Antivirus Alert

Name: Win32.Fizzer.A@mm

Aliases: W32/Fizzer-A, I-Worm.Fizzer, W32.HLLW.Fizzer@mm, W32/Fizzer@MM

Type: Executable Mass Mailer

Code length: 250000 Kb

Discovered: 2003-05-12 14:00:00

Spread: High

Risk: medium

ITW: yes

Description: This virus spreads via e-mail, IRC and KaZaA, and has backdoor and keylogger components. The backdoor component uses mIRC and AIM (AOL Instant Messenger).

Symptoms:

- Presence of the following files in the Windows directory:

iservc.exe

initbak.dat

progOp.exe

iservc.dll

- Presence of the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemInit = "%WINDOWS%\iservc.exe"

HKEY_CLASSES_ROOT\txtfile\shell\open\command = "%WINDOWS%\ProgOp.exe 0 7 ' %1'"

where %WINDOWS% refers to the Windows directory.

Details: This virus spreads via e-mail, IRC and KaZaA, and has backdoor and keylogger components. The backdoor component uses mIRC and AIM (AOL Instant Messenger), allowing the author to issue commands on the infected computer.



The virus generally arrives in e-mails whose attachments have one of the following extensions:

EXE, PIF, COM, SCR



The e-mail (subject and body) is assembled from various strings and may contain one of the following:

I thought this was interesting...
rather psychedelic...
found this on the net, you might like it...
discotheque
imbrue
Damn it feels good to be gangsta.
The way I feel - Remy Shand
Paradigm Shift
WASSUP!
Know Thyself
Hell
I love you
Please discard if you don't like or agree with our present leadership...
little popup remover
B cannot remember
Yo, WASSUP, B?
an interesting program...
You might not appreciate this...
I think you might find this amusing...
LOL
check this out... hehehe
question...
see you tomorrow.
how are you?
you need to lose weight.
why?
kind of simple, but fun nonetheless.
check it out.
I sent this program (Sparky) from anonymous places on the net.
The way to gain a good reputation is to endeavor to be what you desire to appear.
There is only one good, knowledge, and one evil, ignorance.
Watchin' the game, having a bud.
Did you ever stop to think that viruses are good for the economy? Maybe the primary creators of the world's worst viruses are the companies that make the Anti-Virus software.
Today is a good day to die...
so, how are you?
the attachment is only for you to look at
you must not show this to anyone...
delete this as soon as you look at it...
Let me know what you think of this...
If you don't like it, just delete it.
thought I'd let you know
you don't have to if you don't want to.
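The mail characteristics above (risky attachment extensions plus a fixed pool of subject/body strings) are enough to build a gateway-side triage rule. The following is an added example written for this page, not code from the advisory or from BitDefender; the sample messages are constructed inline, the string list is a subset of the advisory's pool, and the three-way verdict (pass / review / quarantine) is this example's own scoring, not anything the advisory specifies.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment extensions the advisory lists for Fizzer mail.
RISKY_EXTENSIONS = {".exe", ".pif", ".com", ".scr"}

# Subset of the subject/body strings quoted in the advisory. Short, generic
# entries ("LOL", "why?", "Hell", "how are you?") are deliberately left out:
# they would match ordinary mail and flood the review queue.
FIZZER_STRINGS = [
    "I thought this was interesting...",
    "rather psychedelic...",
    "found this on the net, you might like it...",
    "discotheque",
    "imbrue",
    "Damn it feels good to be gangsta.",
    "Paradigm Shift",
    "WASSUP!",
    "Know Thyself",
    "little popup remover",
    "Yo, WASSUP, B?",
    "check this out... hehehe",
    "I sent this program (Sparky) from anonymous places on the net.",
    "Today is a good day to die...",
    "the attachment is only for you to look at",
    "you must not show this to anyone...",
    "delete this as soon as you look at it...",
]


def attachment_names(msg):
    """Collect filenames of all non-multipart parts that carry a filename or
    are marked as attachments."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name or part.get_content_disposition() == "attachment":
            names.append(name or "")
    return names


def risky_attachments(names):
    """Return names whose *final* extension is risky. splitext keeps only the
    last suffix, so a double extension such as photo.jpg.scr is still caught."""
    return [n for n in names if os.path.splitext(n)[1].lower() in RISKY_EXTENSIONS]


def matched_strings(msg):
    """Case-insensitive search of subject plus plain-text body for pool strings."""
    subject = msg.get("Subject", "") or ""
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content() if text_part is not None else ""
    haystack = (subject + "\n" + body).lower()
    return [s for s in FIZZER_STRINGS if s.lower() in haystack]


def triage(raw):
    """Parse a raw RFC 822 message and return a verdict with the evidence."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = risky_attachments(attachment_names(msg))
    strings = matched_strings(msg)
    if attachments and strings:
        verdict = "quarantine"      # both indicators present
    elif attachments or strings:
        verdict = "review"          # one indicator: hold for a human
    else:
        verdict = "pass"
    return {"verdict": verdict, "risky_attachments": attachments, "matched_strings": strings}


def build_sample(subject, body, attachment_name=None):
    """Construct a sample message (constructed test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "you@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


# Constructed samples: a Fizzer-like mail, a double-extension lure without pool
# strings, and a benign message.
SUSPICIOUS = build_sample("Paradigm Shift", "check this out... hehehe", "sparky.pif")
DOUBLE_EXT = build_sample("hi", "see the photo", "photo.jpg.scr")
BENIGN = build_sample("meeting", "agenda attached", "agenda.pdf")

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("double_ext", DOUBLE_EXT), ("benign", BENIGN)):
        print(label, triage(raw))
```

The attachment check keys on the last extension rather than on the declared MIME type, because the lure controls the Content-Type header but a Windows shell of that era executed by extension. The "review" tier exists so that a risky extension without any pool string is still held rather than silently passed.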





After execution, the virus tries to terminate any process whose name contains:

NAV, SCAN, AVP, TASKM, VIRUS, F-PROT, VSHW, ANTIV, VSS, NMAIN



It creates a mutex object named SparkyMutex so that only a single instance of itself is installed in memory.



It harvests e-mail addresses from the Windows Address Book, Cookies, the Temporary Internet Files directory and the My Documents directory, and stores them in the .cab file data 1-2 in the Windows directory.

It uses the default-configured MAPI program to send itself to the harvested e-mail addresses.



The virus uses a dedicated configuration file in which it stores all of its information.

It uses an engine, Sparky, which can be updated (initially via an Internet address).

The keylogger component (iservc.dll) saves keystrokes to the file iservc.klg or to a backup file, wavckb.dlb, in the Windows directory.
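The host indicators given in the Symptoms and Details sections (dropped files in the Windows directory, the Run-key entry, the hijacked .txt handler, the SparkyMutex name, the keylogger output files) can be evaluated together in a single host check. The following is an added example written for this page, not a BitDefender tool; the HostSnapshot structure, the scoring thresholds and the two sample snapshots are constructed for illustration, and the live collector is provided for Windows only and is not exercised here.

```python
from dataclasses import dataclass, field

# File names the advisory lists in the Windows directory (compared case-insensitively).
WINDOWS_FILES = {"iservc.exe", "initbak.dat", "progop.exe", "iservc.dll",
                 "iservc.klg", "wavckb.dlb"}
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_KEY = r"HKEY_LOCAL_MACHINE\\" + RUN_SUBKEY
TXTFILE_SUBKEY = r"txtfile\shell\open\command"
TXTFILE_KEY = r"HKEY_CLASSES_ROOT\\" + TXTFILE_SUBKEY
MUTEX_NAME = "SparkyMutex"


@dataclass
class HostSnapshot:
    """What the checks need from a host; constructed here, or collected on Windows."""
    windows_dir_files: list
    run_values: dict                      # value name -> command, from the Run key
    txtfile_command: str                  # default value of txtfile\shell\open\command
    mutexes: list = field(default_factory=list)


def check_files(snapshot):
    return sorted(f for f in snapshot.windows_dir_files if f.lower() in WINDOWS_FILES)


def check_run_key(snapshot):
    """Flag the advisory's SystemInit value, or any Run entry launching iservc.exe."""
    hits = []
    for name, cmd in snapshot.run_values.items():
        if name.lower() == "systeminit" or "iservc.exe" in cmd.lower():
            hits.append(f"{RUN_KEY}\\{name} = {cmd}")
    return hits


def check_txtfile_handler(snapshot):
    """Text files should open with notepad. Fizzer points the handler at
    ProgOp.exe; the check is written generically so any other hijack shows too."""
    cmd = snapshot.txtfile_command.strip().lower()
    if "notepad.exe" in cmd and "progop" not in cmd:
        return None
    return f"{TXTFILE_KEY} = {snapshot.txtfile_command}"


def check_mutex(snapshot):
    return [m for m in snapshot.mutexes if m == MUTEX_NAME]


def assess(snapshot):
    """Combine the checks; two or more independent indicators count as infected."""
    findings = {
        "files": check_files(snapshot),
        "run_key": check_run_key(snapshot),
        "txtfile_handler": check_txtfile_handler(snapshot),
        "mutex": check_mutex(snapshot),
    }
    score = sum(1 for v in findings.values() if v)
    findings["verdict"] = "infected" if score >= 2 else ("suspicious" if score == 1 else "clean")
    return findings


def collect_live_windows():
    """Populate a HostSnapshot from the running Windows system (Windows only,
    not exercised here). Named mutexes cannot be enumerated with the standard
    library, so that list stays empty and the mutex check simply reports nothing."""
    import os
    import winreg
    windows_dir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:          # raised when no more values remain
                break
            run_values[name] = str(value)
            i += 1
    txt_cmd = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, TXTFILE_SUBKEY)
    return HostSnapshot(os.listdir(windows_dir), run_values, txt_cmd)


# Constructed snapshots: one mirroring the advisory's indicators, one clean host.
INFECTED = HostSnapshot(
    windows_dir_files=["explorer.exe", "iservc.exe", "initbak.dat", "progOp.exe", "iservc.dll"],
    run_values={"SystemInit": r"C:\WINDOWS\iservc.exe"},
    txtfile_command=r"C:\WINDOWS\ProgOp.exe 0 7 ' %1'",
    mutexes=["SparkyMutex"],
)
CLEAN = HostSnapshot(
    windows_dir_files=["explorer.exe", "notepad.exe", "win.ini"],
    run_values={"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    txtfile_command=r"%SystemRoot%\system32\NOTEPAD.EXE %1",
)

if __name__ == "__main__":
    print("constructed infected host:", assess(INFECTED))
    print("constructed clean host:", assess(CLEAN))
```

The .txt handler check is the one worth generalising: a file-association command that no longer points at notepad is a persistence and interception technique independent of this particular worm, so the function reports any such deviation rather than only the ProgOp.exe string.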



It also has a backdoor component, through which it tries to connect at random to one of the following IRC servers, joining a password-protected channel (under a random nickname) in which the author can issue commands to the infected computers.

Disinfection:

- Manual disinfection: create an empty file named UNINSTALL.PKY in the Windows directory, wait one minute, then delete the file progOp.exe from the Windows directory.

- Automatic disinfection: use the free removal tool provided by BitDefender: http://www.bitdefender.ro/html/utilitare_gratuite.php





Virus analyzed by:

Patrik Vicol

BitDefender Virus Researcher





Copyright © 2001 - 2008 Idilis SRL, Eliade Tower
Strada Mircea Eliade nr. 18, 7th floor, sector 2, Bucharest
Tel.: 031 860 0800; customer support: 021 204 36 56