

pay attention to the new virus Backdoor.Nibu.K





yimaw
When Backdoor.Nibu.K is executed, it performs the following actions:



Creates the following files:


%System%\winldra.exe
%Windir%\dvpd.dll
%Windir%\netdx.dat
%Windir%\prntsvra.dll
%Windir%\TEMP\fa4537ef.tmp

Notes:
%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).


Adds the value:

"load32" = "%System%\winldra.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the risk runs every time Windows starts.


Creates the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\SARS


Attempts to download and execute the following file from [http://]bratva.ddo.jp/[REMOVED]/bog.cmd.txt.

Note: At the time of this writing, the bratva domain was unavailable.


Sends information about the host using the HTTP GET method to: [http://]bratva.ddo.jp/[REMOVED]/logger.php


Captures browser window titles and keystrokes typed into windows with the following strings:


365online.co
abbey.co
aeacu.com
alliance-leicesterbusinessbanking.co
bankofscotland.co
barclays.co
citibank.com
etrade.co
firstdirect.co
halifax.co
hsbc.co
lloydstsb.co
natwest.co
netmastergold.co
rbs.co
smile.co
virginone.co
zurichbank.co


May also try to steal FAR Manager passwords, FTP Commander passwords, and protected storage data. It stores this information in %Windir%\prntk.log. Other stolen information that may also be stored in this file includes:


The IP address of the infected computer
System information such as the operating system
Internet Explorer version


Launches a thread that monitors the clipboard, saving any data found into the following log file:

%Windir%\prntc.log.


Periodically checks the size of the files it uses for logging stolen information. When the files reach a certain size, the stolen information will be copied into an email formatted file using the Trojan's own built-in SMTP engine. The back door retrieves details of the registered owner from the registry and includes these details in the file.


Creates the following raw MIME-compliant file, containing stolen data:

%Windir%\TEMP\fa4537ef.tmp


Listens on TCP port 9125 for instructions from a remote attacker.


Blocks access to several security-related Web sites by adding the following entries to the hosts file:

127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 us.mcafee.com/root/
127.0.0.1 www.symantec.com






Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
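The indicators listed above (the "load32" Run value, the dropped files, the hosts-file entries and the TCP 9125 listener) can be checked on a suspect machine with a short triage script. The following is an added example and is not part of yimaw's post or of the Symantec writeup. The sample hosts file, Run values and netstat lines are constructed for the demonstration; the hosts check goes beyond the fixed list above and flags any non-local hostname pinned to a loopback address, since the same trick is used against vendors not named in the writeup. The live registry and file checks only do anything on Windows and return nothing elsewhere.

```python
"""Host triage for the Backdoor.Nibu.K indicators quoted above.

Added example, not code from the original post or the Symantec writeup.
All sample inputs in this file are constructed for illustration.
"""
import os
import re

# Indicators copied from the writeup.
RUN_VALUE_NAME = "load32"
DROPPED_FILES = [
    r"%System%\winldra.exe",
    r"%Windir%\dvpd.dll",
    r"%Windir%\netdx.dat",
    r"%Windir%\prntsvra.dll",
    r"%Windir%\TEMP\fa4537ef.tmp",
    r"%Windir%\prntk.log",   # keystroke / password log
    r"%Windir%\prntc.log",   # clipboard log
]
C2_PORT = 9125
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately resolve to loopback and must not be flagged.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                        "ip6-localhost", "ip6-loopback"}


def find_sinkholed_hosts(hosts_text):
    """Return (ip, hostname) pairs where a non-local name is mapped to loopback.

    Generalises the vendor list above: any update or vendor domain forced to
    127.0.0.1/0.0.0.0/::1 in the hosts file is suspicious.
    """
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        if ip not in LOOPBACK:
            continue
        for name in names:
            if name.lower() not in LEGIT_LOOPBACK_NAMES:
                hits.append((ip, name))
    return hits


def match_run_values(run_values):
    """run_values: {value name: data} from HKLM\\...\\CurrentVersion\\Run.

    Flags the exact 'load32' value and any Run entry that launches winldra.exe,
    whatever value name it was registered under.
    """
    return [(name, data) for name, data in run_values.items()
            if name.lower() == RUN_VALUE_NAME or "winldra.exe" in data.lower()]


def listener_on_c2_port(netstat_lines):
    """True if a 'netstat -an' style line shows TCP port 9125 in LISTENING state."""
    pat = re.compile(r"^\s*TCP\s+\S+:%d\s+\S+\s+LISTENING" % C2_PORT, re.I)
    return any(pat.match(line) for line in netstat_lines)


def expand(path):
    """Expand the %System% / %Windir% placeholders used in the writeup."""
    windir = os.environ.get("WINDIR", r"C:\Windows")
    system = os.path.join(windir, "System32")
    return path.replace("%Windir%", windir).replace("%System%", system)


def present_dropped_files():
    """Dropped-file paths that exist on this host (empty on non-Windows)."""
    return [p for p in DROPPED_FILES if os.path.exists(expand(p))]


def live_run_values():
    """Read the HKLM Run key on Windows via winreg; {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    values, i = {}, 0
    key = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:       # no more values
                break
            values[name] = str(data)
            i += 1
    return values


# Constructed sample inputs: a hosts file with two Nibu.K entries and one
# unrelated vendor pinned to loopback, a Run key with the load32 value, and
# netstat output showing the back door's listener.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
192.168.1.10 fileserver.corp.example
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.kaspersky.com
127.0.0.1 update.example-vendor.com
"""
SAMPLE_RUN = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
              "load32": r"C:\WINDOWS\System32\winldra.exe"}
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING",
                  "  TCP    0.0.0.0:9125   0.0.0.0:0    LISTENING"]

if __name__ == "__main__":
    print("sinkholed hosts:", find_sinkholed_hosts(SAMPLE_HOSTS))
    print("Run key hits   :", match_run_values(SAMPLE_RUN))
    print("9125 listener  :", listener_on_c2_port(SAMPLE_NETSTAT))
    print("live Run hits  :", match_run_values(live_run_values()))
    print("dropped files  :", present_dropped_files())
```

On a real machine, feed `find_sinkholed_hosts` the contents of `%SystemRoot%\system32\drivers\etc\hosts` and `listener_on_c2_port` the output of `netstat -an`; the hosts check is the one worth keeping in general triage, because a clean machine has nothing but localhost names pointing at loopback.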
n0obie4life
Woohoo! It's a new virus!
frozenhead
Uh-oh... thanks for the info!

© 2005-2011 Frihost, forums powered by phpBB.