MSIL/Zamog.A
Short description
MSIL/Zamog.A is a worm that spreads via shared folders and removable media.
Installation
When executed, the worm copies itself to the following locations:
- %temp%\svchost.exe
- %systemdrive%\ntldr.exe
- %system%\drivers\tmpp.exe
In order to be executed at every interactive logon, the worm sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  "Userinit" = "%system%\Userinit.exe,%temp%\svchost.exe"
The following Registry entries are set:
- [HKEY_CURRENT_USER\Identities\Software\Microsoft\Outlook Express\5.0\signatures]
  "Default Signature" = "C:\WINDOWS\system32.htm/f"
- [HKEY_CURRENT_USER\Software\Patchou\Messenger Plus! Live\GlobalSettings\Scripts\MSN PLUS]
  "background" = "C:\WINDOWS\system32.htm"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  "Hidden" = 1
  "HideFileExt" = 1
  "SuperHidden" = 0
  "ShowSuperHidden" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  "NoFind" = 1
  "NoFolderOptions" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
  "EnableLUA" = "0"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
  "DisableConfig" = 1
  "DisableSR" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Firewall]
  "ImagePath" = "%malwarefilepath%"
  "DisplayName" = "Default Windows Firewall"
  "ObjectName" = "LocalSystem"
  "Start" = 2
  "ErrorControl" = 0
  "Type" = 110
Taken together, these entries turn off User Account Control (EnableLUA = 0) and System Restore (DisableSR, DisableConfig), remove the Search and Folder Options items from Explorer (NoFind, NoFolderOptions), chain the worm into every logon through Userinit, and register it as a service named Firewall that starts automatically (Start = 2) under the LocalSystem account. Windows has no built-in service key with that name; the real firewall service is SharedAccess on Windows XP and MpsSvc on Windows Vista and later.
Spreading on removable media
The worm copies itself into the root folder of removable drives using the following filenames:
- %drive%\ntldr.exe
- %drive%\autorun.inf
The %drive%\ntldr.exe and %drive%\autorun.inf files may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer. The name ntldr.exe mimics the Windows boot loader file ntldr, which legitimately sits in the root of the system drive without an extension; autorun.inf is the standard AutoRun mechanism for launching a copy when the drive is opened on systems that have AutoRun enabled.
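The following triage script is an added example and not code from the ESET description. It checks the Registry indicators listed under Installation above: extra entries in the Winlogon Userinit value, the presence and shape of the bogus Firewall service, and the UAC, System Restore and Explorer policy values the worm writes. The Registry paths come from the description; the clean-state expectations (stock userinit.exe under system32, no service key named Firewall) are assumptions about a default Windows install, and the function arguments in the usage are constructed data, so the checks can be exercised offline as well as against a live Windows host.

```python
import ntpath
import platform

# Registry locations named in the description.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FAKE_SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\Firewall"
# (hive, subkey, value name) -> the data the worm writes there.
WORM_SETTINGS = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", "EnableLUA"): 0,
    ("HKLM", r"SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR"): 1,
    ("HKLM", r"SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableConfig"): 1,
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFind"): 1,
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions"): 1,
}


def _as_int(value):
    """Registry data may be REG_DWORD (int) or REG_SZ ('0'); compare numerically."""
    try:
        return int(str(value).strip().strip('"'))
    except ValueError:
        return None


def userinit_extra_entries(value, system_dir=r"C:\Windows\system32"):
    """Entries in the Winlogon Userinit value other than the stock userinit.exe.
    A clean value is '<system32>\\userinit.exe,' (assumed default); every extra
    entry is launched at each interactive logon, which is how the worm persists."""
    suspicious = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue                      # the trailing comma yields an empty field
        directory, name = ntpath.split(ntpath.expandvars(entry))
        if name.lower() != "userinit.exe":
            suspicious.append(entry)      # foreign program chained into logon
        elif directory and ntpath.normcase(directory) != ntpath.normcase(system_dir):
            suspicious.append(entry)      # look-alike userinit.exe outside system32
    return suspicious


def fake_service_findings(values, system_dir=r"C:\Windows\system32"):
    """values: data under Services\\Firewall as a dict, or None if the key is absent.
    A service key named Firewall does not exist on a default install, so its
    presence alone is a finding; the other checks tie it to this description."""
    if values is None:
        return []
    findings = ["service key 'Firewall' exists"]
    image = ntpath.expandvars(values.get("ImagePath", "").strip('"'))
    if image and ntpath.normcase(ntpath.dirname(image)) != ntpath.normcase(system_dir):
        findings.append(f"ImagePath outside system32: {image}")
    if values.get("DisplayName") == "Default Windows Firewall":
        findings.append("DisplayName matches the worm's service")
    if _as_int(values.get("Start")) == 2 and values.get("ObjectName") == "LocalSystem":
        findings.append("auto-start as LocalSystem")
    return findings


def policy_regressions(observed):
    """observed: {(hive, subkey, value name): data}. Returns the keys whose data
    equals what the worm writes (UAC off, System Restore disabled, Search and
    Folder Options hidden)."""
    return [key for key, bad in WORM_SETTINGS.items()
            if key in observed and _as_int(observed[key]) == bad]


def read_live_registry():
    """Collect the same values from a running Windows host; returns None elsewhere."""
    if platform.system() != "Windows":
        return None
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    observed = {}
    for hive, subkey, name in list(WORM_SETTINGS) + [("HKLM", WINLOGON_KEY, "Userinit")]:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                observed[(hive, subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass                          # key or value not present
    service = None
    try:
        with winreg.OpenKey(hives["HKLM"], FAKE_SERVICE_KEY) as key:
            service = {}
            for name in ("ImagePath", "DisplayName", "ObjectName", "Start", "Type"):
                try:
                    service[name] = winreg.QueryValueEx(key, name)[0]
                except OSError:
                    pass
    except OSError:
        pass
    return observed, service


if __name__ == "__main__":
    live = read_live_registry()
    if live is None:
        # Constructed data standing in for a live read on a non-Windows host.
        print(userinit_extra_entries(r"C:\Windows\system32\userinit.exe,C:\Users\bob\AppData\Local\Temp\svchost.exe"))
    else:
        observed, service = live
        print(userinit_extra_entries(observed.get(("HKLM", WINLOGON_KEY, "Userinit"), "")))
        print(fake_service_findings(service))
        print(policy_regressions(observed))
```

On a live host the script reads HKLM and HKCU for the current user only; the HKCU entries are written per profile, so run it in each interactive user's context or load their hives when sweeping a shared machine. An empty result from `fake_service_findings` means the key is absent, not that the service is benign.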
Spreading via P2P networks
The worm creates copies of itself in folders accessed by the following applications:
- BearShare
- eDonkey2000
- eMule
- Gnucleus
- Grokster
- ICQ
- KaZaa Lite
- KaZaa
- Morpheus
- Direct Connect
- Kazaa Media Desktop
- LimeWire
The following filenames are used:
- %username%_naked.exe
- %variable%.exe
- %variable%.rar
- %variable%ea-keygen.exe
- %variable%ea-keygen.rar
- 1000_worm_sources.exe
- allexploits.exe
- battlefield2-3.exe
- battlefield2-3.rar
- become_hacker.exe
- best_porn.rar
- best_porn.scr
- bitdefender+crack.exe
- britney_spears_naked.rar
- britney_spears_naked.scr
- C&C_%variable%.exe
- C&C_%variable%.rar
- callofduty.exe
- callofduty3.exe
- callofduty4.exe
- callofduty5.exe
- callofduty6.exe
- cod6.exe
- Conficker_removal.exe
- Conficker_source.exe
- ea_games-cdkey.exe
- Emule_speedup.exe
- every_youpornvid.pif
- exploit_pack.exe
- Flyff_PS.exe
- game_collection.exe
- Hacking.exe
- how_to_be_an_hacker.pif
- How_to_hack.exe
- Cheatgenerator.exe
- Icq_hack.exe
- ICQ_hacker.exe
- icq_unlimited.%variable%.exe
- icq_unlimited.%variable%.rar
- irc_bot_source.exe
- Jessica_alba_screensaver.scr
- Limewire_pro.exe
- msn_plus.exe
- nzm_bot.exe
- PhotoshopCS3.exe
- Porn_Jessica_Alba.exe
- Rapidshare_account.exe
- virtual_girls_all.rar
- virtual_girls_all.scr
- virusgen.exe
- virusgen.rar
- windows_vista.exe
- windows_vista.rar
- wormgenerator.exe
- wormgenerator.rar
Spreading via shared folders
The worm searches for computers on the local network. It tries to copy itself into the following folders on a remote machine:
- C$
- IPC$
- Admin$
- D$
- Print$
IPC$ is the named-pipe share used for inter-process communication and holds no files, so copies attempted there fail; the administrative and printer shares are the effective targets.
The following filenames are used:
- funny.scr
- LOOL.pif
- STUPID.scr
- INSTALL.scr
- README.scr
- %variable%.scr
To access the shares, the worm tries to log on with the following user names:
- administrator
- admin
- %username%
The following passwords are used:
- %username%
- admin
- administrator
- ass
- bla
- bla123
- bruns
- dont
- fuck
- homepc
- jew
- john
- kevin
- lol
- lol123
- love
- me
- myhomecomputer
- myhomepc
- omfg
- omg
- piss
- root
- shit
- tom
- user
- xD
Other information
The worm creates the following files:
- %system%\launch.bat
- %system%\launch.vbs
- %system%\launchh.bat
- %system%\launchh.vbs
- %system%\net.vbs
- %windir%\tmpp.log
- %windir%\system32.htm
- %windir%\tam.dll
- %windir%\input%variable%.blp
- %windir%\teest.txt
- %windir%\input123.blp
- %windir%\%variable%.blp
- %system%\wan.vbs
- %windir%\system32\13l.dll
- %windir%\system32\sys.rar
- %windir%\system32\tomp.txt
- %windir%\krnsys.dll
- %windir%\temp.dtx
- C:\Windows\System32\logg.txt
The worm tries to download several files from the Internet.
The worm connects to the following addresses:
- netmegasite.net
- mh-2.gnet.ba
The downloaded files are stored in the following locations:
- %system%/extract.exe
- %system%/svchost001.exe
- %system%/logstm.txt
- %system%/logstm123.txt
The worm modifies the following file:
- %windir%\system32\drivers\etc\hosts
The following entries are added. They resolve security vendor, update and Microsoft sites to the local machine, so that antivirus updates, downloads and removal tools fail to reach their servers:
- 127.0.0.1 avp.com
- 127.0.0.1 customer.symantec.com
- 127.0.0.1 dispatch.mcafee.com
- 127.0.0.1 download.mcafee.com
- 127.0.0.1 f-secure.com
- 127.0.0.1 kaspersky.com
- 127.0.0.1 liveupdate.symantec.com
- 127.0.0.1 liveupdate.symantecliveupdate.com
- 127.0.0.1 mast.mcafee.com
- 127.0.0.1 mcafee.com
- 127.0.0.1 metalhead2005.info
- 127.0.0.1 my-etrust.com
- 127.0.0.1 nai.com
- 127.0.0.1 networkassociates.com
- 127.0.0.1 rads.mcafee.com
- 127.0.0.1 secure.nai.com
- 127.0.0.1 securityresponse.symantec.com
- 127.0.0.1 sophos.com
- 127.0.0.1 symantec.com
- 127.0.0.1 trendmicro.com
- 127.0.0.1 update.symantec.com
- 127.0.0.1 updates.symantec.com
- 127.0.0.1 us.mcafee.com
- 127.0.0.1 viruslist.com
- 127.0.0.1 www.avast.com
- 127.0.0.1 www.avp.com
- 127.0.0.1 www.bitdefender.com
- 127.0.0.1 www.ca.com ca.com
- 127.0.0.1 www.eset.com
- 127.0.0.1 www.f-prot.com
- 127.0.0.1 www.f-secure.com
- 127.0.0.1 www.grisoft.com
- 127.0.0.1 www.kaspersky.com
- 127.0.0.1 www.mcafee.com
- 127.0.0.1 www.microsoft.com
- 127.0.0.1 www.my-etrust.com
- 127.0.0.1 www.nai.com
- 127.0.0.1 www.networkassociates.com
- 127.0.0.1 www.norman.com
- 127.0.0.1 www.sophos.com
- 127.0.0.1 www.symantec.com
- 127.0.0.1 www.trendmicro.com
- 127.0.0.1 www.viruslist.com
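A check for the hosts-file tampering listed above, added here as an example and not part of the ESET description. It parses a hosts file the way the resolver does (comments, tabs, several names per line), flags entries that blackhole a security vendor or update domain, and writes out a cleaned copy. The domain list is built from the second-level domains in the entries above and matches their subdomains by suffix, which is an assumption about what a responder wants to catch; the SAMPLE_HOSTS content is constructed, not a capture from an infected host.

```python
import ipaddress
import os
import platform

# Addresses a hosts entry uses to blackhole a name.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately point at loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
# Second-level domains from the entries above; subdomains match by suffix (assumption).
SECURITY_DOMAINS = (
    "avp.com", "avast.com", "bitdefender.com", "ca.com", "eset.com", "f-prot.com",
    "f-secure.com", "grisoft.com", "kaspersky.com", "mcafee.com", "microsoft.com",
    "my-etrust.com", "nai.com", "networkassociates.com", "norman.com", "sophos.com",
    "symantec.com", "symantecliveupdate.com", "trendmicro.com", "viruslist.com",
)

# Constructed sample: a default-looking header, two legitimate loopback lines,
# an unrelated ad-blocking entry, and three lines of the kind the worm appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# constructed sample, not a real capture
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.invalid
127.0.0.1 www.ca.com ca.com
127.0.0.1\tupdate.symantec.com   # appended by the worm
127.0.0.1 kaspersky.com
"""


def parse_hosts(text):
    """Yield (line number, address, [hostnames]) for every effective entry."""
    for number, line in enumerate(text.splitlines(), start=1):
        body = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not body:
            continue
        fields = body.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not an entry
        yield number, fields[0], fields[1:]


def matches_security_domain(name, domains=SECURITY_DOMAINS):
    """True if name is one of the domains or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def hijacked_entries(text, domains=SECURITY_DOMAINS):
    """(line number, hostname) pairs where a security domain is sent to a sinkhole."""
    found = []
    for number, address, names in parse_hosts(text):
        if address not in SINKHOLE_ADDRESSES:
            continue
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue
            if matches_security_domain(name, domains):
                found.append((number, name))
    return found


def clean_hosts(text, domains=SECURITY_DOMAINS):
    """Return the file with every flagged line removed (whole lines, so a line
    that mixes a legitimate name with a hijacked one is dropped entirely)."""
    bad_lines = {number for number, _ in hijacked_entries(text, domains)}
    kept = [line for i, line in enumerate(text.splitlines(), start=1) if i not in bad_lines]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    if platform.system() == "Windows":
        path = os.path.expandvars(r"%SystemRoot%\System32\drivers\etc\hosts")
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for number, name in hijacked_entries(text):
        print(f"line {number}: {name} is sinkholed")
```

The check is deliberately narrow: it only flags names on the vendor list, so an ad-blocking hosts file that sends thousands of other names to 0.0.0.0 stays quiet. Review the cleaned text before writing it back, and remember that a hosts file reset alone does not remove the worm's service or logon hook.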
The worm obtains the public IP address of the infected computer by connecting to the following address:
- http://www.whatismyip.com/automation/n09230945.asp
The worm executes the following commands:
- netsh interface ip set dns * static 216.146.35.35,216.146.36.36
- netsh firewall set opmode mode=disable
The first command replaces the configured DNS servers with the two addresses shown; the second turns off the Windows Firewall. Statically configured DNS servers set to these addresses on any interface, together with a disabled firewall, are useful indicators when triaging a host.
The worm also creates copies of itself in the following folders:
- C:\Documents and Settings\user\Application Data\*
- C:\My Downloads
- %programfiles%\XPCode
- C:\Inetpub\ftproot
- C:\appserv\www\%variable%
- C:\%programfiles%\appserv\www
- C:\Documents and Settings\user\Application Data\Microsoft\Messenger
- %systemdrive%\*shar*
- %systemdrive%\*www*
Several of these are server document roots (the IIS FTP root, the AppServ web root and any folder whose name contains "www" or "shar"), so copies placed there become downloadable from the infected host.
The following filenames are used:
- %username%_naked.exe
- 1000_worm_sources.exe
- allexploits.exe
- become_hacker.exe
- bitdefender+crack.exe
- callofduty.exe
- callofduty3.exe
- callofduty4.exe
- callofduty5.exe
- callofduty6.exe
- cod6.exe
- Conficker_removal.exe
- Conficker_source.exe
- ea_games-cdkey.exe
- Emule_speedup.exe
- every_youpornvid.pif
- exploit_pack.exe
- Flyff_PS.exe
- game_collection.exe
- Hacking.exe
- how_to_be_an_hacker.pif
- How_to_hack.exe
- Cheatgenerator.exe
- Icq_hack.exe
- ICQ_hacker.exe
- irc_bot_source.exe
- Jessica_alba_screensaver.scr
- Limewire_pro.exe
- msn_plus.exe
- nzm_bot.exe
- PhotoshopCS3.exe
- porn_%variable%.scr
- Porn_Jessica_Alba.exe
- Rapidshare_account.exe
- skype_unlimited.exe
- starcraft.exe
- starcraft_ghost.exe
- user.pif
- user_sucks.exe
- vb.net_ultra_worm.exe
- VB6_install.exe
- Vista_ultimate.exe
- Warcraft3+expansion.exe
- win_mediaplayer_11.exe
- Windows_faster_tutorial.exe
- Windows_NT.exe
- windows_7_full.exe
- Windows_Vista+Windows_7.exe
- Windows7_withSerial.exe
- WindowsVistaultimate.exe
- WinXp.exe
- WinXPpro.exe
- Worldofwarcraft_crack.exe
- worm_generator.exe
- WOW_account.exe
- yourmother.exe
- Youtube_video_converter.exe
- yugioh.exe
