W32.Netsad.F.worm
IDENTITY CARD
Threat type: worm
Affected operating systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
* Geographic distribution: Low
* Threat containment: Easy
* Removal: Easy
WHAT IT DOES
Netsad.F is a worm that terminates processes whose names contain certain text strings. These processes belong to important security tools, such as antivirus software and firewalls. The worm spreads via e-mail and through file-sharing programs.
Once executed, it performs the following operations:
* Terminates processes whose names contain these text strings:
ACKWIN32, ADAWARE, ADVXDWIN, AGENTSVR, AGENTW, ALERTSVC, ALEVIR, ALOGSERV, AMON9X, ANTIVIRUS, ANTS, APIMONITOR, APLICA32, APVXDWIN, ATCON, ATRO55EN, ATUPDATER, ATWATCH, AUPDATE, AUTODOWN, AUTOTRACE, AUTOUPDATE, AVCONSOL, AVE32, AVGCC32, AVGCTRL, AVGNT, AVGSERV, AVGSERV9, AVGW, AVKPOP, AVKSERV, AVKSERVICE, AVKWCTl9, AVLTMAIN, AVNT, AVP32, AVPCC, AVPDOS32, AVPM, AVPTC32, AVPUPD, AVSCHED32, AVSYNMGR, AVWINNT, AVWUPD, AVWUPD32, AVWUPSRV, AVXMONITOR9X, AVXMONITORNT, AVXQUAR, BACKWEB, BARGAINS, BD_PROFESSIONAL, BEAGLE, BELT, BIDEF, BIDSERVER, BIPCP, BIPCPEVALSETUP, BLACKD, BLACKICE, BOOTCONF, BOOTWARN, BORG2, BRASIL, BS120, BUNDLE, CCAPP, CCEVTMGR, CCPXYSVC, CFGWIZ, CFIADMIN, CFIAUDIT, CFINET, CFINET32, CLEAN, CLEANER, CLEANER3, CLEANPC, CLICK, CMD32, CMESYS, CMGRDIAN, CMON016, CONNECTIONMONITOR, CPF9X206, CPFNT206, CTRL, CWNB181, CWNTDWMO, IEXPLORER, IFACE, IFW2000, INETLNFO, INFUS, INFWIN, INIT, INTDEL, INTREN, IOMON98, ISTSVC, JAMMER, JDBGMRG, JEDI, KAVLITE40ENG, KAVPERS40ENG, KAVPF, KAZZA, KEENVALUE, KERNEL32, KILLPROCESSSETUP161, LAUNCHER, LDNETMON, LDPRO, LDPROMENU, LDSCAN, LNETINFO, LOADER, LOCALNET, LOCKDOWN, LOCKDOWN2000, LOOKOUT, LORDPE, LSETUP, LUALL, LUAU, LUCOMSERVER, LUINIT, LUSPT, MAPISVC32, MCAGENT, MCMNHDLR, MCSHIELD, MCTOOL, MCUPDATE, MCVSRTE, MCVSSHLD, MFIN32, MFW2EN, MFWENG3.02D30, MGAVRTCL, MGAVRTE, MGHTML, MGUI, MINILOG, MONITOR, MOOLIVE, MOSTAT, MPFAGENT, MPFSERVICE, MPFTRAY, MRFLUX, MSAPP, MSBB, MSBLAST, MSCACHE, MSCCN32, MSCMAN, MSCONFIG, MSDM, MSDOS, MSIEXEC16, MSINFO32, MSLAUGH, MSMGT, MSMSGRI32, MSSMMC32, MSSYS, MSVXD, MU0311AD, MWATCH, N32SCANW, NAVAP.NAVAPSVC, NAVAPSVC, NAVAPW32, NAVDX, NAVLU32, NAVNT, NAVSTUB, NAVW32, NAVWNT, NC2000, NCINST4, NDD32, NEOMONITOR, NEOWATCHLOG, NETARMOR, NETD32, NETINFO, NETMON, NETSCANPRO, NETSTAT, NETUTILS, NISSERV, NISUM, NMAIN, NOD32, NORMIST, NORTON_INTERNET_SECU_3.0_407, NOTSTART, NPF40_TW_98_NT_ME_2K, NPFMESSENGER, NPROTECT, NPSCHECK, NPSSVC, NSCHED32, NSSYS32, NSTASK32, NSUPDATE, NTRTSCAN, NTVDM, 
NTXconfig, NUPGRADE, NVARCH16, NVC95, NVSVC32, NWINST4, NWSERVICE, NWTOOL16, OLLYDBG, ONSRVR, OPTIMIZE, OSTRONET, OTFIX, OUTPOST, OUTPOSTINSTALL, OUTPOSTPROINSTALL, PADMIN, PANIXK, PATCH, PAVCL, PAVPROXY, PAVSCHED, PCFWALLICON, PCIP10117_0, PCSCAN, PDSETUP, PERISCOPE, PERSFW, PERSWF, PFWADMIN, PGMONITR, PINGSCAN, PLATIN, POP3TRAP, POPROXY, POPSCAN, PORTDETECTIVE, PORTMONITOR, POWERSCAN, PPINUPDT, PPTBC, PPVSTOP, PRIZESURFER, PRMVR, PROCDUMP, PROCESSMONITOR, PROCEXPLORERV1.0, PROGRAMAUDITOR, PROPORT, PROTECTX, PURGE, QCONSOLE, QSERVER, RAPAPP, RAV7WIN, RAV8WIN32ENG, RCSYNC, REALMON, REGED, REGEDIT, REGEDT32, RESCUE, RESCUE32, RRGUARD, RSHELL, RTVSCAN, RTVSCN95, RULAUNCH, RUN32DLL, RUNDLL, RUNDLL16, RUXDLL32, SAFEWEB, SAHAGENT, SAVENOW, SBSERV, SCAM32, SCAN32, SCAN95, SCANPM, SCRSCAN, SETUP_FLOWPROTECTOR_US, SETUPVAMEEVAL, SGSSFW32, SHELLSPYINSTALL, SHOWBEHIND, SMSS32, SPERM, SPHINX, SPOLER, SPOOLCV, SPOOLSV32, SPYXX, SREXE, SS3EDIT, SSG_4104, SSGRATE, START, STCLOADER, SUPFTRL, SUPPORT, SUPPORTER5, SVCHOSTC, SVCHOSTS, SVSHOST, SWEEP95, SWEEPNET.SWEEPSRV.SYS.SWNETSUP, SYMPROXYSVC, SYMTRAY, SYSEDIT, SYSTEM, SYSTEM32, SYSUPD, TASKMG, TASKMO, TASKMON, TAUMON, TBSCAN, TEEKIDS, TFAK5, TGBOB, TITANIN, TITANINXP, TRACERT, TRICKLER, TRJSCAN, TRJSETUP, TROJANTRAP3, TSADBOT, TVTMD, UNDOBOOT, UPDAT, UPDATE, UPGRAD, UTPOST, VBCMSERV, VBCONS, VBUST, VBWIN9X, VBWINNTW, VCSETUP, VET32, VET95.
* Prevents the user from visiting a list of web sites, which belong to important security companies.
Netsad.F creates the following files, which are copies of itself:
* SVCHOST32.DLL.EXE and WINUSER32.CAB.EXE in the Windows system folder.
* It copies itself into every folder on the hard disk.
Netsad.F creates the following registry entries:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: winbase32.cab = %sysdir%\svchost32.DLL.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: svchost.cab.dll = %sysdir%\winuser32.cab.exe
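As an added example (not part of the original description), the following check scans exported Run-key entries for the two autorun values listed above and, as a generalization, for any executable with a double extension such as svchost32.DLL.exe; the sample export and the double-extension heuristic are constructed for illustration, not taken from the write-up.

```python
# Added example: flag W32.Netsad.F autorun persistence in an exported Run-key list.
import re
from typing import Iterable, List, Tuple

# Autorun values the write-up attributes to Netsad.F: (value name, file name).
NETSAD_F_AUTORUNS = {
    ("winbase32.cab", "svchost32.dll.exe"),
    ("svchost.cab.dll", "winuser32.cab.exe"),
}
# Constructed heuristic, not from the write-up: a file name ending in a data
# extension followed by .exe (e.g. "svchost32.DLL.exe") is masquerading.
DOUBLE_EXT = re.compile(r"\.(dll|cab|sys|txt|jpg|pdf|doc)\.exe$", re.IGNORECASE)

def classify_autorun(name: str, command: str) -> str:
    """Return 'netsad_f', 'suspicious_double_ext' or 'clean' for one Run value."""
    # Keep only the executable's file name: drop quotes and the directory part.
    exe = command.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if (name.lower(), exe) in NETSAD_F_AUTORUNS:
        return "netsad_f"
    if DOUBLE_EXT.search(exe):
        return "suspicious_double_ext"
    return "clean"

def scan_autoruns(entries: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key path, value name, verdict) for every entry that is not clean.
    Each entry is (key path, value name, command), as exported from the
    HKCU and HKLM ...\\CurrentVersion\\Run keys."""
    findings = []
    for key, name, command in entries:
        verdict = classify_autorun(name, command)
        if verdict != "clean":
            findings.append((key, name, verdict))
    return findings

# Constructed sample export: the two Netsad.F values, one benign entry and
# one unrelated double-extension look-alike.
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "winbase32.cab",
     r"C:\WINDOWS\system32\svchost32.DLL.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "svchost.cab.dll",
     r"C:\WINDOWS\system32\winuser32.cab.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Program Files\Tools\report.pdf.exe"'),
]

if __name__ == "__main__":
    for key, name, verdict in scan_autoruns(SAMPLE_RUN_ENTRIES):
        print(f"{verdict:22} {key}\\{name}")
```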
HOW TO REMOVE IT
1. Disable System Restore.
2. Update your antivirus.
3. Run a full system scan in Safe Mode.