Bat/Boohoo-A is an internet worm that spreads via weakly protected network shares on Windows computers. The worm generates random IP addresses and uses a network scanner to scan the corresponding ranges for vulnerable computers.
The worm consists of the following files detected by Sophos Anti-Virus:
starter.bat
scan.bat
ip.bat
hacker.bat
Xecuter.bat
regkeyadd.REG
and the following benign files:
ntscan.exe (a vulnerability scanner)
HideRun.exe (a utility to start other programs hidden)
psexec.bat
rep.bat
service.exe
clearlogs.exe
Firedaemon.exe
CommonDlg32.dll
CYGWIN1.dll
drvrquery32.exe
psexec.exe
rep.EXE
random.exe
protmp.txt
proreset.txt
replace.txt
sys.txt
wm.txt
pro.gif
The files are copied to the Windows system32 folder on the remote compromised computer. The subfolders tmp and tmp1 are created inside the Windows system32 folder on the remote machine, and the hidden attribute is set on the system32 folder. After the files are copied, the worm is started remotely.
The worm starts the following services:
startupdll (startup script psexec.bat)
msnet (svhost.exe)
drvmanager (drvrquery32.exe)
serv-u (drvrquery32.exe)
Bat/Boohoo-A attempts to delete all LOG files from the root folders of drives C: and D: and uses the included clearlogs.exe application to clean system log files. The worm also attempts to remove the shares C$ to Z$.
Bat/Boohoo-A creates backup copies of several of its files:
drvrquery32.exe -> sys.bak
CommonDlg32.dll -> admini.bak
svhost.exe -> systemrun.bak
pro.gif -> sysdlladmin.bak
cygwin1.dll -> starterdll.bak
In order to run automatically on system startup, Bat/Boohoo-A sets the following registry entries under HKLM\Software\Microsoft\Windows\CurrentVersion\Run:
drvrmanager = "C:\\winnt\\system32\\drvrquery32.exe /S"
HideRun.exe = "C:\\winnt\\system32\\HideRun.exe c:\\winnt\\system32\\svhost.exe c:\\winnt\\system32\\pro.gif"
Xecuter.bat = "C:\\winnt\\system32\\psexec.bat"
The worm also sets the following network registry entries under HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters (these disable the automatic administrative shares):
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000
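The two registry locations above (the Run key persistence entries and the lanmanserver share settings) are the indicators a responder can check offline from a registry export. The following is an added detection example, not Sophos's code and not part of the worm: it parses a constructed .reg-style export (written with the full HKEY_LOCAL_MACHINE hive name, as reg export does, where the advisory abbreviates HKLM) and flags any Run value that launches the listed files, and any AutoShareWks/AutoShareServer value set to 0. The sample export, the value "Updater" and the value "Size" are constructed to show that unrelated entries are not reported.

```python
"""Flag Bat/Boohoo-A persistence and share-disabling indicators in a
Windows registry export (.reg text).  Added example with constructed
sample data; it is not a real export and not the vendor's tooling."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
LANMAN_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
              r"\lanmanserver\parameters")

# Run-key value names named in the advisory, each paired with the file its
# data is expected to launch.  Both name and data must match to be reported.
RUN_INDICATORS = {
    "drvrmanager": "drvrquery32.exe",
    "HideRun.exe": "svhost.exe",
    "Xecuter.bat": "psexec.bat",
}
# Values the worm sets to 0 to stop Windows recreating the administrative shares.
AUTOSHARE_VALUES = ("AutoShareWks", "AutoShareServer")


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}.

    Handles "name"="string" (with the \\ and \" escapes reg export writes)
    and "name"=dword:xxxxxxxx lines, which is all these indicators need."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue  # not a value line we understand; skip it
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def find_indicators(keys):
    """Return human-readable findings for the advisory's registry indicators."""
    findings = []
    run = keys.get(RUN_KEY, {})
    for name, launched in RUN_INDICATORS.items():
        data = run.get(name)
        if isinstance(data, str) and launched.lower() in data.lower():
            findings.append(f"Run value '{name}' launches {launched}: {data}")
    lanman = keys.get(LANMAN_KEY, {})
    for name in AUTOSHARE_VALUES:
        if lanman.get(name) == 0:
            findings.append(f"{name} set to 0 (administrative shares disabled)")
    return findings


# Constructed sample export: the three Run entries and two share settings from
# the advisory, plus two unrelated values that must not be reported.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"drvrmanager"="C:\\winnt\\system32\\drvrquery32.exe /S"
"HideRun.exe"="C:\\winnt\\system32\\HideRun.exe c:\\winnt\\system32\\svhost.exe c:\\winnt\\system32\\pro.gif"
"Xecuter.bat"="C:\\winnt\\system32\\psexec.bat"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000
"Size"=dword:00000003
"""

if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

Matching on both the value name and the launched file keeps the check from firing on a legitimately named entry, while a missing Run key or a lanmanserver value of 1 (the Windows default) produces no finding. To run it against a real machine, export the two keys with reg export and pass the file contents to parse_reg_export.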