[Dshield] New Variant of Backdoor.Haxdoor

Chris Wright dshield at yaps4u.net
Wed Aug 16 21:16:23 GMT 2006


Most vendors have added the new Haxdoor variant to their db's today...

Here is AVG's entry for it:

Virus Encyclopedia

BackDoor.Generic3.GBC!CME-482
CME-482


This worm spreads over the internet by exploiting the MS Windows Server Service
vulnerability described in MS Security Bulletin MS06-040.

Installation:
When the worm is launched it copies itself as wgareg.exe to the Windows System
directory and registers itself as a service named "Windows Genuine Advantage
Registration Service" with automatic startup type under the
HKLM\SYSTEM\ControlSet001\Services\wgareg key in the Windows Registry.

The worm also changes the value of the "EnableDCOM" entry to "n" in the
HKLM\software\microsoft\ole key in the Windows Registry, which disables the DCOM
protocol.

On WinXP and Win2003 Server, the worm changes the startup type of the
Windows Firewall/Internet Connection Sharing (ICS) service in the
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess key from automatic to
manual, which disables the Windows Firewall.

Spreading: internet
The worm stores copies of itself in shared folders, scans IP addresses and,
when it finds a vulnerable computer, uses the exploit to download and launch a
copy of itself.

*********

I've now moved the virus to one of my servers (since I didn't consider how
many of you would ask me for a copy!! :)  )

http://www.yaps4u.net/dshield/Z3566043.zip

U/N: virus
PWD: virus

(Yeah I know it looks daft posting the U/N and PWD to a public forum,
but it's just to stop the casual browser from hitting that folder)
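The AVG entry quoted above lists four host-side artifacts: the dropped wgareg.exe in the System directory, the wgareg service key, EnableDCOM set to "n", and the SharedAccess (Windows Firewall/ICS) service switched to manual startup. The following is an added detection check written for this page; it is not code from the original post, from AVG, or from the worm's analysis. It assumes a Windows host with PowerShell and read access to HKLM, and it additionally looks at CurrentControlSet\Services\wgareg (an assumption, since the entry names only ControlSet001, which on a live system is normally the same control set).

```powershell
# Added detection check for the wgareg/Haxdoor indicators listed in the AVG entry above.
# Example code, not from the original post or AVG. Assumes a Windows host with PowerShell
# and read access to HKLM; run from an elevated prompt for complete results.
function Test-WgaregIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Dropped file: wgareg.exe in the Windows System directory
    $sysDir   = [Environment]::SystemDirectory
    $dropPath = Join-Path $sysDir 'wgareg.exe'
    if (Test-Path -LiteralPath $dropPath) {
        $findings += "File present: $dropPath"
    }

    # 2. Service registration under the wgareg key. AVG cites ControlSet001;
    #    CurrentControlSet is checked as well (assumption: it points at the live set).
    foreach ($set in 'ControlSet001', 'CurrentControlSet') {
        $svcKey = "HKLM:\SYSTEM\$set\Services\wgareg"
        if (Test-Path -LiteralPath $svcKey) {
            $svc = Get-ItemProperty -LiteralPath $svcKey
            $findings += "Service key present: $svcKey (DisplayName='$($svc.DisplayName)', ImagePath='$($svc.ImagePath)', Start=$($svc.Start))"
        }
    }
    $svcObj = Get-Service -Name 'wgareg' -ErrorAction SilentlyContinue
    if ($svcObj) {
        $findings += "Service installed: $($svcObj.Name) [$($svcObj.DisplayName)] status=$($svcObj.Status)"
    }

    # 3. DCOM disabled: EnableDCOM set to "n" under HKLM\SOFTWARE\Microsoft\Ole
    #    (-eq is case-insensitive, so "N" matches too)
    $ole = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    if ($ole -and $ole.EnableDCOM -eq 'n') {
        $findings += "EnableDCOM is 'n' (DCOM disabled)"
    }

    # 4. Windows Firewall/ICS (SharedAccess) start type: Automatic is 2, Manual is 3
    $sa = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess' -ErrorAction SilentlyContinue
    if ($sa -and $sa.Start -eq 3) {
        $findings += "SharedAccess start type is Manual (3); Windows Firewall will not start automatically"
    }

    [pscustomobject]@{
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

# Run the check and report
$result = Test-WgaregIndicators
if ($result.Suspicious) {
    Write-Warning "Possible wgareg/Haxdoor indicators found:"
    $result.Findings | ForEach-Object { Write-Output "  - $_" }
} else {
    Write-Output "No wgareg/Haxdoor indicators found."
}
```

The SharedAccess check is only meaningful on the WinXP and Win2003 systems the entry describes: from Windows Vista onward the firewall runs as a separate service (MpsSvc) and SharedAccess covers only Internet Connection Sharing, which is set to manual by default, so that finding alone is not suspicious there. Likewise, EnableDCOM may legitimately be "N" on a host that was hardened by policy, so treat any single hit as a lead to confirm against the other three artifacts rather than as proof of infection.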


