Worm.Win32.Ladex.a
Description Worm.Win32.Ladex.a
Ladex is a network worm, it is efficient only under Windows NT/2000/XP and it is distributed on local area networks. It is a Windows (PE EXE) file about about 275K in size and is written in Microsoft Visual C++.
Installation
Upon being launched the worm creates three copies of itself in the system directories:
%SystemRoot%HelpDOSAPP.HLP
%SystemRoot%InfCDROM.SYS
%SystemRoot%FontsDOSOEM.FON
it also creates new hidden files that are components of the worm:
%SystemRoot%SMSS.EXE
%SystemRoot%CSRSS.EXE
%SystemRoot%System32LADY.EXE
Then it registers the files SMSS.EXE and CSRSS.EXE in the system registry so that they execute upon system reboot:
[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
@="smss.exe"
@="csrss.exe"
Next the worm registers itself as a system service with the name "TCP/IP NetBIOS Provider".
After the first reboot or restart of the service "TCP/IP NetBIOS Provider" the worm also copies itself into the file
%SystemRoot%System32LMHSVC.EXE.
Spreading
The worm "touches" IP-addresses of a local network and tries to connect to network resources under the names
IPC$ and Admin$.
While logged in as "Administrator". If possible, the worm copies itself onto the remote computer in the system directory:
"\XXX.XXX.XXX.XXXAdmin$System32lmhsvc.exe"
Once this is done it registers itself on the remote computer and creates and starts the service "TCP/IP NetBIOS Provider ".
Invisibility
Using the additional components SMSS.EXE and CSRSS.EXE the worm tries to mask (hide)itself in the system. Both files ensure the functioning of the main module LMHSVC.EXE if for any reason it appears unloaded from memory. Besides these components it looks for REGEDIT - if REGEDIT is open it temporarily removes the keys in the system registry and restores them upon the closure of the REGEDIT application. Thus the worm achieves invisibility in the system registry.
Payload
The worm starts the joke program LADY.EXE which displays a set of creeping flies which can be "killed" with the mouse cursor.
Check other viruses! Be aware! Use Antiviral Software
Net-Worm.Win32.Nanspy.d
Description Net-Worm.Win32.Nanspy.d
This network worm infects computers running Windows. The worm itself is a PE EXE file approximately 34KB in size, packed using UPX. The unpacked file is approximately 103KB in size. The worm propagates via the RPC DCOM vulnerability detailed in Microsoft Security Bulletingall
Net-Worm.Win32.Padobot.z
Description Net-Worm.Win32.Padobot.z
This network worm infects computers running Windows. The worm itself is a Windows PE EXE file 46592 bytes in size. It propagates via the Microsoft Windows LSASS vulnerability, which is detailed in Microsoft Security Bulletin MS04-011 Installation Once launched, the worm copies itself to theall
|