Top 10 malware reported to Sophos in April 2006
This section helps you to understand how it behaves
W32/Dolebot-A is an email and network worm with IRC backdoor functionality
for the Windows platform.
W32/Dolebot-A spreads to other network computers by exploiting common buffer
overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012),
PNP (MS05-039) and ASN.1 (MS04-007).
W32/Dolebot-A runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over the
computer via IRC channels.
W32/Dolebot-A includes functionality to access the internet and communicate
with a remote server via HTTP.
W32/Dolebot-A sends emails in the following format, with details filled in
to make the email look more authentic:
Subject:
"Your Account is Suspended"
"*DETECTED* Online User Violation"
"Your Account is Suspended For Security Reasons"
"Warning Message: Your services near to be closed"
"Important notification"
"Members support"
"Security measures"
"Email Account Suspension"
"Notice of account limitation"
Message:
"Dear <name> Member,
You have successfully updated the password of your <name> acccount.
If you did not authorize this change or if you need assistance with your
account, please contact <name> customer service at:
Thank you for using <name>!
The <name> Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.<name>"
"Dear user <name>,
It has come to our attention that your <name> User Profile ( x ) records are
out of date. For further details see the attached document.
Thank you for using <name>.
The <name> Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.<name>"
"Dear <name> Member,
We have temporarily suspended your email account <name>.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due
to an internal error within our processors.
See the details to reactivate your <name> account.
Sincerely,The <name> Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.<name>"
"Dear <name> Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages
during the recent week. If you could please take 5-10 minutes out of your
online experience and confirm the attached document so you will not run into
any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your
membership.
Virtually yours,
The <name> Support Team
+++ Attachment: No Virus (Clean)
+++ %s Antivirus - www.<name>"
Attachment name:
Important-details
Account-details
Email-details
Account-info
Document
Readme
Account-report
The attachments have a file extension of .doc, followed by many spaces, then
one of the following so that the file will be executed when opened:
Bat
Cmd
Exe
Pif
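The padded double extension described above (a decoy ".doc", a run of spaces, then the real executable extension) is easy to miss by eye but simple to catch at a mail gateway. The following is an added example written for this page, not code from Sophos or from the worm analysis; the function names (analyse_attachment, classify_message), the choice to match any run of whitespace rather than only "many spaces", and the scoring thresholds are this example's own assumptions. The subject lines and attachment stems are the ones listed in the description.

```python
import re

# Lure subjects and attachment stems exactly as listed in the Sophos description.
LURE_SUBJECTS = {
    "Your Account is Suspended",
    "*DETECTED* Online User Violation",
    "Your Account is Suspended For Security Reasons",
    "Warning Message: Your services near to be closed",
    "Important notification",
    "Members support",
    "Security measures",
    "Email Account Suspension",
    "Notice of account limitation",
}
ATTACHMENT_STEMS = {
    "Important-details", "Account-details", "Email-details",
    "Account-info", "Document", "Readme", "Account-report",
}
# Executable extensions the worm hides behind the padded ".doc" (from the page).
EXEC_EXTENSIONS = {"bat", "cmd", "exe", "pif"}

# Decoy ".doc", a run of whitespace, then the real extension with or without its dot.
# \s+ is used instead of "many spaces" so a single-space variant is caught as well
# (an assumption of this example, not a statement about the worm).
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+?)\.doc\s+\.?(?P<ext>[A-Za-z]{3})$", re.IGNORECASE
)


def analyse_attachment(filename: str) -> dict:
    """Classify one attachment filename (hypothetical helper name)."""
    m = PADDED_DOUBLE_EXT.match(filename)
    padded = m is not None and m.group("ext").lower() in EXEC_EXTENSIONS
    return {
        "filename": filename,
        "padded_executable": padded,
        "real_extension": m.group("ext").lower() if padded else None,
        "known_dolebot_stem": padded and m.group("stem") in ATTACHMENT_STEMS,
    }


def classify_message(subject: str, attachments: list) -> str:
    """Return "block", "review" or "allow"; the weights and thresholds are this example's choice."""
    score = 2 if subject.strip() in LURE_SUBJECTS else 0
    for name in attachments:
        verdict = analyse_attachment(name)
        if verdict["padded_executable"]:
            score += 3  # a padded executable is decisive on its own
        if verdict["known_dolebot_stem"]:
            score += 1
    if score >= 3:
        return "block"
    if score >= 1:
        return "review"
    return "allow"


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    samples = [
        ("Your Account is Suspended", ["Account-details.doc" + " " * 40 + ".exe"]),
        ("Important notification", ["Readme.doc      pif"]),
        ("Lunch on Friday?", ["agenda.doc"]),
    ]
    for subject, atts in samples:
        print(classify_message(subject, atts), "|", subject, atts)
```

A lure subject alone only earns "review" here, because the same wording appears in legitimate account notices; the padded executable extension is the reliable signal, and the known stems merely raise confidence that the sample is this worm rather than another campaign reusing the trick.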
W32/Dolebot-A harvests email addresses from files on the infected computer
and from the Windows address book as well as the Microsoft Internet Account
Manager.
Recovery
This section tells you how to remove the threat.
Please follow the instructions for removing worms.
Advanced
This section is for technical experts who want to know more.
When first run, W32/Dolebot-A copies itself to <Windows>\skype32.exe and
creates the file <System>\rofl.sys.
The file rofl.sys is detected as Troj/RKPort-A.
The file skype32.exe is registered as a new system driver service named "Skype",
with a display name of "Skype Messenger" and a startup type of automatic, so
that it is started automatically during system startup. Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\Skype\
The file rofl.sys is registered as a new system driver service named "rofl",
with a display name of "rofl". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\rofl\
W32/Dolebot-A sets the following registry entries, disabling the automatic
startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger\Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr\Start = 4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2 = 1
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardP
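The registry changes above are the artefacts an incident responder can check offline, for example against a .reg export taken from a suspect machine. The following is an added example for this page, not Sophos's code or tooling; parse_reg_export, assess, the strong/weak split and the verdict thresholds are this example's own assumptions, and both .reg exports are constructed for demonstration, not captures from a real host. The keys, value names and data are the ones listed in the Advanced section; only the service keys pointing at skype32.exe or rofl.sys are treated as strong, because Start = 4, EnableDCOM = N and restrictanonymous = 1 are also legitimate hardening settings and must not raise an alert on their own.

```python
import re

# Registry indicators exactly as given in the Advanced section of the description.
WORM_SERVICES = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\Skype": "skype32.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Services\rofl": "rofl.sys",
}
DISABLED_SERVICES = [  # the worm sets Start = 4 on these
    r"HKLM\SYSTEM\CurrentControlSet\Services\Messenger",
    r"HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry",
    r"HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr",
]
VALUE_INDICATORS = {
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotAllowXPSP2"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Ole", "EnableDCOM"): "N",
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous"): 1,
}
VALUE_LINE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')


def parse_reg_export(text: str) -> dict:
    """Parse the subset of .reg syntax used here: [key] headers, dword and string values.
    Keys and value names are lower-cased because the registry is case-insensitive."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].replace("HKEY_LOCAL_MACHINE", "HKLM").lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, dword, text_value = m.groups()
            # .reg exports double backslashes inside string values; undo that.
            keys[current][name.lower()] = (
                int(dword, 16) if dword is not None else text_value.replace("\\\\", "\\")
            )
    return keys


def assess(keys: dict) -> tuple:
    """Return (verdict, findings); the strong/weak split and thresholds are this example's choice."""
    findings = []
    for svc, binary in WORM_SERVICES.items():
        values = keys.get(svc.lower())
        if values is None:
            continue
        image = str(values.get("imagepath", "")).lower()
        level = "strong" if image.endswith(binary) else "weak"
        findings.append((level, f"service key {svc} present, ImagePath={image or '?'}"))
    # The remaining settings are also legitimate hardening choices: weak on their own.
    for svc in DISABLED_SERVICES:
        if keys.get(svc.lower(), {}).get("start") == 4:
            findings.append(("weak", f"{svc} Start=4"))
    for (key, name), expected in VALUE_INDICATORS.items():
        if keys.get(key.lower(), {}).get(name.lower()) == expected:
            findings.append(("weak", f"{key} {name}={expected}"))
    strong = sum(1 for level, _ in findings if level == "strong")
    weak = len(findings) - strong
    if strong and weak >= 2:
        return "likely infected", findings
    if strong or weak >= 3:
        return "investigate", findings
    return "clean", findings


# Constructed .reg export resembling an infected host (not a real capture).
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Skype]
"DisplayName"="Skype Messenger"
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\skype32.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rofl]
"ImagePath"="C:\\WINDOWS\\system32\\rofl.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"""
# Constructed export of a deliberately hardened but clean host: shares two weak indicators.
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"""

if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("hardened", HARDENED_EXPORT)):
        verdict, findings = assess(parse_reg_export(export))
        print(label, "->", verdict, f"({len(findings)} indicators)")
```

Run against a real export, the parser would also need to handle hex(…) values and line continuations, which this example leaves out; the point it demonstrates is the weighting, where the hardened host stays "clean" despite matching two of the listed values and the infected host is flagged on its service keys rather than on the disabled services alone.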