P2P-Worm.Win32.Darby.m


This worm spreads over the Internet via file-sharing (P2P) networks. It also spreads via IRC channels, open network resources, and as an attachment to infected email messages, which it sends to addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file approximately 141KB in size, packed using UPX. The unpacked file is approximately 426KB in size.

Installation

Once launched, the worm causes the following error message to be displayed:

The message uses the name of the worm file, so as to give the user the impression that the file simply could not be executed.

When installing, the worm copies itself to the Windows system directory under the following names:

%System%\Image0X.scr
%System%\KillUsa.exe

It also creates several copies of itself in the Windows system directory using random names, e.g.:

%System%\ISZQ.scr

The worm creates a PKZIP utility in the system directory under the name bZip.exe; this file is approximately 42KB in size. It uses this utility to create an archived copy of itself in the same directory under the name GZIP.ZIP, which is approximately 127KB in size.

The worm also creates the following HTML files:

%Windir%\microsoftweb.htm
C:\Bardiel.hta

The worm then registers its files in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "NETCOMMAND503"="<path to copy of worm>"

[HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Run]
 "NETCOMMAND503"="<path to copy of worm>"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
 "run"="<path to copy of worm>"

This ensures that the worm file will be launched each time Windows is rebooted on the victim machine.

The worm modifies the registry keys listed below, so that when a file with a .bat, .com, .exe, .pif or .scr extension is launched, a copy of the worm is launched instead of that file.

[HKCR\batfile\shell\open\command]
[HKLM\Software\Classes\batfile\shell\open\command]
 "default"="<path to copy of worm> %1"

[HKCR\comfile\shell\open\command]
[HKLM\Software\Classes\comfile\shell\open\command]
 "default"="<path to copy of worm> %1"

[HKCR\exefile\shell\open\command]
[HKLM\Software\Classes\exefile\shell\open\command]
 "default"="<path to copy of worm> %1"

[HKCR\piffile\shell\open\command]
[HKLM\Software\Classes\piffile\shell\open\command]
 "default"="<path to copy of worm> %1"

[HKCR\scrfile\shell\open\command]
[HKLM\Software\Classes\scrfile\shell\open\command]
 "default"="<path to copy of worm> %1"

The worm also modifies the following system registry values to block Task Manager and Registry Tools:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
[HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System]
 "DisableRegistryTools"="dword:00000001"
 "DisableTaskMgr"="dword:00000001"
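
As an added defender-side check (example code written for this entry, not from the original write-up or any vendor tool), the audit below parses a `reg export` style dump and flags the three registry changes described above: the autorun values, the hijacked .bat/.com/.exe/.pif/.scr handlers, and the Task Manager / Registry Tools lockout. The sample export and its paths are constructed; the `@=` default-value syntax is that of reg export files.

```python
import re
RUN_KEYS = (r"\currentversion\run", r"\windows nt\currentversion\windows")
WORM_FILES = ("killusa.exe", "image0x.scr")
POLICY_VALUES = ("disableregistrytools", "disabletaskmgr")
HIJACK_RE = re.compile(r"\\(batfile|comfile|exefile|piffile|scrfile)\\shell\\open\\command$")

def parse_reg_export(text):
    """Parse 'reg export' style text into {key: {value name: data}} (keys and names lowercased)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):  # string value: unescape \" and \\
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name.strip().strip('"').lower()] = data
    return keys

def audit_reg_export(text):
    """Return findings for Darby.m's autorun entries, file-association hijacks and policy lockouts."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.endswith(RUN_KEYS):
            for name, data in values.items():
                if name == "netcommand503" or data.lower().endswith(WORM_FILES):
                    findings.append(f"autorun: [{key}] {name}={data}")
        m = HIJACK_RE.search(key)
        if m:  # clean handlers start with "%1" (e.g. "%1" %*); a launcher in front of %1 is a hijack
            cmd = values.get("@", values.get("default", ""))
            if not cmd.lstrip().startswith(('"%1"', "%1")):
                findings.append(f"hijacked {m.group(1)}: {cmd}")
        if key.endswith(r"\policies\system"):
            for name in POLICY_VALUES:
                if values.get(name, "").lower() == "dword:00000001":
                    findings.append(f"policy: [{key}] {name}=1")
    return findings

# Constructed sample export (illustrative paths, not from a real host): one worm Run value,
# one benign Run value, one hijacked exefile handler, one clean batfile handler, one lockout.
SAMPLE_EXPORT = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NETCOMMAND503"="C:\\WINDOWS\\system32\\KillUsa.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\KillUsa.exe %1"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"""
```

Run it against `reg export HKLM` / `HKCU` / `HKCR` output from a suspect host; any "hijacked" finding should be repaired before disinfection, otherwise every .exe launch re-runs the worm.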

Propagation via P2P

The worm checks the victim machine for an installed P2P client (edonkey2000, emule, kazaa, morpheus and others). It then copies itself into the client's shared directories and open network resource directories under the following names:

ACDSee 5.5.exe
Age of Empires 2 crack.exe
Ana Kournikova Sex Video.exe
Animated Screen 7.0b.exe
aol cracker.exe
AOL Instant Messenger.exe
aol password cracker.exe
AquaNox2 Crack.exe
Audiograbber 2.05.exe
AVP Antivirus Pro Key Crack.exe
BabeFest 2004 ScreenSaver 1.5.exe
Babylon 3.50b reg_crack.exe
Battlefield1942_bloodpatch.exe
Battlefield1942_keygen.exe
Britney Spears Sex Video.exe
Buffy Vampire Slayer Movie.exe
Business Card Designer Plus 7.9.exe
cable modem ultility pack.exe
cable modem ultility pack.exe
Clone CD 5.0.0.3 (crack).exe
Clone CD 5.0.0.3.exe
Coffee Cup Free zip 7.0b.exe
Cool Edit Pro v2.55.exe
counter-strike.exe
Crack Passwords Mail.exe
Credit Card Numbers generator(incl Visa,MasterCard,...).exe
Cristina Aguilera Sex Video.exe
delphi.exe
Diablo 2 Crack.exe
DirectDVD 5.0.exe
DirectX Buster (all versions).exe
DirectX InfoTool.exe
divx pro.exe
DivX Video Bundle 6.5.exe
divx_pro.exe
Download Accelerator Plus 6.1.exe
DVD Copy Plus v5.0.exe
DVD Region-Free 2.3.exe
Edonkey2000-Speed me up scotty.exe
FIFA2004 crack.exe
Final Fantasy VII XP Patch 1.5.exe
Flash MX crack (trial).exe
FlashGet 1.5.exe
FreeRAM XP Pro 1.9.exe
Game Cube Real Emulator.exe
GetRight 5.0a.exe
Global DiVX Player 3.0.exe
Gothic2 licence.exe
GTA 3 Crack.exe
GTA 3 Serial.exe
Guitar Chords Library 5.5.exe
Hentai Anime Girls Movie.exe
Hitman_2_no_cd_crack.exe
Hot Babes XXX Screen Saver.exe
HotGirls.exe
Hotmail Hacker 2004 - Xss Exploit.exe
Hotmail Hacker 2004-Xss Exploit.exe
hotmail_hack.exe
ICQ Pro 2004a.exe
ICQ Pro 2004b (new beta).exe
iMesh 3.6.exe
iMesh 3.7b (beta).exe
IrfanView 4.5.exe
Jenifer Lopez Sex Video.exe
KaZaA Hack 2.5.0.exe
Kazaa SDK   Xbit speedUp for 2.xx.exe
KaZaA Speedup 3.6.exe
Links 2004 Golf game (crack).exe
Living Waterfalls 1.3.exe
macromedia dreamweaver key generator.exe
Mafia_crack.exe
Matrix Movie.exe
Matrix Screensaver 1.5.exe
Mcafee Antivirus Scan Crack.exe
MediaPlayer Update.exe
Microsoft KeyGenerator-Allmost all microsoft stuff.exe
mIRC 6.40.exe
mp3Trim PRO 2.5.exe
MSN Messenger 5.2.exe
NBA2004_crack.exe
Need 4 Speed crack.exe
Nero Burning ROM crack.exe
Netbios Nuker 2004.exe
Netfast 1.8.exe
Network Cable e ADSL Speed 2.0.5.exe
NHL 2004 crack.exe
Nimo CodecPack (new) 8.0.exe
Norton Anvirus Key Crack.exe
PalTalk 5.01b.exe
pamela_anderson.exe
Panda Antivirus Titanium Crack.exe
PerAntivirus 8.9.exe
play station emulator.exe
Popup Defender 6.5.exe
Pop-Up Stopper 3.5.exe
PS2 PlayStation Simulator.exe
Quick Time Key Crack.exe
QuickTime_Pro_Crack.exe
Sakura Card Captor Movie.exe
Screen saver christina aguilera naked.exe
Security-2004-Update.exe
Serials 2004 v.8.0 Full.exe
serials2000.exe
Sex Live Simulator.exe
Sex Passwords.exe
SmartFTP 2.0.0.exe
SmartRipper v2.7.exe
Space Invaders 1978.exe
Spiderman Movie.exe
Splinter_Cell_Crack.exe
Starcraft serial.exe
Start Wars Trilogy Movies.exe
Steinberg_WaveLab_5_crack.exe
Stripping MP3 dancer crack.exe
subseven.exe
Thalia Sex Video.exe
The Hacker Antivirus 5.7.exe
Trillian 0.85 (free).exe
TweakAll 3.8.exe
Unreal2_bloodpatch.exe
Unreal2_crack.exe
UT2004_bloodpatch.exe
UT2004_keygen.exe
UT2004_no cd (crack).exe
UT2004_patch.exe
VB6.exe
virtua girl - adriana.exe
virtua girl - bailey short skirt.exe
Virtua Girl (Full).exe
VirtualSex.exe
Visual Basic 6.0 Msdn Plugin.exe
Visual basic 6.exe
warcraft 3 crack.exe
warcraft 3 serials.exe
WarCraft_3_crack.exe
Winamp 3.8.exe
winamp plugin pack.exe
WindowBlinds 4.0.exe
Windows XP complete   serial.exe
Windows Xp Exploit.exe
WinOnCD 4 PE_crack.exe
WinRar 3.xx Password Cracker.exe
WinZip 9.0b.exe
winzip full version key generator.exe
Winzip KeyGenerator Crack.exe
WinZipped Visual C   Tutorial.exe
XNuker 2004 2.93b.exe
Yahoo Messenger 6.0.exe
Zelda Classic 2.00.exe

This means that other users of the P2P client will be able to access the infected files.

Propagation via email

The worm harvests email addresses from the victim machine. Harvested addresses are saved in the following files:

%Temp%\bh.dat
%Temp%\bl.dat
%Temp%\bm.dat

The worm uses its own SMTP library to send infected messages.

Infected messages

Message subject (chosen from the list below):
  • 100% Ideal
  • Amor y Sexo
  • do you Know if they lie you?
  • Fotos en tu email
  • HackHotmail
  • Looks at the picture
  • Mail Delivery Return System
  • Manual de Seduccion
  • Message
  • Mi Album
  • Mira la foto
  • MORE Drawings
  • New Registry
  • No Adware
  • NoMentir
  • Nuevo Registro
  • Pictures in your email
  • Planet PlayBoy
  • Planeta PlayBoy
  • PornStars Show
  • ReturnMsg
  • Sex Tantrico Images
  • Sexo Tantrico Images
  • Ten commandments give the Love and Sex
  • Test Here
  • Virtual Card
  • you Have a Mensage
  • you have a Virtual Gift
  • Your Name

Message body (chosen from the list below):
  • Debido a las reformas del servidor, se pide a los usuarios completar el nuevo registro a fin de validar sus cuentas y no sean suspendidas. Atentamente AdminSystem
  • due to the reformations he/she gives the servant, it is asked the users to complete the new registration in order to validate their you count and don't be suspended. Sincerely AdminSystem"
  • Este es un test usado por el ejercito de estados unidos al reclutar soldados, para en palabras simples medir cuan propensos a la locura son, hacelo y ve cuan zafado estas.
  • he/she looks at the image 30 second and then he/she looks to another part and truth at something surprising (good optic illusion, almost hallucination)
  • Hello, you don't know me, but I ship you something that interested you, God willing it is you gives utility, bye
  • I ship You the info that you requested me, responds that such this, bye
  • Looks at this scrensaver gives the actresses he/she gives the cinema porn
  • mira la imagen 30 segundos y luego mira a otra parte y veras algo sorprendente ......(buena ilusion optica, casialucinacion)
  • Osama Ben Laden the man that I declare the War to United States
  • Se te cambia la pagina de inicio?, te salen ventanas de publicidad, problemas con dialers, troyanos u otros adwares, prueba este programa gratis y acabemos con la lacra que es el Adware.
  • The best pictures give PlayBoy gives this year, it passes them ;)
  • The corporal language accuses the lie subtly, 5 tips to know if they are telling you e truth.
  • The names and the last names like all word have a meaning, the one which already in most he/she gives times or we don't remember, perhaps find the meaning he/she gives yours in our database:)
  • there is an available card for you on behalf of a friend. discharge it or enters to the link:)
  • they have sent You a virtual Gift, this available one during 7 days, discharge it or enters to the link:)
  • to Maintain a healthy loving relationship and upper demands a lot of effort and many desires, we give you these 10 keys
  • you Know that it means the form gives to kiss or that types and techniques exist, know them
  • you Want to improve your success with the opposite sex, search keeps an eye on this text. that has useful advice.

Attachment name (chosen from the list below):
  • 10Claves.zip
  • 16Playboy.zip
  • CrazyTest.zip
  • CwshredderPlus.zip
  • Drawings.zip
  • E-Card.zip
  • EL-Card.zip
  • FuckSanta.zip
  • Gusanito.com
  • HackHotmail.zip
  • Ideal.zip
  • Kiss.zip
  • Lie.zip
  • NoMentir.zip
  • Ph0t0.zip
  • Photo.zip
  • PornStars.zip
  • Registro.zip
  • Registry.zip
  • ReturnMsg.zip
  • Seduc.zip
  • Sex_Tantra.zip
  • SigName.zip
  • TestRayado.zip
  • TuFuturo.zip
  • videoClip.zip
  • Virtual0034.zip
  • xImages.zip

Propagation via IRC channels

The worm will rewrite the files listed below in order to send copies of itself to users in the same IRC channel as the victim machine:

%ProgramFiles%\mIRC\script.ini
%ProgramFiles%\mIRC32\script.ini

Payload

The worm terminates active processes where the names of the processes contain the following text strings:

ate32class
adaware
advxdwin
auto-protect
alogserv
anti-trojan
avsched32
avconsol
ackwin32
autodown
antivir
avsynmgr
avrep32
atupdater
atwatch
autotrace
aplica32
atro55en
aupdate
autoupdate
avrescue
avltmain
backweb
blackice
bd_professional
bidserver
bootwarn
buscareg
claw95ct
cfiaudit
cfiadmin
cmgrdian
cleanpc
cmon016
cpf9x206
cpfnt206
csinject
csinsm32
css1631
cwnb181
cwntdwmo
ccevtmgr
ccpxysvc
defwatch
defalert
drwatson
drweb32
drwebupw
efinet32
espwatch
efpeadm
etrustcipe
ecengine
findviru
f-agnt95
f-stopw
filemon
fameh32
flowprotector
fp-win_trial
generics
hacktracer
icssuppnt
icsupp95
iomon98
ifw2000
iparmor
kavlite
lookout
lockdown
lucomserver
ldpromenu
ldnetmon
localnet
mpftray
moolive
msconfig
monitor
mcmnhdlr
mcupdate
mcvsrte
minilog
mcvsshld
mpfservice
mcshield
mfweng3
msinfo32
mssmmc32
mu0311ad
nspclean
nupgrade
nwtool16
normist
nisserv
nsched32
neowatchlog
nvsvc32
nwservice
ntxconfig
npscheck
netutils
notstart
ncinst4
netarmor
netinfo
netspyhunter
netstat
nvarch16
nvlaunch
nwinst4
nvapsvc
outpost
offguard
ostronet
procexp
pcfwallicon
programauditor
pop3trap
poproxy
pcntmon
pview95
pqremove
pfwagent
prebind
pcdsetup
pcip10117_0
pfwadmin
portdetective
ppinupdt
ppvstop
procexplorerv1
proport
protect
pccntmon
qconsole
qserver
rtvscn95
rulaunch
regedit
regedt32
realmon
stinger
safeweb
symproxysvc
symtray
ss3edit
swnetsup
schedapp
setupvameeval
setup_flowprotector_us
sgssfw32
shellspyinstall
srwatch
supftrl
supporter5
sysdoc32
sysedit
sharedaccess
taskmon
tauscan
titanin
tmntsrv
undoboot
vshwin32
vsecomr
vbcmserv
vir -help
vettray
vcontrol
vccmserv
vcsetup
vfsetup
vnlan300
vnpc3000
vpfw30s
vscenu6
vsisetup
wfindv32
wimmun32
webtrap
watchdog
wradmin
w32dsm89
whoswatchingme
winrecon
winroute
winsfcm
wsbgate
zonealarm
zatutor
zonestub
zlclient
zauinst
zonalm2601
taskmgr

The worm may also download files from the servers listed below without the user's knowledge or consent.

http://hosting.m***at.com/interserv7
http://interserv1.thefr***izhost.com
http://interserv10.i***tworx.de
http://interserv6.m***tespace.com
http://interserv9.t**.com

©Virus-Encyclopedia.com All Rights Reserved.