Once executed, the worm copies itself as the following files:
* C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma Loader.com
* C:\Program Files\Microsoft Office\OFFICE11\ WINWORD.EXE
* C:\Program Files\Microsoft Office\OFFICE11\services.exe
The worm then starts Microsoft Word, which opens a blank document, and executes its own copy at C:\Program Files\Microsoft Office\OFFICE11\ WINWORD.EXE (the file name as listed begins with a space, which sets it apart from the genuine WINWORD.EXE in the same folder) to ensure that the compromised computer remains infected.
It then drops the following files:
* C:\Program Files\Microsoft Office\OFFICE11\control.ini
* C:\Program Files\Microsoft Office\OFFICE11\Drvics32.dll
* C:\Program Files\Microsoft Office\OFFICE11\hjwgsd.dll
* C:\Program Files\Microsoft Office\OFFICE11\jwiegh.dll
* C:\Program Files\Microsoft Office\OFFICE11\PUB60SP.mrc
* C:\Program Files\Microsoft Office\OFFICE11\remote.ini
* C:\Program Files\Microsoft Office\OFFICE11\ruimsbbe.dll
* C:\Program Files\Microsoft Office\OFFICE11\smss.exe
* C:\Program Files\Microsoft Office\OFFICE11\yofc.dll
* C:\Program Files\Microsoft Office\OFFICE11\ WINWORD.EXE
The worm modifies the following registry entry so that it runs every time the user logs on (Winlogon starts every program named in the Shell value as the desktop shell, so services.exe is launched alongside Explorer.exe):
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe, C:\Program Files\Microsoft Office\OFFICE11\services.exe"
The worm then creates the following registry subkeys:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acha.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AmyMastura.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BabyRina.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrsz.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsasc.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\registry.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMSSS.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
The worm then creates the following registry entries. Whenever a process is started whose image name matches one of these subkeys, Windows launches the program named in the Debugger value instead, with the original command line appended. For the entries set to "cmd.exe /c del", the requested executable is therefore deleted rather than run (cmd.exe /c del <path of the requested program>); for cscript.exe and wscript.exe, rundll32.exe is started with the script host's command line, so scripts never execute:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acha.exe\"Debugger" = "cmd.exe /c del"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AmyMastura.exe\"Debugger" = "cmd.exe /c del"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BabyRina.exe\"Debugger" = "cmd.exe /c del"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\"Debugger" = "rundll32.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrsz.exe\"Debugger" = "cmd.exe /c del"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsasc.exe\"Debugger" = "cmd.exe /c del"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\registry.exe\"Debugger" = "cmd.exe /c del"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMSSS.exe\"Debugger" = "cmd.exe /c del"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\"Debugger" = "rundll32.exe"
The worm disables the Windows Defender service by creating the following registry subkey (if it does not already exist):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
It then creates the following registry entries under it; a Start value of 4 marks a service as SERVICE_DISABLED, so the Windows Defender service will not start:
* HKEY_LOCAL_MACHINE\SYSTEM\ContrelSet\Services\WinDefend\"Start" = "4"
* HKEY_LOCAL_MACHINE\SYSTEM\ContrelSet\Services\WinDefend\"Type" = "4"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend\"Start" = "4"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend\"Type" = "4"
It then modifies the following registry entries to lower security settings (the presence of NeverShowExt makes Explorer hide the .exe extension even when known extensions are set to be shown; the Security Center values suppress the antivirus, firewall and update warnings and override its status checks; EnableLUA = 0 turns off User Account Control after the next restart):
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\"NeverShowExt" = ""
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"UacDisableNotify" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\"AntiVirusDisableNotify" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\"AntiVirusOverride" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\"FirewallDisableNotify" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\"FirewallOverride" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\"FirstRunDisabled" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\"UpdatesDisableNotify" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\"UacDisableNotify" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
* HKEY_ALL_USERS\Software\Microsoft\Office\Common\"QMSessionCount" = "2"
* HKEY_ALL_USERS\Software\Microsoft\Office\Common\Assistant\"CurrAsstState" = "26"
It also deletes the following registry keys to prevent the compromised computer from restarting in safe mode:
* HKEY_LOCAL_MACHINE\SYSTEM\ContrelSet\Control\SafeBoot
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
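As an added example (not code from the original writeup), the following Python script scans a `reg export` text dump for the registry artifacts listed above: the Winlogon Shell hijack, IFEO Debugger values (reporting the command Windows would actually run for the intercepted program), the Security Center overrides, EnableLUA, the disabled WinDefend service, and missing SafeBoot keys. The .reg sample embedded in it is constructed by hand to mimic an export from an infected host; the image path C:\path\to\ used to illustrate the Debugger effect is a placeholder, not a path from this writeup.

```python
"""Scan a `reg export` text dump for the registry artifacts described above.
Added example, not code from the original writeup. SAMPLE_REG is constructed
by hand to mimic an export from an infected host; the image path used to
illustrate the IFEO effect (C:\\path\\to\\) is a placeholder."""
import re
from typing import Dict, List

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, C:\\Program Files\\Microsoft Office\\OFFICE11\\services.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acha.exe]
"Debugger"="cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe]
"Debugger"="rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000003
'''

# "name"=value or @=value (default value); .reg escapes \ and " with a backslash
VALUE_LINE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<value>.*)$')

def _unescape(s: str) -> str:
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path: {value name: value}}; strings are unescaped, dwords become
    ints, other types (hex:, hex(2): ...) are kept as their raw text."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', 'Windows Registry Editor')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = '' if m.group('default') else _unescape(m.group('name'))
        val = m.group('value')
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            keys[current][name] = _unescape(val[1:-1])
        elif val.lower().startswith('dword:'):
            keys[current][name] = int(val[6:], 16)
        else:
            keys[current][name] = val
    return keys

# Key paths are compared case-insensitively, as the registry itself does
IFEO = r'hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options'
WINLOGON = r'\software\microsoft\windows nt\currentversion\winlogon'
SECURITY_CENTER = r'hkey_local_machine\software\microsoft\security center'
SYSTEM_POLICY = r'hkey_local_machine\software\microsoft\windows\currentversion\policies\system'
WINDEFEND = r'hkey_local_machine\system\currentcontrolset\services\windefend'
CONTROL = r'hkey_local_machine\system\currentcontrolset\control'

def ifeo_effective_command(debugger: str, requested_cmdline: str) -> str:
    """With a Debugger value under the image's IFEO subkey, process creation starts
    the Debugger string with the original command line appended, not the image."""
    return f'{debugger} {requested_cmdline}'

def scan(keys: Dict[str, Dict[str, object]]) -> List[str]:
    findings: List[str] = []
    for key, vals in keys.items():
        kl = key.lower()
        if kl.endswith(WINLOGON):
            shell = str(vals.get('Shell', 'Explorer.exe'))
            if shell.strip().lower() != 'explorer.exe':
                findings.append(f'Winlogon Shell hijack: {key}\\Shell = {shell!r}')
        elif kl.startswith(IFEO + '\\') and 'Debugger' in vals:
            image = key.rsplit('\\', 1)[1]
            effect = ifeo_effective_command(str(vals['Debugger']), f'"C:\\path\\to\\{image}"')
            findings.append(f'IFEO hijack of {image}: starting it runs {effect!r}')
        elif kl.startswith(SECURITY_CENTER):
            for name, v in vals.items():
                if name.endswith(('Override', 'DisableNotify')) and v == 1:
                    findings.append(f'Security Center suppressed: {key}\\{name} = 1')
        elif kl == SYSTEM_POLICY and vals.get('EnableLUA') == 0:
            findings.append('UAC disabled: EnableLUA = 0')
        elif kl == WINDEFEND and vals.get('Start') == 4:
            findings.append('Windows Defender service disabled: WinDefend\\Start = 4 (SERVICE_DISABLED)')
    # Only judge SafeBoot when the export actually covers CurrentControlSet\Control
    control = [k.lower() for k in keys if k.lower().startswith(CONTROL + '\\')]
    if control and not any(k.startswith(CONTROL + r'\safeboot') for k in control):
        findings.append('SafeBoot keys missing under CurrentControlSet\\Control: safe mode disabled')
    return findings

if __name__ == '__main__':
    for finding in scan(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live host the same checks can be run against `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` taken from the suspect machine; the SafeBoot check is deliberately skipped when the export does not cover CurrentControlSet\Control, so a partial export does not produce a false alarm.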
The worm opens a back door on the compromised computer by connecting to a predetermined IRC channel, allowing a remote attacker unauthorized access.
It then attempts to spread through instant messaging clients by sending any of the following messages (Malay/Indonesian, English translation in parentheses) containing a link to a file sharing Web site:
* Mahu tips and trik menarik Adobe Photoshop, dapatkan segera buku elektronik geratis di [LINK TO WEB SITE]
  (Want interesting Adobe Photoshop tips and tricks? Get a free e-book now at [LINK TO WEB SITE])
* Download segera berbagai buku elektronik tips & trik ilmu komputer di >>> [LINK TO WEB SITE]<<<
  (Download all kinds of computer tips & tricks e-books now at >>> [LINK TO WEB SITE]<<<)
* Download buku 1001 cara usaha mendapatkan keuntungan besar berlipat ganda & trik pengusaha sukses [LINK TO WEB SITE]
  (Download the book "1001 business ways to earn big, multiplying profits & tricks of successful entrepreneurs" [LINK TO WEB SITE])
* E-Book 1001 cara Merakit komputer ===> [LINK TO WEB SITE] geratis download
  (E-Book "1001 ways to assemble a computer" ===> [LINK TO WEB SITE] free download)
Note: At the time of writing, [LINK TO WEB SITE] represented the
following remote location:
[http://]bukugeratis.4shared.com
The worm may also contact the following domains:
* www.putera.com
* www.tourism.gov.my
* www.miti.gov.my