Virus: Worm/IRCBot.9609
CME number: 482
Date discovered: 13/08/2006
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: Medium
Static file: Yes
File size: 9.609 Bytes
MD5 checksum: 9928A1E6601CF00D0B7826D13FB556F0
VDF version: 6.35.01.85
IVDF version: 6.35.01.85
General Methods of propagation:
• Local network
• Messenger
Aliases:
• Symantec: Backdoor.IRC.Bot
• McAfee: IRC-Mocbot!MS06-040
• Kaspersky: Backdoor.Win32.IRCBot.st
• TrendMicro: WORM_IRCBOT.JK
• F-Secure: Backdoor.Win32.IRCBot.st
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Disable security applications
• Lowers security settings
• Registry modification
• Makes use of software vulnerability
• Third party control
Files
It copies itself to the following location:
• %SYSDIR%\wgareg.exe
It deletes the initially executed copy of itself.
Registry
The following registry keys are added in order to load the service after reboot:
– [HKLM\SYSTEM\CurrentControlSet\Services\wgareg]
• Type = 110
• Start = 2
• ErrorControl = 0
• ImagePath = %SYSDIR%\wgareg.exe
• DisplayName = Windows Genuine Advantage Registration Service
• ObjectName = LocalSystem
• FailureActions = %hex values%
• Description = Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.
– [HKLM\SYSTEM\CurrentControlSet\Services\wgareg\Security]
• Security = %hex values%
– [HKLM\SYSTEM\CurrentControlSet\Services\wgareg\Enum]
• 0 = Root\LEGACY_WGAREG\0000
• Count = 1
• NextInstance = 1
The following registry keys are changed:
– [HKLM\SOFTWARE\Microsoft\Ole]
Old value:
• EnableDCOM = %user defined settings%
New value:
• EnableDCOM = n
– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
Old value:
• restrictanonymous = %user defined settings%
• restrictanonymoussam = %user defined settings%
New value:
• restrictanonymous = 1
• restrictanonymoussam = 1
– [HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
New value:
• autoshareserver = 0
• autosharewks = 0
– [HKLM\SOFTWARE\Microsoft\security center]
Old value:
• antivirusdisablenotify = %user defined settings%
• antivirusoverride = %user defined settings%
• firewalldisablenotify = %user defined settings%
• firewalldisableoverride = %user defined settings%
New value:
• antivirusdisablenotify = 1
• antivirusoverride = 1
• firewalldisablenotify = 1
• firewalldisableoverride = 1
Deactivate Windows XP Firewall:
– [HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile]
Old value:
• enablefirewall = %user defined settings%
New value:
• enablefirewall = 0
– [HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile]
Old value:
• enablefirewall = %user defined settings%
New value:
• enablefirewall = 0
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
Old value:
• Start = %user defined settings%
New value:
• Start = 4
Messenger
It is spreading via Messenger. The characteristics are described below:
– AIM Messenger
Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.
Exploit:
It makes use of the following Exploit:
– MS06-040 (Vulnerability in Server Service)
IRC
To deliver system information and to provide remote control it connects to the following IRC Servers:
Server: bniu.house**********
Port: 18067
Channel: #n1
Nickname: n1-%random character string%
Password: nert4mp1
Server: ypgw.wall**********
Port: 18067
Channel: #n1
Nickname: n1-%random character string%
Password: nert4mp1
– Furthermore it has the ability to perform actions such as:
• Launch DDoS SYN flood
• Launch DDoS UDP flood
• Download file
• Execute file
• Start spreading routine
Miscellaneous
Mutex:
It creates the following Mutex:
• wgareg
File details
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
See a brief description here.
Inserted by Philipp Wolf on Sun, 13 Aug 2006 15:49 (GMT+1)
Updated by Andrei Gherman on Mon, 14 Aug 2006 13:00 (GMT+1)
What the OP is talking about should be this one... Shameful Rising... a whole day later than the foreigners... no wonder they only had the nerve to claim they were "first in China"...
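As an added example (not part of this post or of Avira's write-up): a small Python checker that scans a `.reg` export for the registry changes the write-up lists, so a defender can confirm or rule out this infection from an offline export. The export text below is constructed for the demonstration and is not a capture from a real machine.

```python
# Constructed .reg export mimicking keys from the write-up above; not a real capture.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgareg]
"ImagePath"="C:\\WINDOWS\\system32\\wgareg.exe"
"DisplayName"="Windows Genuine Advantage Registration Service"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
'''

def parse_reg(text):
    """Flatten a .reg export into {(key, value_name): value}; dwords become ints."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].replace("HKEY_LOCAL_MACHINE", "HKLM").lower()
        elif key and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                values[(key, name.lower())] = int(raw[6:], 16)
            else:  # quoted string: drop the quotes, undo the \\ escaping
                values[(key, name.lower())] = raw.strip('"').replace("\\\\", "\\")
    return values

# Indicators taken from the write-up: (key, value name, condition, description)
SVC = r"hklm\system\currentcontrolset\services"
SC = r"hklm\software\microsoft\security center"
FW = r"hklm\software\policies\microsoft\windowsfirewall"
INDICATORS = [
    (SVC + r"\wgareg", "imagepath", lambda v: str(v).lower().endswith("wgareg.exe"), "wgareg service runs wgareg.exe"),
    (r"hklm\software\microsoft\ole", "enabledcom", lambda v: str(v).lower() == "n", "DCOM disabled"),
    (SC, "antivirusoverride", lambda v: v == 1, "Security Center antivirus override set"),
    (SC, "firewalldisablenotify", lambda v: v == 1, "Security Center firewall warnings suppressed"),
    (FW + r"\standardprofile", "enablefirewall", lambda v: v == 0, "Windows Firewall policy disabled"),
    (SVC + r"\sharedaccess", "start", lambda v: v == 4, "SharedAccess (firewall) service disabled"),
]

def find_indicators(reg_text):
    """Return the description of every listed indicator present in the export."""
    values = parse_reg(reg_text)
    return [d for k, n, cond, d in INDICATORS if (k, n) in values and cond(values[(k, n)])]
```

Run `find_indicators` on an export produced with `reg export HKLM <file>`; a single hit such as a disabled firewall is weak on its own, while the `wgareg` service entry together with the Security Center overrides matches the pattern in the write-up.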