VR2 Blog - :

Details:


Installation
Upon execution, this worm drops a randomly named copy of itself in any subfolder under %User Profile% folder. It also drops randomly named copies of itself in folders that contain any of the following strings:
  • Download
  • Upload
  • Share

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

In addition, it drops the following files in the specified locations:
  • %System%\crtsys.dll
  • %System%\moonlight.scr
  • %User Profile%\Start Menu\Programs\Startup\adodb.cmd
  • %Windows%\moonlight.txt - a non-malicious component

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It also creates a randomly named subfolder in both the Windows folder and the Windows system folder, and drops a randomly named copy of itself into each.

It uses any of the following extension names for its dropped copies:
  • CMD
  • COM
  • EXE
  • SCR
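The drop locations and extensions above can be turned into a triage check over a list of file paths collected from a suspect machine. The following script is an added example for this post, not code from the original write-up; the environment mapping, the path list and the numeric file names are constructed to resemble what the write-up describes, and the "numeric stem" rule is an assumption drawn from the {Random numbers} placeholders used later in the post's Run entries.

```python
import ntpath

# Constructed Windows XP-style layout for the placeholders the write-up uses.
# On a live system these would come from the matching environment variables.
ENV = {
    "%System%": r"C:\WINDOWS\system32",
    "%Windows%": r"C:\WINDOWS",
    "%User Profile%": r"C:\Documents and Settings\user",
}

# Fixed component names the write-up lists as dropped by the worm.
KNOWN_DROPS = [
    r"%System%\crtsys.dll",
    r"%System%\moonlight.scr",
    r"%User Profile%\Start Menu\Programs\Startup\adodb.cmd",
    r"%Windows%\moonlight.txt",
]
COPY_EXTENSIONS = {".cmd", ".com", ".exe", ".scr"}   # extensions used for dropped copies
FOLDER_WORDS = ("download", "upload", "share")        # folder names the worm copies into


def expand(template, env=ENV):
    """Replace the write-up's %placeholder% names with concrete paths."""
    for placeholder, value in env.items():
        template = template.replace(placeholder, value)
    return template


def suspicious_drops(paths, env=ENV):
    """Return (path, reason) pairs for entries of `paths` that match the drop
    patterns in the write-up. `paths` is any iterable of full Windows paths,
    for example a directory listing gathered for triage."""
    known = {expand(p, env).lower() for p in KNOWN_DROPS}
    system_roots = tuple(env[k].lower() for k in ("%System%", "%Windows%"))
    findings = []
    for path in paths:
        low = path.lower()
        stem, ext = ntpath.splitext(ntpath.basename(low))
        folder = ntpath.dirname(low)
        if low in known:
            findings.append((path, "known dropped component"))
        elif ext in COPY_EXTENSIONS and any(w in folder for w in FOLDER_WORDS):
            findings.append((path, "executable in a Download/Upload/Share folder"))
        elif ext in COPY_EXTENSIONS and stem.isdigit() and folder.startswith(system_roots):
            # Assumption: the random names are digit strings, as in the Run entries.
            findings.append((path, "numeric-named executable under the Windows/system folder"))
    return findings


# Constructed sample listing mixing legitimate files with worm-style drops.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\crtsys.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\84721.exe",
    r"C:\WINDOWS\notepad.exe",
    r"C:\WINDOWS\moonlight.txt",
    r"C:\Documents and Settings\user\Start Menu\Programs\Startup\adodb.cmd",
    r"C:\Documents and Settings\user\My Documents\Downloads\setup.exe",
    r"C:\Documents and Settings\user\My Documents\Downloads\readme.txt",
    r"C:\Shared\report.scr",
]

if __name__ == "__main__":
    for path, reason in suspicious_drops(SAMPLE_PATHS):
        print(f"{reason:55s} {path}")
```

The Download/Upload/Share rule will also catch legitimate installers people keep in such folders, so treat those hits as candidates for a hash or signature check rather than as confirmed infections; the known-component and numeric-stem hits are far more specific.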

In addition, this worm creates the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\titta
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\untukmu2

Autostart Techniques
This worm creates the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{Random numbers} = "%System%\{Random numbers}.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{Random numbers} = "%Windows%\{Random numbers}.exe"

It also creates the following registry entries to enable its automatic execution once a .SCR or .EXE file is accessed:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile
{Default} = "File Folder"

(Note: The default value data for the said entry is Application.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile
{Default} = "File Folder"

(Note: The default value data for the said entry is Screen Saver.)

On Windows NT-based systems (Windows NT, 2000, XP, and Server 2003), it modifies the following registry entry as part of its autostart technique:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe, C:\Documents and Settings\Administrator\Templates\{Random numbers}\{Random numbers}.exe"

(Note: The default value data of the said entry is Explorer.exe.)

It also enables itself to execute even when the system is in Safe Mode. It does this by modifying the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot
AlternateShell = "{Random numbers}.exe"

(Note: The default value data of the said entry is "cmd.exe".)

It also modifies the following registry entry as part of its autostart technique:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Common Startup = "%System%\33055a"

(Note: The default value data of the said entry is "%ALLUSERSPROFILE%\Start Menu\Programs\Startup". This data value is hard-coded.)

Other Registry Modifications
This worm creates the following registry entry in an attempt to disable Registry Editor:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = "1"

It creates the following registry entries to disable Registry Editor and MSConfig:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
debugger = "%Windows%\notepad.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
debugger = "%Windows%\notepad.exe"

It also hides files that have the hidden or system attribute set, and hides file extension names. It does this by modifying the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said entries is "1".)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt = "1"

(Note: The default value data of the said entry is "0".)

It also prevents the display of the full path of files in the title bar by modifying the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
FullPath = "1"

(Note: The default value of the said entry is "0".)

It disables the Windows Firewall and Internet Connection Sharing services by modifying the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
Start = "0"

(Note: The default value data of the said entry is "2".)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
UncheckedValue = "0"

(Note: The default value data of the said entry is "1".)
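Because the write-up gives both the worm's value and the clean default for most of these entries, the autostart and "other registry modification" sections can be checked mechanically against a file produced with `reg export`. The script below is an added example for this post, not code from the original write-up. The .reg text is constructed (its numeric names stand in for the worm's {Random numbers}), the DWORD encoding of the Explorer and service values is an assumption about how such an export looks, and the clean default of "0" for DisableRegistryTools is an assumption since the write-up does not state it.

```python
# Constructed sample: roughly what `reg export` of the affected keys yields on a
# machine where this worm has run. Values follow the write-up; 84721 and 11903
# are stand-ins for its random numeric names.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"84721"="C:\\WINDOWS\\system32\\84721.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"11903"="C:\\WINDOWS\\11903.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
@="File Folder"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile]
@="File Folder"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Documents and Settings\\Administrator\\Templates\\84721\\84721.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot]
"AlternateShell"="84721.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"debugger"="C:\\WINDOWS\\notepad.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000000
"""

HKLM = "HKEY_LOCAL_MACHINE\\"
HKCU = "HKEY_CURRENT_USER\\"
ADV = HKCU + "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
IFEO = HKLM + "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"

# (key, value name, clean default, meaning). Default None means the value
# should not exist at all, so any presence is reported.
RULES = [
    (HKLM + "SOFTWARE\\Classes\\exefile", "", "Application", ".EXE file class relabelled"),
    (HKLM + "SOFTWARE\\Classes\\scrfile", "", "Screen Saver", ".SCR file class relabelled"),
    (HKLM + "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "Shell", "Explorer.exe", "extra logon shell"),
    (HKLM + "SYSTEM\\ControlSet002\\Control\\SafeBoot", "AlternateShell", "cmd.exe", "Safe Mode shell replaced"),
    (HKLM + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "Common Startup",
     "%ALLUSERSPROFILE%\\Start Menu\\Programs\\Startup", "common Startup folder redirected"),
    # Assumption: "0" (tools allowed) is the clean state for this policy value.
    (HKCU + "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableRegistryTools", "0", "Registry Editor disabled"),
    (IFEO + "msconfig.exe", "debugger", None, "MSConfig hijacked via IFEO"),
    (IFEO + "regedit.exe", "debugger", None, "Regedit hijacked via IFEO"),
    (ADV, "Hidden", "1", "hidden files no longer shown"),
    (ADV, "ShowSuperHidden", "1", "system files no longer shown"),
    (ADV, "HideFileExt", "0", "file extensions hidden"),
    (HKCU + "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CabinetState", "FullPath", "0", "title-bar path setting changed"),
    (HKLM + "SYSTEM\\CurrentControlSet\\Services\\SharedAccess", "Start", "2", "Firewall/ICS service start type changed"),
]


def parse_reg_export(text):
    """Parse the subset of .reg syntax written by `reg export`: [key] headers,
    "name"="string", @="string" and "name"=dword:hex. Other value types are
    kept as their raw text. Returns {(key_lower, name_lower): data_as_str}."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        if key is None or "=" not in line:
            continue
        name_part, data_part = line.split("=", 1)
        name = "" if name_part == "@" else name_part.strip('"')
        if data_part.startswith("dword:"):
            data = str(int(data_part[6:], 16))
        elif data_part.startswith('"') and data_part.endswith('"'):
            data = data_part[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            data = data_part
        values[(key, name.lower())] = data
    return values


def check_registry(values):
    """Compare parsed values against RULES and flag numeric-only Run entries."""
    findings = []
    for key, name, default, why in RULES:
        observed = values.get((key.lower(), name.lower()))
        if observed is None:
            continue                      # absent is the clean state for every rule
        if default is None or observed.lower() != default.lower():
            findings.append(f"{key}\\{name or '(Default)'} = {observed!r} (expected {default!r}): {why}")
    for (key, name), data in values.items():
        if key.endswith("\\currentversion\\run") and name.isdigit():
            findings.append(f"{key}\\{name} = {data!r}: numeric-only Run entry")
    return findings


def scan_export(text):
    return check_registry(parse_reg_export(text))


if __name__ == "__main__":
    for finding in scan_export(SAMPLE_REG_EXPORT):
        print(finding)
```

Absent values are deliberately treated as clean, so the checker only reports what the export actually contains; run it against exports of both HKLM and HKCU, and remember that the write-up's SafeBoot entry lives under ControlSet002, so an export of CurrentControlSet alone may miss it.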
Propagation via Email and Floppy Drives
This worm propagates via email. It sends a copy of itself as an attachment to email messages, which it sends using its own Simple Mail Transfer Protocol (SMTP) engine. The email message it sends has the following details:
Subject: (any of the following)
• Agnes Monica pic's
• aku mahasiswa BSI Margonda smt 4
• Aku Mencari Wanita yang aku Cintai
• Cek This
• CoolMan
• dan cara menggunakan email mass
• di lampiran ini terdapat curriculum vittae dan foto saya
• foto dan data Wanita tsb Thank's
• Fucking With Me :D
• hello
• hey Indonesian porn
• Hot ...
• ini adalah cara terakhirku ,di lampiran ini terdapat
• Japannes Porn
• Joe
• miss Indonesian
• Nana
• NB:Mohon di teruskan kesahabat anda
• oh ya aku tahu anda dr milis ilmu komputer
• please read again what i have written to you
• Tolong
• Tolong Aku..
• yah aku sedang membutuhkan pekerjaan

From: (any of the following)
• admin
• Agnes
• Ami
• Anata
• astaga
• boleh
• Cicilia
• Claudia
• Davis
• Emily
• Fransisca
• Fransiska
• Fria
• gaul
• HellSpawn
• Hilda
• Ida
• indo
• Julia
• JuwitaNingrum
• Lanelitta
• Lia
• Linda
• Nadine
• Natalia
• PLASA
• Riri
• Rita
• sasuke
• SaZZA
• sisilia
• Susi
• telkom
• Titta
• Valentina
• Vivi
• warung

Message body: (any of the following)
• aku mahasiswa BSI Margonda smt 4
• Aku Mencari Wanita yang aku Cintai
• CoolMan
• dan cara menggunakan email mass
• di lampiran ini terdapat curriculum vittae dan foto saya
• foto dan data Wanita tsb Thank's
• ini adalah cara terakhirku ,di lampiran ini terdapat
• Japannes Porn
• NB:Mohon di teruskan kesahabat anda
• oh ya aku tahu anda dr milis ilmu komputer
• yah aku sedang membutuhkan pekerjaan

Attachment: Mypic.zip
It avoids sending messages to addresses containing any of the following strings:
  • avira
  • Friendster
  • gmail
  • hotmail
  • login
  • mcafee
  • norman
  • norton
  • novell
  • panda
  • security
  • sophos
  • Syman
  • Trend
  • vaksin
  • virus
  • yahoo

It also drops a copy of itself to floppy drives (usually A:) once a floppy disk is inserted into the system.
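The subject, sender, body and attachment lists above are exactly the fields a mail gateway or mailbox-hunting script can match on. The script below is an added example for this post, not code from the original write-up: it parses a raw RFC 822 message with Python's standard `email` package and reports which of the write-up's indicators it matches. The two sample messages and their example.invalid addresses are constructed.

```python
import email
import email.utils
from email import policy

# Indicator lists transcribed from the write-up; all matching is case-insensitive.
WORM_SUBJECTS = {s.lower() for s in [
    "Agnes Monica pic's", "aku mahasiswa BSI Margonda smt 4", "Aku Mencari Wanita yang aku Cintai",
    "Cek This", "CoolMan", "dan cara menggunakan email mass",
    "di lampiran ini terdapat curriculum vittae dan foto saya", "foto dan data Wanita tsb Thank's",
    "Fucking With Me :D", "hello", "hey Indonesian porn", "Hot ...",
    "ini adalah cara terakhirku ,di lampiran ini terdapat", "Japannes Porn", "Joe", "miss Indonesian",
    "Nana", "NB:Mohon di teruskan kesahabat anda", "oh ya aku tahu anda dr milis ilmu komputer",
    "please read again what i have written to you", "Tolong", "Tolong Aku..",
    "yah aku sedang membutuhkan pekerjaan",
]}
WORM_SENDERS = {s.lower() for s in [
    "admin", "Agnes", "Ami", "Anata", "astaga", "boleh", "Cicilia", "Claudia", "Davis", "Emily",
    "Fransisca", "Fransiska", "Fria", "gaul", "HellSpawn", "Hilda", "Ida", "indo", "Julia",
    "JuwitaNingrum", "Lanelitta", "Lia", "Linda", "Nadine", "Natalia", "PLASA", "Riri", "Rita",
    "sasuke", "SaZZA", "sisilia", "Susi", "telkom", "Titta", "Valentina", "Vivi", "warung",
]}
WORM_BODIES = [s.lower() for s in [
    "aku mahasiswa BSI Margonda smt 4", "Aku Mencari Wanita yang aku Cintai", "CoolMan",
    "dan cara menggunakan email mass", "di lampiran ini terdapat curriculum vittae dan foto saya",
    "foto dan data Wanita tsb Thank's", "ini adalah cara terakhirku ,di lampiran ini terdapat",
    "Japannes Porn", "NB:Mohon di teruskan kesahabat anda",
    "oh ya aku tahu anda dr milis ilmu komputer", "yah aku sedang membutuhkan pekerjaan",
]]
WORM_ATTACHMENT = "mypic.zip"


def worm_indicators(raw_message):
    """Return the indicators from the write-up that a raw message matches:
    subject, sender display name, body phrase and attachment file name."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in WORM_SUBJECTS:
        hits.append("subject: " + subject)
    display, address = email.utils.parseaddr(str(msg["From"] or ""))
    sender = display or address.split("@")[0]   # bare senders such as "admin" have no display name
    if sender.lower() in WORM_SENDERS:
        hits.append("sender: " + sender)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    for phrase in WORM_BODIES:
        if phrase in text:
            hits.append("body: " + phrase)
            break
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == WORM_ATTACHMENT:
            hits.append("attachment: " + part.get_filename())
    return hits


def classify(raw_message):
    """Two or more independent indicators is a confident match; one alone
    (a bare 'hello' subject, a sender called 'Linda') is too common to act on."""
    return "worm" if len(worm_indicators(raw_message)) >= 2 else "clean"


# Constructed message in the shape the write-up describes (the zip payload is an
# empty archive, present only so the attachment part has a body).
SAMPLE_MESSAGE = """\
From: Agnes <agnes@example.invalid>
To: victim@example.invalid
Subject: Agnes Monica pic's
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

di lampiran ini terdapat curriculum vittae dan foto saya
--BOUNDARY
Content-Type: application/zip; name="Mypic.zip"
Content-Disposition: attachment; filename="Mypic.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--BOUNDARY--
"""

# Constructed ordinary message for comparison.
CLEAN_MESSAGE = "From: Bob <bob@example.invalid>\nTo: victim@example.invalid\nSubject: meeting notes\n\nsee you at 3\n"

if __name__ == "__main__":
    for raw in (SAMPLE_MESSAGE, CLEAN_MESSAGE):
        print(classify(raw), worm_indicators(raw))
```

The two-indicator threshold in `classify` is the practical point: several entries in the sender and subject lists are ordinary words or first names, so a rule that fires on any single match would quarantine legitimate mail, while the combination of a listed subject with the Mypic.zip attachment is specific to this worm.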
Affected Platforms
This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003.
[ 2008-12-23 11:08:41 ] ( +9 / -0 ) 11 comment


Voted again!
eazy [ 2009-09-2 20:16:33 ]

Hi there.
CrazYKENG [ 2009-09-1 17:58:14 ]

Votes all around.
eazy [ 2009-09-1 14:26:56 ]

Voted.
CrazYKENG [ 2009-08-31 09:37:58 ]

Voted for you again.
eazy [ 2009-08-30 20:13:42 ]

Hello.
eazy [ 2009-08-29 21:32:58 ]

Dropping by to leave a comment.
eazy [ 2009-08-24 15:53:14 ]

-*- Long as anything, and in a foreign language too. Get hit by this one and you're probably in trouble.
ASZoDi4c [ 2009-03-3 23:59:17 ]

Heh heh heh...
lenient [ 2008-12-25 11:50:03 ]

It would be great if this were translated into Thai - -
HarleyDavidson [ 2008-12-24 21:01:15 ]

I voted, I hope I don't catch the virus ^^
+1
coincrab [ 2008-12-23 22:18:33 ]
