View Single Post
Eski 11-05-04, 12:11
horde_1 horde_1 çevrimdışı
Talking sasser in ilacı(W32.Cycle)

hayırlı olsun...............
blaster
sasser
ve
skynette etkilerini silenyeni virus......biri dalga geciyor


teknik detaylar
-----------------------------------------------
When W32.Cycle is executed, it performs the following actions:


Creates the following files:
%Windir%\cyclone.txt
%Windir%\system\svchost.exe (a copy of the worm)


--------------------------------------------------------------------------------
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
--------------------------------------------------------------------------------


Ends the following processes:
msblast.exe
avserve.exe
avserve2.exe
skynetave.exe


Creates the following mutexes:
SkynetSasserVersionWithPingFast
Jobaka3l
JumpallsNlsTillt
Jobaka3


If the system clock's date is set to May 18, it will perform Denial of Service (DoS) attacks against www.irna.com and www.bbcnews.com.


Opens a backdoor on TCP port 3332. This backdoor does not have an apparent function. It immediately closes any connection that it has made.


Runs a TFTP server on UDP port 69, which will send a copy of the worm to the processes connecting to that port.


Generates a random IP address and attempts to connect to TCP port 445 on any computer at the IP address.


Runs a remote shell, which downloads a copy of the worm from the TFTP server on UDP port 69, and then runs it. This requires that there is a TFTP client named "tftp" in the path of the computer, on which the remote shell runs.

The name of the downloaded file is cyclone.exe.


When the downloaded file runs, it may modify the value:

"Generic Host Service"="%windir%\system\svchost.exe"

in the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run