This is the latest variant of Worm_Downad. It exploits software vulnerabilities to propagate to other computers across a network. This worm may be downloaded by other malware/grayware/spyware from remote sites. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.
Effects:
1) It creates a file with a random filename and a .DLL extension in the system folder.
2) It is injected into the following processes running in memory:
- services.exe
- svchost.exe -k NetworkService
3) It creates the following named object (a mutex in Trend Micro's description of this family):
- Global\{random number}-{random number}
4) It adds the following registry entries so that it is loaded as a service DLL by svchost.exe:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}
ImagePath = "%System%\svchost.exe -k netsvcs"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}\Parameters
ServiceDll = "{malware path and file name}"
5) Like its parent version, it mainly exploits the Server Service Vulnerability, which could allow remote code execution.
6) It downloads routines from different malicious websites.
7) It monitors browsers' address bars and blocks access to certain websites.
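The persistence described above (a service whose ImagePath is svchost.exe -k netsvcs and whose Parameters\ServiceDll points at a randomly named DLL) is something a defender can audit directly from the registry. The script below is an added example, not code from the original post or from the malware author; it assumes an elevated PowerShell session on the host being examined and uses only built-in cmdlets. It lists every svchost-hosted service, resolves the DLL it loads, and flags DLLs that are missing or do not carry a valid Authenticode signature.

```powershell
# Added example (not from the original post): enumerate Windows services hosted by
# svchost.exe and report the ServiceDll each one loads, flagging DLLs whose
# Authenticode signature is not valid. The registry layout mirrors the entries
# described in the post (ImagePath under the service key, ServiceDll under Parameters).
# Assumption: run in an elevated PowerShell session on the host being examined.

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if (-not $svc.ImagePath) { return }
    # Only services that run inside a svchost.exe host process are of interest here.
    if ($svc.ImagePath -notmatch 'svchost\.exe') { return }

    $paramsPath = Join-Path $_.PSPath 'Parameters'
    if (-not (Test-Path $paramsPath)) { return }
    $params = Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue
    if (-not $params.ServiceDll) { return }

    # Expand %SystemRoot%-style variables so the DLL can actually be located on disk.
    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)

    $status = 'MISSING'
    if (Test-Path $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $status = $sig.Status
    }

    [PSCustomObject]@{
        Service    = $_.PSChildName
        ImagePath  = $svc.ImagePath
        ServiceDll = $dll
        Signature  = $status
        Suspicious = ($status -ne 'Valid')
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Rows marked Suspicious are a triage list, not a verdict: legitimate third-party services sometimes ship unsigned service DLLs, so compare the flagged path against the vendor's install directory and the DLL's hash against a known-good source before acting. A randomly named, unsigned DLL sitting directly in the system folder and registered under a netsvcs-hosted service is the pattern this post describes.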