Virus Name: Win32/Scrapkut.worm
Risk Assessment: Low

Discovery Date: 02/03/2008
Min DAT: 5243

Type: Virus
SubType: Worm
 
Virus Characteristics
 

The downloader component of the worm has the following attributes:

  • File size: 239,616 bytes
  • FileName: flashx_p.exe

Upon execution, the worm shows the following window.


It then downloads the following files from the remote site "ifastnet.com":

  • %Windir%\logservicess.exe (420,148 bytes)
  • %Windir%\system32\maindwxp.exe (420,148 bytes)
  • %Windir%\win32chekupdate.exe (1,107,789 bytes)
  • %Windir%\windosremote.exe (3,665,995 bytes)

The worm injects a thread into the Internet Explorer process and monitors access to orkut.com.
It then sends scraps containing a link to "flashx_p.exe" to every contact listed in the victim's address book.

 

Symptoms
 

The worm attempts to terminate security-related processes from a list carried in the worm file. The list contains more than 700 process names.

The worm also terminates the following services:

  • Security Center
  • SharedAccess

The worm attempts to delete files under the following directories:

  • %HOMEDRIVE%\%ProgramFiles%\alwils~1\avast4\
  • %HOMEDRIVE%\%ProgramFiles%\Lavasoft\Ad-awa~1\
  • %HOMEDRIVE%\%ProgramFiles%\kasper~1\
  • %HOMEDRIVE%\%ProgramFiles%\trojan~1\
  • %HOMEDRIVE%\%ProgramFiles%\f-prot95\
  • %HOMEDRIVE%\%ProgramFiles%\tbav\
  • %HOMEDRIVE%\%ProgramFiles%\avpersonal\
  • %HOMEDRIVE%\%ProgramFiles%\Norton~1\
  • %HOMEDRIVE%\%ProgramFiles%\Mcafee\
  • %HOMEDRIVE%\%ProgramFiles%\avgamsr\
  • %HOMEDRIVE%\%ProgramFiles%\avgamsvr\
  • %HOMEDRIVE%\%ProgramFiles%\avgemc\
  • %HOMEDRIVE%\%ProgramFiles%\avgcc\
  • %HOMEDRIVE%\%ProgramFiles%\avgupsvc\
  • %HOMEDRIVE%\%ProgramFiles%\grisoft
  • %HOMEDRIVE%\%ProgramFiles%\nood32\
  • %HOMEDRIVE%\%ProgramFiles%\nod32
  • %HOMEDRIVE%\nood32\
  • %HOMEDRIVE%\%ProgramFiles%\kav\
  • %HOMEDRIVE%\%ProgramFiles%\kavmm\
  • %HOMEDRIVE%\%ProgramFiles%\kaspersky
  • %HOMEDRIVE%\%ProgramFiles%\ewidoctrl\
  • %HOMEDRIVE%\%ProgramFiles%\guard\
  • %HOMEDRIVE%\%ProgramFiles%\ewido\
  • %HOMEDRIVE%\%ProgramFiles%\pavprsrv\
  • %HOMEDRIVE%\%ProgramFiles%\pavprot\
  • %HOMEDRIVE%\%ProgramFiles%\avengine\
  • %HOMEDRIVE%\%ProgramFiles%\apvxdwin\
  • %HOMEDRIVE%\%ProgramFiles%\webproxy\
  • %HOMEDRIVE%\%ProgramFiles%\panda software\
  • %HOMEDRIVE%\%ProgramFiles%\ewidoa~1\
  • %HOMEDRIVE%\%ProgramFiles%\ESET\

The worm modifies the following registry values:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
    FirewallDisableNotify = 4
    AntiVirusDisableNotify = 4
    AntiVirusOverride = 4
    FirewallDisableNotify = 4
    FirewallOverrideFirst = 4
    RunDisabled = 4
    UpdatesDisableNotify = 4

The worm sets the "Start" value to 4 (SERVICE_DISABLED, so the service no longer starts) under the following service keys:

  •  Amon
  •  Apvxd
  •  Apvxdwin
  •  Atrack
  •  AvconsoleEXE
  •  AVG_CC
  •  avgcc32
  •  avgserv9
  •  AVPCC
  •  AVPCC Service
  •  BlackIce Utility
  •  CcApp
  •  CcRegVfy
  •  ConfigSafe
  •  CPD_EXE
  •  Defwatch
  •  dvpapi9x
  •  Fix-it
  •  Fix-it AV
  •  Freedom
  •  F-StopW
  •  iamapp
  •  Look 'n' Stop
  •  McAfee Firewall
  •  McAfee Winguage
  •  McAfee.InstantUpdate.Monitor
  •  McAfeeVirusScanService
  •  NAV Agent
  •  NAV Configuration Wizard
  •  NAV DefAlert
  •  Nod32CC
  •  NOD32POP3
  •  Norton Auto-Protect
  •  Norton eMail Protect
  •  Norton Navigaton Loader
  •  Norton Program Event Checker
  •  Norton Program Scheduler
  •  NPS Event Checker
  •  Panda Scheduler
  •  ScanInicio
  •  SymTray - Norton SystemWorks
  •  Tiny Personal Firewall
  •  TrueVector
  •  VirusScan Online
  •  ZoneAlarm

Those service keys are located under the following keys:

  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  •  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
  •  HKEY_LOCAL_MACHINE\SYSTEM\Controlset002\Services
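A responder can check a host for the registry tampering described above by exporting the relevant keys with `reg export` and scanning the text. The script below is an added example, not part of this advisory: it parses a .reg export and reports Security Center values set to 4 and listed service keys whose Start value is 4. The embedded export is constructed, and the service list is a subset of the names given above.

```python
"""Added example (not from the advisory): scan a `reg export` text dump for the
Security Center and service Start=4 tampering described above."""
import re

# Subset of the service names listed above, lower-cased for matching; extend as needed.
DISABLED_SERVICES = {s.lower() for s in (
    "Amon", "AVG_CC", "avgcc32", "AVPCC", "CcApp", "McAfeeVirusScanService",
    "NAV Agent", "Norton Auto-Protect", "Tiny Personal Firewall", "ZoneAlarm")}
SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center"
SC_VALUES = {"FirewallDisableNotify", "AntiVirusDisableNotify", "AntiVirusOverride",
             "FirewallOverrideFirst", "RunDisabled", "UpdatesDisableNotify"}
KEY_RE = re.compile(r"^\[(.+)\]$")                            # [HKEY_...\Key]
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')  # "Name"=dword:00000004
SERVICE_KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|"
                            r"ControlSet\d{3})\\Services\\([^\\]+)$", re.IGNORECASE)

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1), {})
        elif (m := DWORD_RE.match(line)) and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return keys

def find_indicators(reg_text):
    """Return (key, value_name, data) triples that match the worm's registry changes."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        if key.lower() == SECURITY_CENTER.lower():
            hits += [(key, n, d) for n, d in values.items() if n in SC_VALUES and d == 4]
        elif (m := SERVICE_KEY_RE.match(key)) and m.group(1).lower() in DISABLED_SERVICES:
            if values.get("Start") == 4:  # 4 == SERVICE_DISABLED
                hits.append((key, "Start", 4))
    return hits

# Constructed sample export (not from a real host): two notify values set to 4,
# one override left at 0 for contrast, and one listed service disabled.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000004
"FirewallDisableNotify"=dword:00000004
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVG_CC]
"Start"=dword:00000004
"""

for key, name, data in find_indicators(SAMPLE_REG):
    print(f"{key} -> {name} = {data}")
```

A real `reg export` file is UTF-16LE with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing its contents to `find_indicators`.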
     
 
Method Of Infection
 
The worm attempts to spread by sending orkut users scraps that contain a link to the worm itself.

 

Removal Instructions
 
Use the specified engine and DAT files for detection and removal. This threat will be cleaned if you have this combination.
 

 

     1386 Shabakeh Gostar Eng