Friday, July 15, 2011

Backdoor.Chernovtsy.2002

VirusHunter warns computer users that a dangerous hacker virus, Backdoor.Chernovtsy.2002, has been found on the Internet; it allows attackers to gain control over the infected machine via the Internet...

Preliminary information.

Around December 13, 2002, unknown attackers distributed in Chernivtsi, and possibly in other Ukrainian cities, an entirely new hacker virus belonging to the family of so-called Backdoor viruses. Many businesses and organizations of the city suffered damage as a result of their computers being infected with it.
Viruses of this type are malicious programs that steal confidential information from infected machines (by analogy with the virus Badtrans.B, described in my release VirInfo_07) and at the same time open access via the Internet for hackers to all the hard drives of your machine, whose contents they can then dispose of as they wish: copy, delete, block your work on the Internet, and much more. Below I describe in detail the virus Backdoor.Chernovtsy.2002 (the virus writers named it System Manager 1/2, as evidenced by a text fragment [the "copyright" string] present in all components of the malicious program, including its installer).

1. How the virus gets onto the machine.

The criminals send out an e-mail message as an HTML page (its body itself contains no malicious code at all) with links by which users can supposedly reach the most popular automotive site (a bogus link) and the software archive of Ukraine (a real software site), and also download a number of "telephone directories" of Ukrainian cities for 2002. These links were only bait for users: none of the links to the "telephone directories" worked, except one, the "telephone directory" of Chernovtsy for 2002. I myself once fell for it by downloading the directory of our city from that link... I detected the virus only after 2 days, because it activates quite easily and works covertly...

2. The Internet page with the "telephone directory".

First, the innocuous-looking message. In the "From" field: UFA. Subject: Telephone Directory (fixes + additions). The message carries no attachment. The "sender" address did not actually exist, because the message was generated by special hacking software that allows an arbitrary address to be written not only into the envelope of the message but into its body as well (in the "Return-Path" line, the return address). The message offered a number of links from which one could supposedly download the telephone directories of Ukrainian cities such as Kiev, Dnepropetrovsk, Nikolaev, etc., including Chernivtsi. None of these links worked, except the one pointing to the file with the Chernivtsi telephone directory.

3. Installation of the malicious software on the machine.

By downloading from the link http://www.cv-soft.siteid.net/files/tel2002.exe (the malicious file has since been removed) the file tel2002.exe, 425,984 bytes in size, the user in fact downloaded the distribution (installer) of the malware. Once the user launches the file himself, a window with an icon and several options appears:

Regardless of which option the user chooses, the Trojan installs itself into the system. If the user specifies a path for unpacking the imaginary archive and clicks the "Eject" option, the Trojan displays a fake unpacking error message:

If the user selects the "Button1" option, the virus produces another false message:

If the user selects "Cancel" or simply closes the program window, the Trojan installs itself into the system without displaying any messages at all.
The virus is written in C++. It consists of two twin components which, like the installer, are 425,984 bytes in size each and carry the same file attributes and modification date as the installer (the last-modified date corresponds to the end of its download from the Internet onto the user's machine). The components differ from the installer only in fragments of machine code (a manifestation of polymorphism). Both components are written into the system directory C:\WINDOWS under the names config.exe and sysman.exe.
To activate on every system startup, the Trojan registers its config.exe component in the registry autorun key. The key is named "System".
Under Windows 9X/ME the Trojan additionally writes a reference to the file sysman.exe into the system file system.ini, also located in the directory C:\WINDOWS. The reference is placed in the [boot] section, in the line that starts the system shell Explorer. The line modified by the virus looks like this:

[boot]
Shell=Explorer.exe sysman.exe

Through this reference the component sysman.exe is activated on every system startup as an auxiliary module of the system application Explorer. Thus, despite being active while Windows is running, this component does not appear in any of the official lists of active processes in the system and remains completely unnoticed. At startup it in turn launches the component config.exe, having first blocked the autorun key written by the installer (described above); config.exe is loaded into memory and then terminates the "sysman.exe" process in system memory. Thanks to this method of activation via the sysman.exe component, config.exe also does not appear in any of the official lists of active processes in the system (which is why I found the virus only after almost 2 days), while remaining resident in system memory until Windows is shut down.

4. Manifestation of the virus. Stealing confidential information.

The virus manifests itself only at the moment of connecting to the Internet, displaying a false message about something irrelevant in order to confuse the user:

Apart from displaying this message, the virus does not visibly manifest itself on the machine in any other way.
The config.exe component fishes the user's sensitive data out of the system: the password for logging into Windows (if any), the username and password for Internet access, the network password (if there is one), the computer name, the current IP address of the machine on the Internet, and some other things. The virus places all this data in encrypted form in a temporary file (I have not found the file name in the body of the virus; most likely it is generated randomly), which it attaches to a message it generates with the subject "02.01: File for you". The message is in HTML format and is apparently sent to the hackers using the MS Outlook mail client if it is installed in the system; otherwise the virus connects directly to the SMTP server of the Internet service provider (the outgoing mail server) and sends the message by itself.
The viral message is sent to the following addresses of Chernivtsi users: chpost@cv.ukrtel.net (the Chernovtsy post office); dispetcher@tk.cv.ua (dispatching); nbm@chv.ukrpack.net (the TV and radio channel NBM); passage@unicom.cv.ua (the "Passage" store); weekend@west.com.ua (a travel agency); molbuk@sacura.net (the newspaper "Young Bukovinets"). The users of these machines probably did not even suspect that their mailboxes were being used by hackers as transit points for stealing confidential information around the city. The point is that the virus sends the stolen data to these addresses only at night (i.e. only when the infected machine is on the Internet during a certain period of the night, which the Trojan determines by the system timer), when the above companies and organizations have already finished their working day and their mailboxes are being checked by anyone but their rightful owners. It was then that the hackers looked into these mailboxes, cracked in some way evidently long before the malicious code was created, and picked up the messages with attachments sent by the virus. The attackers were helped by the fact that not one of the servers of the Chernivtsi Internet service providers had CallBack, that is, verification, in addition to the username and password, of the telephone number from which the connection to the provider's server is attempted. As a result, having stolen a client's data and using it, the hackers could connect from any telephone number. In addition to the above user addresses, the virus forwards all the retrieved information:
- to an unknown administrator's machine located in the Infocom server subnet 212.1.104. ;
- to the e-mail addresses of the hackers, which the Trojan reads from the file info.txt, retrieving its contents from the links http://vhsoft.boom.ru/files/info.txt (located on one of the pages of the MAIL.RU server) and http://vhsoft.tripod.com/files/info.txt (located on one of the pages of the TRIPOD company's server). At the time these files contained two addresses: vhsoft@softhome.net (apparently the primary one, as it is also written into the body of the virus) and vhsoft@netbox.ru. This method is extremely convenient: the list of hackers' e-mail addresses in the info.txt files can be expanded and changed at any time, without having to make such changes directly in the code of the malicious program each time. The virus stores all the information it has already sent from the infected machine in encrypted form in the file Send.dat, written in one of the subdirectories of the Windows system, and before sending compares the contents of the next data file, placed in the temporary file, against it, for subsequent transmission to all of the above addresses and the hackers' machine.
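As an added example, not part of the original description: a small Python hunt over constructed mail-relay and proxy log lines for the traffic described in this section, that is, messages with the subject "02.01: File for you", night-time mail to the drop addresses listed above, and fetches of the two info.txt URLs. The log line formats, the internal host addresses and the night window (00:00 to 05:59, since the text only says "at night") are my assumptions; the addresses, subject and URLs are the ones given in the text.

```python
"""Hunt for the exfiltration traffic described in section 4 in constructed log lines.

Everything below the indicator lists is a constructed sample for this example: the
mail-relay and proxy log formats, the internal hosts and the night window are
assumptions, not artifacts from an infected machine.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Recipients named in the description: six Chernivtsi drop boxes plus the two
# hacker addresses served through info.txt.
DROP_ADDRESSES = {
    "chpost@cv.ukrtel.net", "dispetcher@tk.cv.ua", "nbm@chv.ukrpack.net",
    "passage@unicom.cv.ua", "weekend@west.com.ua", "molbuk@sacura.net",
    "vhsoft@softhome.net", "vhsoft@netbox.ru",
}
EXFIL_SUBJECT = "02.01: File for you"
CONFIG_URLS = {
    "http://vhsoft.boom.ru/files/info.txt",
    "http://vhsoft.tripod.com/files/info.txt",
}
# The text only says the Trojan sends "at night"; this window is an assumption.
NIGHT_HOURS = range(0, 6)

# Constructed sample logs (invented format: one submission / one request per line).
SMTP_LOG = """\
2002-12-14 02:17:41 client=192.168.1.20 from=user@cv.ukrtel.net to=chpost@cv.ukrtel.net subject="02.01: File for you" size=2310
2002-12-14 02:17:42 client=192.168.1.20 from=user@cv.ukrtel.net to=vhsoft@softhome.net subject="02.01: File for you" size=2310
2002-12-14 09:05:10 client=192.168.1.31 from=boss@cv.ukrtel.net to=partner@example.com subject="Invoice" size=880
2002-12-14 11:40:03 client=192.168.1.31 from=boss@cv.ukrtel.net to=chpost@cv.ukrtel.net subject="Question" size=500
"""
PROXY_LOG = """\
2002-12-14 02:16:58 192.168.1.20 GET http://vhsoft.boom.ru/files/info.txt 200 61
2002-12-14 02:17:00 192.168.1.20 GET http://vhsoft.tripod.com/files/info.txt 404 0
2002-12-14 10:00:00 192.168.1.31 GET http://www.cv-soft.siteid.net/ 200 4021
"""

SMTP_RE = re.compile(
    r'^(?P<ts>\S+ \S+) client=(?P<client>\S+) from=\S+ to=(?P<to>\S+) subject="(?P<subject>[^"]*)"'
)
PROXY_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<client>\S+) GET (?P<url>\S+) (?P<status>\d+)')


def smtp_indicators(line: str) -> Tuple[Optional[str], List[str]]:
    """Return (submitting host, indicators) for one relay log line."""
    m = SMTP_RE.match(line)
    if not m:
        return None, []
    hits = []
    if m["subject"] == EXFIL_SUBJECT:
        hits.append("exfil-subject")
    if m["to"].lower() in DROP_ADDRESSES:
        # Several drop boxes belong to real local businesses that get ordinary mail,
        # so a message to one of them only counts inside the night window.
        hour = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").hour
        if hour in NIGHT_HOURS:
            hits.append("night-mail-to-drop-address")
    return m["client"], hits


def proxy_indicators(line: str) -> Tuple[Optional[str], List[str]]:
    """Flag a fetch of either info.txt address list, whatever the HTTP status:
    a 404 still shows the client asked for it."""
    m = PROXY_RE.match(line)
    if not m:
        return None, []
    return m["client"], ["info.txt-fetch"] if m["url"] in CONFIG_URLS else []


def hunt(smtp_log: str, proxy_log: str) -> Dict[str, List[str]]:
    """Group indicators by internal host; hosts with nothing to report are omitted."""
    found: Dict[str, set] = {}
    records = [smtp_indicators(l) for l in smtp_log.splitlines()]
    records += [proxy_indicators(l) for l in proxy_log.splitlines()]
    for host, hits in records:
        if host and hits:
            found.setdefault(host, set()).update(hits)
    return {host: sorted(hits) for host, hits in found.items()}


if __name__ == "__main__":
    for host, hits in hunt(SMTP_LOG, PROXY_LOG).items():
        print(host, ", ".join(hits))
```

Mail to one of the drop addresses by itself is deliberately not reported: several of them are real local businesses that receive ordinary mail, and it is the night window, or the fixed subject line, that makes a line worth a look. Run against the samples, only 192.168.1.20 is reported; the daytime message from 192.168.1.31 to the post office stays clean.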

5. Upgrading the malicious program via the Internet.

The virus is endowed with the ability to upgrade itself via the Internet (i.e. to update its components). The sysman.exe component can be updated to a newer version, which the virus fetches from some server. The updated component is called vprupdate.exe. Under Windows 9X/ME the Trojan registers this file, as it did the original sysman.exe component, in a new system file system1.ini which it creates, also located in the directory C:\WINDOWS, in the [boot] section, in the line that starts the Explorer shell. The modified line looks like this:

[boot]
Shell=Explorer.exe vprupdate.exe

The virus re-registers the system file system.ini as system1.ini in the hidden system autorun keys and renames the old component sysman.exe to sysman.run, after which the old files system.ini and sysman.run are nothing more than software garbage. These changes take effect after the first reboot of the system, and it is only then that the above-mentioned autorun key written by the malware for the config.exe component comes into use.

6. Remote administration of the infected machine.

Depending on a number of undetermined conditions, the components of the virus can perform a variety of unauthorized actions on your information, such as:
- append to / view "cookie" files (information about visited URLs, contained in the files of the hidden system subdirectory "Cookies", if storing them is allowed by the security settings of the Internet browser);
- create in the system subdirectories the additional files tempinfo.dat and msconfig.dat with their own configurations;
- query any HTTP server (the links are encoded in the body of the virus);
- listen on a given TCP/IP port (receiving commands from a remote hacker server);
- grant a remote person system administrator rights through a specially created section of the key [HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider], after which all your information may become available to criminals over the Internet: they can browse it, copy it, delete it, etc.
In addition, even after the virus has been removed from the machine and the confidential user data (login, password and network computer name) has been changed, a few minutes after connecting to the Internet the machine may be subjected to a forced hang. This manifests itself as follows: all open applications hang and are unloaded from memory one after another, the system issues error messages in applications, after which the Explorer shell is unloaded and the computer finally crashes.

7. Detection and removal of the Trojan from the machine.
Safety on the Internet after removing the virus.

The Trojan was sent for study to certain antivirus companies and added to their antivirus databases. As of January 2005, the components and the installer of the virus are listed by some antivirus companies under the following names:
Kaspersky AntiVirus: Trojan-PSW.Win32.Delf.am (added to the antivirus database 24.12.2002)
Trend PC-cillin: Trojan_PSW.DELF.AM (added to the antivirus database 26.12.2002)
BitDefender Professional: Trojan.SyMan.A (added to the antivirus database 14.03.2003)
Obviously the updated component vprupdate.exe is not detected by any of the above antiviruses, since the malware installs it exclusively via the Internet. It was not detected on my machine either, for which reason it could not be sent to the antivirus companies for study. Therefore it can only be detected and removed by hand. Users who find the virus in their system and detect the vprupdate.exe component are asked to e-mail me a copy of it for study. After deleting all the Trojan files from the system directory C:\WINDOWS, open the system file system.ini (or system1.ini) in the same directory and remove the text reference "sysman.exe" (or, respectively, "vprupdate.exe") from the [boot] section (only under Windows 9X/ME). After that the normal form of the line in this section should be:

[boot]
Shell=Explorer.exe

It is recommended to change all passwords used in the system (such as the password for connecting to the Internet), as well as bank account numbers, if this information was stored on the computer at the time of infection.
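As an added example, not part of the original description: an offline triage script in Python for the persistence points described in sections 3, 5 and 7. It parses a system.ini or system1.ini, reports anything chained onto the [boot] Shell= line besides Explorer.exe, produces the cleaned line from this section, and scans a REGEDIT4 export of a Run key for the "System" value. The INI and registry text are constructed samples; the hive and path of the Run key are my assumption, since the description only gives the value name.

```python
"""Offline triage of the persistence points used by Backdoor.Chernovtsy.2002 on
Windows 9X/ME: the Shell= line of system.ini / system1.ini and the "System" value
of the Run key.  All sample inputs below are constructed for this example."""
import re
from typing import Dict, List, Tuple

LEGIT_SHELL = "Explorer.exe"
# File names taken from the description; anything else chained after Explorer.exe
# is reported too, since the name changes between versions (sysman -> vprupdate).
KNOWN_COMPONENTS = {"config.exe", "sysman.exe", "vprupdate.exe"}

# Constructed samples (not real files from an infected machine).
SYSTEM_INI = """[boot]
shell=Explorer.exe sysman.exe
mouse.drv=mouse.drv

[386Enh]
device=*vcd
"""
SYSTEM1_INI = "[boot]\nShell=Explorer.exe vprupdate.exe\n"
CLEAN_INI = "[boot]\nShell=Explorer.exe\n"
# Hive and path of the Run key are an assumption; the text only gives the value name.
RUN_KEY_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"System"="C:\\WINDOWS\\config.exe"
'''


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: section and key names lower-cased, values kept as-is."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_shell_line(ini_text: str) -> List[str]:
    """Return every program chained onto [boot] Shell= besides Explorer.exe.

    An empty list means the line is in its normal form.  If the first token is not
    Explorer.exe at all, the whole value is returned so a replaced shell is not missed.
    """
    tokens = parse_ini(ini_text).get("boot", {}).get("shell", "").split()
    if tokens and tokens[0].lower() == LEGIT_SHELL.lower():
        return tokens[1:]
    return tokens


def clean_shell_line(ini_text: str) -> str:
    """Rewrite the [boot] Shell= line to 'Shell=Explorer.exe', leaving all else intact.

    This is the manual fix from section 7 applied to the file text; delete the Trojan
    files from C:\\WINDOWS first, as the description says, and only then reboot.
    """
    out, in_boot = [], False
    for raw in ini_text.splitlines():
        s = raw.strip()
        if s.startswith("[") and s.endswith("]"):
            in_boot = s[1:-1].strip().lower() == "boot"
        elif in_boot and s.lower().startswith("shell="):
            raw = "Shell=" + LEGIT_SHELL
        out.append(raw)
    return "\n".join(out) + "\n"


_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def suspicious_run_values(reg_text: str) -> List[Tuple[str, str]]:
    """Scan a REGEDIT4 export of a Run key for the Trojan's "System" value, or any
    value whose program is one of the known component names."""
    hits = []
    for line in reg_text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if not m:
            continue
        name, data = m.group("name"), m.group("data").replace("\\\\", "\\")
        exe = data.split()[0].rsplit("\\", 1)[-1].lower() if data else ""
        if name.lower() == "system" or exe in KNOWN_COMPONENTS:
            hits.append((name, data))
    return hits


def triage(files: Dict[str, str], reg_text: str) -> Dict[str, List[str]]:
    """Combine both checks; keys are the INI file names plus 'registry'."""
    report = {name: check_shell_line(text) for name, text in files.items()}
    report["registry"] = [f"{n}={d}" for n, d in suspicious_run_values(reg_text)]
    return report


if __name__ == "__main__":
    inis = {"system.ini": SYSTEM_INI, "system1.ini": SYSTEM1_INI}
    for where, found in triage(inis, RUN_KEY_REG).items():
        print(f"{where}: {found or 'clean'}")
    print(clean_shell_line(SYSTEM_INI), end="")
```

The check is by position, not by name: any token after Explorer.exe on the Shell= line is reported, which is what catches the renamed update component, and a Run value is reported either by the name "System" or by pointing at one of the component file names.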

Study of the malicious code and preparation of the description: Broido Herman (aka VirusHunter)
Date created: 16.12.2002
Date of last change: 04.03.2005
Credits: Denis Vasiliev, for correcting some technical details of the description
Author: Broido Herman (aka VirusHunter)
