Backdoor.Sticy.B (none)

SYMPTOMS: IRC connections to Undernet servers, network load, antivirus processes unable to execute, etc.

TECHNICAL DESCRIPTION: This backdoor is clearly Romanian. It comes in e-mail messages (spammed out by the virus writer) that look like the following:

From: The Company Of BitDefender
Subject: The Company Of BitDefender

Hello, We send you this mail to download our software BitDefender 8 Professional Plus . Please have more security on your computer WORLD! BitDefender Company is free www.******.ro/***.exe

BitDefender 8 Professional Plus features:
NEW! Antispam filters
Enhanced Antivirus protection
Enhanced Firewall protection
Integration with WinXP Security Center
Rescue CD - the ultimate crash recovery tool
24/24 hours free human technical support

You can download or software here:
Download Link: http://www.*****.ro/***.exe
support@bitdefender.com

This is the second version of the Romanian backdoor "Sticy". This time it is not a simple IRC script but a full-featured spy bot. While analyzing the executable, we found references to many well-known components (many features were "borrowed" from the open-source bot "TechBot", a password-cracking algorithm was also "borrowed", etc.).

The worm creates a copy of itself in the file %system32%\explorer.exe. Note that the legitimate explorer.exe resides in the %windows% directory, not in %system32%. The worm then registers itself to be loaded at every system startup (using a trivial method).

The backdoor component of this worm is rather interesting: the worm connects to an Undernet server (chosen from a list) and joins the channel #four. The BitDefender research team joined this channel; the author of this worm was there, waiting for "victims". The worm accepts commands only from a predefined set of hosts/idents: Sticy.*, Ash.*, Ashnet.*, Gopo.*

The command list is rather impressive; the backdoor component is able to run files, steal passwords, perform SYN floods and terminate processes.
It is even able to start a full-featured HTTP server (to access the victim's files), and to steal CD keys for popular games such as "Fifa 2003", "Half Life", "Battlefield 1942", etc. To spread across the network, the worm carries a long list of passwords and tries to brute-force the passwords of the shares it has enumerated on the network. The worm also has keylogging capabilities.

Command list:
pass - display cached passwords
threads - display a list of threads
killthread - terminate a thread
startlogger - start the keylogging mechanism
stoplogger - stop the keylogging mechanism
listprocces - list the running processes
killprocces - terminate a process
disconnect - disconnect the client from the IRC server
reconnect - reconnect the client to the IRC server
server - change the IRC server
reboot - reboot the infected computer
!uninstall - uninstall the worm
httpserver* - start an HTTP server
download - download a file
syn - start a SYN flood
list - list files
delete - delete a file
rename - rename a file
execute - execute a file
makedir - create a directory
sendkeys - send CD keys
cd-rom - open the CD-ROM tray
...etc.

The worm also terminates the processes of a long list of security products and system utilities (antivirus scanners, personal firewalls, and tools such as the registry editor and task manager).
CLEANING INSTRUCTIONS: Start the PC in safe mode, delete the %system32%\explorer.exe file (it has the 'hidden' attribute) and then delete the registry entry pointing to the infected file in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

ANALYZED BY: BitDefender Team
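The persistence check behind the cleaning instructions above, as an added example that is not BitDefender's code: a small Python routine that flags Run entries whose target is an explorer.exe living anywhere other than the Windows directory (the worm's %system32%\explorer.exe drop), run here over constructed sample Run values and assuming a default C:\WINDOWS install location.

```python
import ntpath
import re
from typing import Dict, List

# Assumption: default Windows install location; the legitimate shell is
# %windir%\explorer.exe, while the worm drops itself as %system32%\explorer.exe.
WINDIR = r"C:\WINDOWS"
SYSTEM32 = ntpath.join(WINDIR, "system32")


def expand(value: str) -> str:
    """Expand the few variables that commonly appear in Run values.
    Simplified stand-in for ExpandEnvironmentStrings (case-insensitive)."""
    env = {"%SYSTEMROOT%": WINDIR, "%WINDIR%": WINDIR, "%SYSTEM32%": SYSTEM32}
    for var, path in env.items():
        value = re.sub(re.escape(var), lambda _m: path, value, flags=re.IGNORECASE)
    return value


def image_path(value: str) -> str:
    """Strip surrounding quotes and trailing arguments, keeping the executable.
    Unquoted paths containing spaces are not handled (kept simple on purpose)."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    return value.split(" ", 1)[0]


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Return the names of Run values that launch an explorer.exe from a
    directory other than %windir%, e.g. the worm's %system32%\\explorer.exe."""
    hits = []
    for name, raw in run_values.items():
        path = ntpath.normpath(expand(image_path(raw)))
        is_explorer = ntpath.basename(path).lower() == "explorer.exe"
        in_windir = ntpath.dirname(path).lower() == WINDIR.lower()
        if is_explorer and not in_windir:
            hits.append(name)
    return hits


# Constructed sample of HKLM\...\CurrentVersion\Run values (name -> data).
SAMPLE_RUN_VALUES = {
    "Explorer": r"%SystemRoot%\system32\explorer.exe",  # worm-style entry
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",        # benign
    "Shell": r'"C:\WINDOWS\explorer.exe" /restart',     # legitimate location
}

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_RUN_VALUES))  # ['Explorer']
```

On a live system the same check can be fed the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`; any hit should also have its target inspected for the hidden attribute mentioned in the cleaning instructions.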