-
W32.Donk.S
W32.Donk.S is a network worm that spreads through open network shares and lets a remote attacker gain unauthorized access to the infected computer through a backdoor. The worm also attempts to exploit several vulnerabilities.
When run, W32.Donk.S performs the following actions:
1. Creates copies of itself as %System%\ntsysmgr.exe and %System%\cool.exe
2. Adds the value "Microsoft System Checkup"="ntsysmgr.exe" to the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
3. Adds the value "NT Logging Service"="syslog32.exe" to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4. Checks for network connectivity by connecting to the following domains:
• w3.org
• geocities.com
• freewebpage.org
• fortunecity.co.uk
• angelfire.com
• warez.com
• sms.ac
• isohunt.com
• wincustomize.com
• ftp.as.ro
• dot.tk
• irc.dal.net
• irc.undernet.org
• hotmail.com
• msn.com
• google.com
• yahoo.com
If the worm confirms network connectivity, it attempts to exploit several vulnerabilities (MS03-26, MS04-11, MS03-07) by sending data to random IP addresses.
When the worm finds a vulnerable computer, it opens a backdoor by creating a hidden remote process that listens on port 4444. As a result, the attacker can execute remote commands on the infected computer. It can also send a copy of the worm to the remote computer.
The worm blocks access to certain web sites by modifying the hosts file:
127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
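As an added defensive check (not part of the post or of the advisory it reproduces), the Python below parses hosts-file text and reports every security-vendor name that has been pointed at loopback, the tampering pattern listed above; it also catches 0.0.0.0 sinkholes, which goes beyond the 127.0.0.1 entries the post shows. The vendor domain set and the sample hosts content are constructed for this example.

```python
import ipaddress
# Subset (constructed for this example) of the vendor domains the advisory above lists.
VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "nai.com",
    "networkassociates.com", "trendmicro.com", "kaspersky.com", "avp.com",
    "viruslist.com", "f-secure.com", "sophos.com", "ca.com", "my-etrust.com",
}

def _is_sinkhole(ip_text):
    """True for addresses a hosts-file hijack points a name at (loopback or 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def _is_vendor_host(hostname, vendor_domains):
    """Match a vendor domain exactly or any subdomain of it (liveupdate.symantec.com)."""
    name = hostname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in vendor_domains)

def find_hijacked_vendor_entries(hosts_text, vendor_domains=VENDOR_DOMAINS):
    """Parse hosts-file text and return (line_no, ip, hostname) for every
    security-vendor name pointed at a sinkhole address. Handles '#' comments,
    tabs and several hostnames on one line."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        fields = line.split()
        ip_text, hostnames = fields[0], fields[1:]
        if not _is_sinkhole(ip_text):
            continue                            # a real address, not a block
        for host in hostnames:
            if _is_vendor_host(host, vendor_domains):
                findings.append((line_no, ip_text, host.lower()))
    return findings

# Constructed sample hosts file: a normal localhost line plus entries shaped
# like the ones in the advisory (the worm used 127.0.0.1; 0.0.0.0 is also caught).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   www.trendmicro.com trendmicro.com
127.0.0.1\tliveupdate.symantec.com   # injected entry
0.0.0.0     update.symantec.com
10.0.0.5    intranet.example.test
"""
```

Running `find_hijacked_vendor_entries(SAMPLE_HOSTS)` flags the four vendor names on lines 3 to 5 and leaves the localhost and intranet entries alone.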
2. The worm copies itself to administrative shares using the following combinations of user name and password. User names:
• SST
• database
• sql
• Root
• admin
• Guest
• home
• Administrateur
• Verwalter
• User
• Default
• administrator
• Administrator
Passwords:
• 101
• pw
• mypass
• pw123
• admin123
• 557
• mypc
• love
• pass
• pwd
• Login
• login
• owner
• xxx
• home
• zxcv
• yxcv
• qwer
• secret
• asdf
• pc
• win
• temp123
• temp
• test123
• test
• abc
• aaa
• a
• sex
• god
• root
• administrator
• alpha
• 007
• 123abc
• 0
• 2003
• 2002
• xp
• enable
• 123asd
• super
• Internet
• computer
• server
• 123qwe
• sybase
• oracle
• abc123
• abcd
• database
• passwd
• pass
• 111
• 54321
• 654321
• 123456789
• 1234567
• 123
• 12
• 1
• Password
• Admin
• admin
• 1234
• 12345
• 12345678
• letmein
• qwerty
• 7777
• 1111
• asd#321
• 6969
• 123456
• password
If successful, the worm copies itself to the following directories on the remote system:
• C:\Documents and Settings\All Users\Start Menu\Programs\Startup
• C:\WINDOWS\Start Menu\Programs\Startup
• C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
• \WINNT\Profiles\All Users\Start Menu\Programs\Startup
• \WINDOWS\Start Menu\Programs\Startup
• \Documents and Settings\All Users\Start Menu\Programs\Startup
3. Downloads and runs the following files from a set of predefined web servers:
• %Temp%\upd32a.exe
• %Temp%\kspd32a.exe
• %System%\navinst.exe
4. The worm then opens a backdoor and waits for remote commands from an IRC channel.
http://www.securitylab.ru
-
Re:W32.Donk.S
Missed the mark, old chap :). You filed a worm under viruses.
-
Re:W32.Donk.S
[QUOTE=drongo]
Missed the mark, old chap :). You filed a worm under viruses.
[/QUOTE]
Old age is no joy. Moved it :)
-
Re:W32.Donk.S
[QUOTE=drongo]
Missed the mark, old chap :). You filed a worm under viruses.
[/QUOTE]
Worms and trojans are viruses too. http://www.vlz.ru/books/avp/1classi/sub.htm
http://adept7.narod.ru/library/4admin/security/avirus/classif/index-cl.htm
-
Re:W32.Donk.S
heh heh, what a moronic set of passwords ;D
[quote][list][*]sex[*]god[/list][/quote]well, that is Hollywood experience right there.
-
Re:W32.Donk.S
[QUOTE=azza]
Worms and trojans are viruses too. http://www.vlz.ru/books/avp/1classi/sub.htm
http://adept7.narod.ru/library/4admin/security/avirus/classif/index-cl.htm
[/QUOTE]
I read in a more competent [url=http://www.claws-and-paws.com/virus/faqs/vlfaq200.shtml]FAQ[/url] that there is a difference. It is just that more and more often the functionality of a malicious program combines that of a trojan horse, a worm and even keyloggers. The boundaries are blurring.