Friday, 24 February 2012

Exploit:Win32/Siveras.E


Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Apr 19, 2007

Aliases
  • Worm.Win32.Downloader.ak (Kaspersky)
  • New Malware.aj (McAfee)
  • W32/Suspicious_U.gen (Norman)
  • Mal/Packer (Sophos)
  • Packed/Upack (VirusBuster)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.175.0
Released: Feb 22, 2012
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008


 

Summary

Exploit:Win32/Siveras.E is detection for specific known malware used to exploit a vulnerability in the Domain Name System (DNS) Server Service. This vulnerability impacts Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2.
 
For vulnerability details and patch information, please see Microsoft Security Bulletin MS07-029 at http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx.


 

Symptoms

The following symptoms could indicate the computer was in contact with Exploit:Win32/Siveras.E:
  • Creation or the presence of these files:
    <system folder>\drivers\pcibus.sys
    <system folder>\com\comprel32.exe
    <system folder>\utility.hiv
    <system folder>\taimpo.txt
  • Open TCP port 4444 or 57660
  • Open UDP port 3012
  • Connection attempts with the remote Web site 'eee.jpenqc.com'
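As an added detection example (not Microsoft's code and not part of the original entry), the following Python triage checks the symptoms listed above against `netstat -ano` output, a file listing and web-proxy log lines. It assumes that <system folder> is C:\WINDOWS\system32 and that the log line format is a simple proxy access log; all sample inputs are constructed.

```python
# Indicators from the entry above; <system folder> is assumed to be C:\WINDOWS\system32.
SYSTEM_FOLDER = r"c:\windows\system32"
SIVERAS_FILES = {r"drivers\pcibus.sys", r"com\comprel32.exe", "utility.hiv", "taimpo.txt"}
SIVERAS_TCP_PORTS = {4444, 57660}
SIVERAS_UDP_PORTS = {3012}
SIVERAS_DOMAIN = "eee.jpenqc.com"

def listening_port_hits(netstat_lines):
    """Rows of `netstat -ano` output whose local port is a Siveras port.
    TCP rows count only when LISTENING; UDP rows carry no state column."""
    hits = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank and title lines
        proto, pid = fields[0], fields[-1]
        port = int(fields[1].rsplit(":", 1)[1])  # local address is host:port
        if proto == "TCP" and port in SIVERAS_TCP_PORTS and "LISTENING" in fields:
            hits.append((proto, port, pid))
        elif proto == "UDP" and port in SIVERAS_UDP_PORTS:
            hits.append((proto, port, pid))
    return hits

def dropped_file_hits(paths):
    """Paths matching a dropped-file name relative to SYSTEM_FOLDER (case-insensitive)."""
    prefix = SYSTEM_FOLDER + "\\"
    return [p for p in paths
            if p.lower().startswith(prefix) and p.lower()[len(prefix):] in SIVERAS_FILES]

def domain_hits(log_lines):
    """Proxy or firewall log lines that mention the contact domain."""
    return [line for line in log_lines if SIVERAS_DOMAIN in line.lower()]

def triage(netstat_lines, paths, log_lines):
    """Return only the indicator groups that matched; an empty dict means no match."""
    found = {"ports": listening_port_hits(netstat_lines),
             "files": dropped_file_hits(paths),
             "domain": domain_hits(log_lines)}
    return {k: v for k, v in found.items() if v}

# Constructed sample inputs, not data captured from a real host.
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1072",
    "  TCP    10.0.0.5:1045          10.0.0.9:57660         ESTABLISHED     1072",
    "  UDP    0.0.0.0:3012           *:*                                    1072",
]
SAMPLE_FILES = [r"C:\WINDOWS\system32\drivers\pcibus.sys", r"C:\Temp\taimpo.txt"]
SAMPLE_LOG = ["2012-02-22 10:01:07 10.0.0.5 GET http://eee.jpenqc.com/radi.exe 200"]
print(triage(SAMPLE_NETSTAT, SAMPLE_FILES, SAMPLE_LOG))
```

The ESTABLISHED row whose foreign port is 57660 is deliberately not flagged: the entry describes 57660 as a port the infected host listens on, so only local listening ports are matched. Likewise a taimpo.txt outside the system folder is not counted, which keeps false positives down on hosts that legitimately use that name elsewhere.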


 

Technical Information (Analysis)

Exploit:Win32/Siveras.E is detection for specific known malware used to exploit a vulnerability in the Domain Name System (DNS) Server Service. This vulnerability impacts Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2.
 
Installation & Payload
Exploit:Win32/Siveras.E injects its code into the running process SVCHOST.EXE. The Trojan then drops a file to the Windows system folder and runs that file, which then attempts to connect to multiple IRC servers or remote Web sites, and sends an HTTP GET request to download an executable from a remote Web site. Retrieved files have known file names of "radi.exe" or "e##.exe", where ## is a number.
 
Exploit:Win32/Siveras.E opens and listens on TCP ports (such as 57660 or 4444) to accept commands from remote attackers. These commands could include instructions to initiate network scanning in search of other vulnerable computers.
 
Additional Information
For vulnerability details and patch information, please see Microsoft Security Bulletin MS07-029 at http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx.


 

Prevention

For specific instructions to prevent exploitation of this vulnerability, see Microsoft Security Bulletin MS07-029 at http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx.
