P2P w32 worm bloodhound, do read.


caleb_yee
28-08-03, 17:28
W32.HLLW.Astef is a worm that attempts to spread through file-sharing networks, such as KaZaA, KaZaA Lite, Grokster, Bearshare, eDonkey2000, Morpheus, Limewire, Overnet, Papigator, XoloX, Tesla, WinMX, Shareaza, Gnucleus, and ICQ as well.

Namely, I call it bloodhound.w32.5

This is what it does...
When W32.HLLW.Astef runs, it does the following:

Renames the following files, if they exist:
%Windir%\Calc.exe to %System%\Calc.com
%Windir%\Notepad.exe to %System%\Notepad.exe
%Windir%\sol.exe to %System%\sol.com
%Windir%\freecell.exe to %System%\freecell.com
C:\progra~1\trillian\trillian.exe to C:\progra~1\trillian\trillian.com
C:\progra~1\msnmes~1\msnmsgr.exe to C:\progra~1\msnmes~1\msnmsgr.com
C:\progra~1\icq\icq.exe to C:\progra~1\icq\icq.com

NOTES:
%Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
%System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Copies itself as the following:
%Windir%\Calc.exe
%Windir%\Notepad.exe
%Windir%\freecell.exe
%Windir%\ocx32.exe
%Windir%\sol.exe
%Windir%\svchost.exe
%Windir%\windll32.exe
%Windir%\windows_critical_update.exe
%Windir%\windowsupdate.exe
C:\progra~1\trillian\trillian.exe
C:\progra~1\msnmes~1\msnmsgr.exe
C:\progra~1\icq\icq.exe

Creates the text file, %System%\Driversys.dat.

Adds the values:

"WindowsCriticalUpdate"="%Windir%\windows_critical_update.exe"
"WIndowsUpdate"="svchost.exe"

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Adds the values:

"windll"="%Windir%\windll32.exe"
"ocx32"="%Windir%\ocx32.exe"
"microsoft"="%Windir%\svchost.exe"

to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Modifies the value data of the value, "DisableSharing," to 0 in the registry key:

HKEY_CURRENT_USER\Software\Kazaa\LocalContent

Modifies the value data of the value, "DisableSharing," to 0 in the registry key:

HKEY_CURRENT_USER\Software\Grokster\LocalContent

In the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Modifies the values to the following:

"Hidden"=0
"ShowSuperHidden"=0

Attempts to copy itself to the following folders:

C:\Program Files\kazaa\my shared folder
C:\Program Files\kazaa lite\my shared folder
C:\Program Files\Kazaa Lite K++\my shared folder
C:\Program Files\kmd\my shared folder
C:\Program Files\grokster\my grokster
C:\Program Files\bearshare\shared
C:\Program Files\edonkey2000\incoming
C:\Program Files\morpheus\my shared folder
C:\Program Files\limewire\shared
C:\Program Files\winmx\shared
C:\Program Files\Rapigator\Share
C:\Program Files\XoloX\Downloads
C:\Program Files\Tesla\Files
C:\Program Files\WinMX\My Shared Folder
C:\Program Files\Shareaza\Downloads
C:\Program Files\Gnucleus\Downloads
C:\program files\ICQ\Shared Folder
C:\program files\overnet\incoming
C:\my shared folder
C:\My Downloads

Here are some examples of the filenames that the worm copies itself as:

HotMail Hack.exe
AIM & AOL Password Hacker.exe
Mircosoft CD Key Generator.exe
PornStar3D.exe
Spy Toolz.exe
XBOX-BootDVD+Instructions.exe
Sony PlayStation Hack Boot Disk (No MOD Chip Needed)-Working.exe
simsonline(money-cheat)-WORKS.exe
Super Sex Games.exe

You gotta do this.... for sure..
Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan and delete all the files detected as W32.HLLW.Astef. Delete the file, %System%\driversys.dat.
Delete the values that were added to the registry.
Rename the following files, if they exist:
%System%\Calc.com to %Windir%\Calc.exe
%System%\Notepad.exe to %Windir%\Notepad.exe
%System%\sol.com to %Windir%\sol.exe
%System%\freecell.com to %Windir%\freecell.exe
C:\progra~1\trillian\trillian.com to C:\progra~1\trillian\trillian.exe
C:\progra~1\msnmes~1\msnmsgr.com to C:\progra~1\msnmes~1\msnmsgr.exe
C:\progra~1\icq\icq.com to C:\progra~1\icq\icq.exe

Take some time to read....please.
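One way to check a `reg export` of the keys listed above for the worm's persistence and sharing changes before cleaning by hand. This is an added example, not part of the original post or the vendor write-up; the value and key names come from the post, and the .reg text is a constructed sample.

```python
"""Flag W32.HLLW.Astef registry indicators in .reg export text."""
import re

# Run-key value names the worm adds (from the write-up). Registry value
# names are case-insensitive, so everything is compared lower-cased.
ASTEF_RUN_VALUES = {"windowscriticalupdate", "windowsupdate",
                    "windll", "ocx32", "microsoft"}

# Keys where the worm forces a value to 0: exposing P2P shares and
# keeping hidden/system files out of Explorer listings.
ASTEF_ZEROED = {
    r"software\kazaa\localcontent": {"disablesharing"},
    r"software\grokster\localcontent": {"disablesharing"},
    r"software\microsoft\windows\currentversion\explorer\advanced":
        {"hidden", "showsuperhidden"},
}

_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')   # "name"=data lines


def find_astef_indicators(reg_text):
    """Return (key, value name, data) triples that match the worm's changes."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):   # [HKEY_...] header
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1).lower(), m.group(2)
        # Drop the hive prefix so HKCU and HKLM paths compare the same way.
        subkey = key.split("\\", 1)[1].lower() if "\\" in key else ""
        if subkey.endswith(r"\currentversion\run") and name in ASTEF_RUN_VALUES:
            hits.append((key, m.group(1), data))
        elif name in ASTEF_ZEROED.get(subkey, ()) and data.lower() == "dword:00000000":
            hits.append((key, m.group(1), data))   # weaker signal; review by hand
    return hits


# Constructed sample export: two worm entries beside a legitimate ctfmon one.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsCriticalUpdate"="C:\\WINDOWS\\windows_critical_update.exe"
"WIndowsUpdate"="svchost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"windll"="C:\\WINDOWS\\windll32.exe"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"DisableSharing"=dword:00000000
"""

if __name__ == "__main__":
    for key, name, data in find_astef_indicators(SAMPLE_REG):
        print(f"{key} -> {name} = {data}")
```

Export the Run keys and the Kazaa/Grokster/Explorer keys with `reg export` on the suspect machine, then feed the file's text to `find_astef_indicators`; every hit is a value the post says to delete or reset.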