Worm.Win32.Skipi.B worm sample analysis

Source: Internet
Author: User

1. Virus labels:

Virus name: Worm.Win32.Skipi.B

Virus Type: Worm

File MD5: 9fc5fad65fb0dae7b5370607d103aa80

Public scope: full public

Hazard level: 5

File length: 188,416 bytes

Infected system: Windows 98 or later

Development tools: Microsoft Visual C++ 7.0

Packer type: not packed

2. Virus description:

The sample is a worm: an executable with the .scr extension whose icon is disguised as a JPG icon. After it runs, it creates four copies of itself in the system folder, opens the Soap Bubbles.bmp image from the system folder as a decoy, sends lure messages through the Skype client to spread, modifies the hosts file, and blocks security-software-related websites.

3. Behavior analysis:

Local behavior:

1. The following files are created after the sample runs:

%System32%\wndrivs32.exe 188,416 bytes
%System32%\mshtmldat32.exe 188,416 bytes
%System32%\sdrivew32.exe 188,416 bytes
%System32%\winlgcvers.exe 188,416 bytes


2. Adds registry values

Adds the following registry values so that it runs automatically at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Value name: "Policies Options"

Type: REG_SZ

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Value name: "Services Start"

Type: REG_SZ

Data: mshtmldat32.exe

Network behavior:

Sends the following lure messages via Skype to trick recipients into running the worm:

Pala biski
As net nezinau ka tavo vietoj daryciau.: S
Matai: D
;) Geras ane? Patinka?
Kas cia tavim taip isderge? =]
Cia tu isimetei?
Cia biski su photoshopu pazaidziau bet irgi gerai atrodai: D
Zek kur tavo foto metos isdergta
(Mm) kaip as taves noriu
Ziurek kur tavo foto imeciau: D esi?
Labas this (happy) sexy one
What ur friend name wich is in photo?
U happy?
Oh sry not for u
Oops sorry please dont look there: S
You checked? : D
(Rofl) (dedevil) :) really funny
Now u populr
Haha lol
I used photoshop and edited it
Look what crazy photo Tiffany sent to me, looks cool where I put ur
Photo: D
Your photos looks realy nice
Look
Hey how are u? :)


Modifies the hosts file to block security-software-related websites; the affected vendor hostnames are mapped to bogus IP addresses:

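The hosts-file tampering described above is easy to audit. As an added example (not code from the original report), the following Python checker parses hosts-file text and flags any entry that pins a security-vendor hostname to an address; the sample hosts content, the vendor-suffix list and the finding categories are constructed for this demonstration.

```python
import ipaddress

# Constructed sample hosts-file content (not the real file from the sample):
# the hostnames mirror vendor domains the worm targets, the addresses are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example   # legitimate LAN entry
250.148.178.107 www.symantec.com
52.89.240.243   www.sophos.com
182.83.73.57    www.mcafee.com
127.0.0.1       updates1.kaspersky-labs.com
"""

# Vendor domain suffixes: a normal hosts file has no reason to carry entries
# for antivirus update or download servers, so any match is worth a look.
VENDOR_SUFFIXES = ("symantec.com", "pandasoftware.com", "sophos.com", "mcafee.com",
                   "kaspersky-labs.com", "kaspersky.ru", "drweb.com", "viruslist.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing and full-line comments
        if not line:
            continue
        ip, *names = line.split()                 # one address, one or more names
        entries.extend((ip, name.lower()) for name in names)
    return entries


def is_vendor_host(name):
    """True when the hostname is a listed vendor domain or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in VENDOR_SUFFIXES)


def find_hijacks(text):
    """Return (ip, hostname, reason) for entries that redirect vendor hostnames."""
    findings = []
    for ip, name in parse_hosts(text):
        if not is_vendor_host(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback:
            reason = "vendor host sinkholed to loopback"
        elif not addr.is_global:                  # reserved, private or bogon range
            reason = "vendor host mapped to non-routable address"
        else:
            reason = "vendor host pinned to a hard-coded address"
        findings.append((ip, name, reason))
    return findings
```

On a live system the same function can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts; every finding is a candidate for restoring the file and checking the autostart entries listed earlier.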
