Monday, July 6, 2009

W32.Sapaq computer worm

On 12 June 2009 a computer worm called W32.Sapaq broke out in the computing world. It is a self-replicating worm which spreads through network shares and infects executable files.

This worm can infect the following operating systems:

1 Windows 95
2 Windows 98
3 Windows 2000
4 Windows ME
5 Windows NT
6 Windows XP
7 Windows Server 2003
8 Windows Vista

This worm attacks executable files that are shared and spreads through networks. Its size is believed to be 81463 bytes to 82439 bytes.
It is also believed that this worm is a low category worm (means

Once the file is executed, it copies itself to %System%\drivers\TXP1atform.exe and then creates the following files:
%System%\drivers\JM.SYS
%CommonProgramFiles%\Desktop_1.ini (non-malicious)
%CommonProgramFiles%\Desktop_2.ini (non-malicious)
What makes this worm a possible medium threat is that it deletes the host file and then creates another file. The registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Explorer" = "%System%\drivers\TXP1atform.exe" is created, along with 20+ other registry entries, so the worm runs again at every logon.
Along with the registry entries, the worm recreates the JM.SYS file that was embedded with the originally created files (a variant of a Trojan that steals passwords and transmits them to the virus originator) and changes it: the name changes from JM.SYS to DMusic, with an image path of DMusic that automatically starts when the host machine boots. As the file is a worm, it continues to infect executable files on the host machine until it is contained or neutralized. For network administrators who monitor outgoing connections on their network, the key is to watch TCP port 80 and look for traffic to the IP address 60.173.10.53.
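The indicators above (the "Explorer" Run value pointing at drivers\TXP1atform.exe, the DMusic service, and outbound TCP port 80 traffic to 60.173.10.53) can be swept for in a registry export and a firewall log. The script below is an added example, not code from the original post; the .reg text and log lines are constructed samples, and the log field layout (time, source, destination, protocol, destination port) is an assumption.

```python
import re

# Indicators quoted from the post.
C2_IP = "60.173.10.53"
C2_PORT = 80
SERVICE = "DMusic"

# Constructed registry export (.reg text), not a real capture. Value data in
# .reg files doubles backslashes; key paths do not.
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Updater\\updater.exe"
"Explorer"="C:\\WINDOWS\\system32\\drivers\\TXP1atform.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMusic]
"ImagePath"="C:\\WINDOWS\\system32\\drivers\\DMusic"
'''

# Constructed firewall log lines (the layout "time src dst proto dport" is an assumption).
SAMPLE_FW = [
    "2009-06-12T10:01:02 10.0.0.5 93.184.216.34 TCP 443",
    "2009-06-12T10:01:09 10.0.0.5 60.173.10.53 TCP 80",
    "2009-06-12T10:02:11 10.0.0.7 60.173.10.53 TCP 80",
    "2009-06-12T10:03:00 10.0.0.9 60.173.10.53 UDP 53",
]

# "Explorer" Run value ending in drivers\TXP1atform.exe; the optional second
# backslash accepts both .reg-escaped and plain paths.
RUN_VALUE_RE = re.compile(r'"Explorer"="[^"]*drivers\\\\?TXP1atform\.exe"', re.I)
SERVICE_RE = re.compile(r"\\Services\\" + SERVICE + r"\]", re.I)

def registry_hits(reg_text):
    """Return the names of host indicators found in a .reg export."""
    hits = []
    if RUN_VALUE_RE.search(reg_text):
        hits.append("run_key_explorer")
    if SERVICE_RE.search(reg_text):
        hits.append("dmusic_service")
    return hits

def c2_sources(log_lines):
    """Return internal hosts with outbound TCP/80 connections to the C2 IP."""
    hosts = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines rather than abort the sweep
        _, src, dst, proto, dport = parts
        if dst == C2_IP and proto.upper() == "TCP" and int(dport) == C2_PORT:
            hosts.add(src)
    return sorted(hosts)
```

On the sample data `registry_hits(SAMPLE_REG)` reports both host indicators and `c2_sources(SAMPLE_FW)` returns the two hosts that reached the C2 address over TCP port 80, while the UDP line is ignored.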
