avaible! You won't believe what you see!its amazing!!!The spy cam was hidden inside a tower in Bagdad and it took pics from saddam and his sons,they our 250m beneath the ground! Check out the pics i attached,you won't believe what you see!
Attachment: Saddam-the real pics.scr

From: Admin@jokes.com
Subject: The Virtual Joke...
Body: Have you seen it yet? You should because its soooooo funny,i wish the real jokes where that funny :) Check out the attached screensaver and enjoy the pleasure of laughing...
Attachment: Virtual Joke.scr

From: flipbabe@hotmail.com
Subject: Fwd:Fwd:Whats really happening in bagdad
Body: ORIGINAL MESSAGE BODY: FROM:
Attachment: Saddam-the real pics.scr

From: mailinglist@Msn.com
Subject: Get the new Msn 5.1!
Body: Tired of the little nicknames in Msn,tired of all the limits? Well we've got news for you,Msn 5.1 is the newest and best msn messenger ever! It allows nicknames up to 500 characters and has many new functions who will make your cyberlife easyier and better! Msn Messenger 5.1 is avaible for following Operating Systems: Windows Xp Windows ME and 2000 Windows 98 and NT Is not avaible for:Windows 95 This version of msn messenger supports also Api's in Windows Xp so you can make your own addons. To download Msn Messenger 5.1 install the attached Root Setup. WARNING:MSN MESSENGER IS NOT AVAIBLE FOR DOWNLOAD AT OUR WEBSITE DUE TO JURIDICAL RESTRICTIONS,IF YOU WANT IT YOU'LL HAVE TO INSTALL THE ROOT SETUP. If you don't want to install it then you'll have to wait for another 5 weeks because of the juridical restricions. Please do not forward this email.Every user who has Msn Messenger installed will receive this email sooner or later,so its up to them to decide to use the new version of not Sincerely yours: The Msn Messenger Team The Hotmail Team
Attachment: MsnMsgs.exe

From: nice_girl21@hotmail.com
Subject: Fwd:How to protect yourself against SARS
Body: ORIGINAL MESSAGE BODY: FROM:
Attachment: SARS-Guide.scr

The worm's behaviour also depends on the Windows clock: it can create a file named Cyberwolf.txt or Windows.l0g in the Windows directory containing a message from its author. At certain times it can open the Internet browser and visit the following sites:
www.brain-hack.com
www.indiansnakes.cjb.net
www.christinaaguilera
www.catholicninjas.org/superfuntime/
The worm can also delete, and thereby disable, the antivirus-related files whose names are listed below:
NETSERVICES, COMMAND, SYSHELP, RAVMOND, WINRPC, WINHELP, WINGATE, NPROTECT, CLEANER, WINDRIVER, TASKMGR, MSCONFIG, REGEDIT, ANTI-TROJAN, BLACKICE, ZONEALARM, LOCKDOWNADVANCED, NVC95, FP-WIN, IOMON98, PCCWIN98, F-PROT, F-STOPW, IAMSERV.EXE, NAVWNT, NAVRUNR, NAVLU32, NAVAPSVC, VSMON.EXE, SYMPROXYSVC, RESCUE32, NISSERV, VSECOMR, VETTRAY, TDS2-NT, CCAPP.EXE, SCAN32, PCFWALLICON, NSCHED32, SPHINX.EXE, FRW.EXE, MCAFEE, ATRACK, PVIEW.EXE, LUCOMSERVER, LUALL.EXE, NMAIN.EXE, NAVW32, NAVAPW32, VSSTAT, VSHWIN32, AVSYNMGR, AVCONSOL, WEBTRAP, POP3TRAP, PCCMAIN, PCCIOMON, ESAFE.EXE, AVPM.EXE, AVPCC.EXE, AMON.EXE, ALERTSVC, ZAPRO.EXE, AVP32, LOCKDOWN2000, AVP.EXE, CFINET32, CFINET, ICMON, SAFEWEB, WEBSCANX, IAMAPP
Infection over P2P (peer-to-peer) networks:
The worm can spread and infect over P2P networks: it tries to locate the shared folders of Kazaa, eDonkey, BearShare and Morpheus and copies itself there under the following names:
Virus Creation ToolKit-VX v7.1_create virii with thistool,Klez.H and Sircam has been created with version 6.exe
WebAttack-DoS Tool.exe
FTP Cracker-2003(Crack the password of ANY FTP server with this tool!).exe
Yahoo Remote Password Cracker Deluxe 2003.exe
AIM Remote Password Cracker.exe
Hotmail Exploiter 2003.exe
XNuker 2003.exe
Ultimate HackProg.exe
Msn Messenger Remote Password Cracker 2003.exe
Netbios hacker.exe
Chaos Ip Spoof 2003.exe
At run time:
The worm sends a notification message to antivirus companies:
From: twistmaster13@hotmail.com
Subject: Hi,i'm 100% sure i'm infected!
Body: mmm...if you received this mail,then someone has been infected with W32.CyberWolf.B@mm => a new massmailer worm. For every infection this worm does,you'll receive an email like this. It has never been my intention to cause your mailbox any harm,nor mailbomb it. Its just so that you can have a quite accurate view on how many infections..because most of the times,Av companies are miles away from the real number...
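Every lure in the email section above delivers the worm as a directly executable attachment type (.scr, .pif, .exe or .com) under a file name from a fixed list. The script below is an added example, not part of the original write-up: it parses a raw message with Python's standard email module and flags attachments that match the listed lure names, and, more generally than the write-up, any attachment of an executable type regardless of name, which is the rule a mail gateway would actually enforce. The lure names are taken from the write-up; the build_message helper and the messages it produces are constructed for the demonstration.

```python
# Added example (not from the original write-up): classify inbound messages
# by their attachments.  The lure file names are those the write-up lists;
# the extension rule is the generic mitigation (block executable attachment
# types) and also catches variants that use new names.  Messages are constructed.
from email import message_from_string

# Attachment names used by the worm's mail templates, lower-cased for matching
LURE_ATTACHMENTS = {
    "sars-guide.scr", "api hooking-tutorial.exe", "q30215hotfix.pif",
    "fixsql.com", "last summer.scr", "magical-screensaver.scr", "love.scr",
    "outwar demo.exe", "soccer database.exe",
    "christina aguilera-the most beautiful girl on earth.scr",
    "saddam-the real pics.scr", "virtual joke.scr", "msnmsgs.exe",
}
# File types Windows runs on double-click, whatever icon or name they carry
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com"}


def attachment_names(msg):
    """All file names declared by the MIME parts of a parsed message."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def classify(raw_message):
    """Return (verdict, filename) pairs; an empty list means nothing to flag."""
    msg = message_from_string(raw_message)
    verdicts = []
    for filename in attachment_names(msg):
        lowered = filename.lower()
        extension = lowered[lowered.rfind("."):] if "." in lowered else ""
        if lowered in LURE_ATTACHMENTS:
            verdicts.append(("known lure", filename))
        elif extension in EXECUTABLE_EXTENSIONS:
            verdicts.append(("executable attachment", filename))
    return verdicts


def build_message(sender, subject, filename):
    """Constructed two-part MIME message (text body plus one attachment)."""
    return (
        f"From: {sender}\r\nTo: user@example.org\r\nSubject: {subject}\r\n"
        "MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
        "--b1\r\nContent-Type: text/plain\r\n\r\nconstructed body text\r\n"
        f"--b1\r\nContent-Type: application/octet-stream; name=\"{filename}\"\r\n"
        f"Content-Disposition: attachment; filename=\"{filename}\"\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--b1--\r\n"
    )


if __name__ == "__main__":
    samples = [
        build_message("Support@microsoft.com", "Windows Hotfix!", "Q30215HOTFIX.pif"),
        build_message("someone@example.net", "pics", "Holiday Pics.scr"),
        build_message("colleague@example.org", "report", "q2-report.pdf"),
    ]
    for raw in samples:
        print(classify(raw))
```

The name list catches this worm's templates, but the second rule is the one that lasts: a .pif or .scr attachment is a Windows executable however the lure describes it, and vendors such as Microsoft and Symantec, whose addresses the worm spoofs, do not distribute fixes as mail attachments.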