Post #16, February 18th, 2007
mickjapa108

Hi everyone,
This is an expansion of the 2nd link that Birdy gave. Users can check if they have any of these files and folders present on their computer
by copying the names EXACTLY to Notepad, then booting in safe mode.

Note: In file options, you must enable SHOW hidden files
before booting in safe mode.

Then go Start/Search and enter the exact file names. If found, please make short
posts in this thread ONLY. No life history, just a list of file names and anything
related directly. We appreciate your help. Thank you.

Win32.Worm.VB.Ymeak.A
Spreading: MEDIUM
Damage: MEDIUM
Size: 236,136
Discovered: 2006 Mar 02

SYMPTOMS:

Presence of the following files:

%windir%\b.exe (usually C:\Windows\b.exe), 155,648 bytes
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe, 236,136 bytes
The file xzxzxzxzxzxz.exe (236,136 bytes) may appear in a subdirectory called "_" (underscore)
in the shared folders of peer-to-peer file sharing applications.

TECHNICAL DESCRIPTION:
This is a worm that spreads itself via peer-to-peer file sharing networks,
dropping a backdoor identified by BitDefender as Backdoor.RBot.CMQ. It has a file size of 236,136 bytes.

The first time it is run, it displays the following message to make the user believe it is a setup file downloaded with errors:

After displaying the message, it copies itself to the All Users' startup folder
(usually C:\Documents and Settings\All Users\Start Menu\Programs\Startup\)
as svchost.exe, and launches itself from that new location.
The original instance ends its execution at this point.

When launched from the aforementioned (Startup) folder, it checks if the %system%
(usually C:\Windows\System32) folder contains any of the following files:
winlog.exe, p2pnetworking.exe, scvhost.exe, winlogi.exe or p2pnetwork.exe.
These are all file names used by the RBot trojan. If it can't find any of them,
it assumes the RBot trojan is not present, so it drops it into the Windows folder as b.exe and runs it.

To spread itself, it collects random application names from certain torrent and direct download sites.
It then places itself in the shared folder of five common P2P file sharing programs (listed below)
using the previously collected names, in a subfolder called "_" (underscore).
At regular intervals it looks for the executable files of the file sharing programs
Limewire, Shareaza, Bearshare, Morpheus and Morpheus Ultra and launches them.

To protect itself from being discovered, it opens the following files (requesting exclusive access):
cmd.exe, netstat.exe, tracert.exe, ping.exe, ipconfig.exe, taskkill.exe, regedt32.exe
and taskmgr.exe from the %system% folder and regedit.exe from the %windir% folder.
It keeps them open while it is active, so they cannot be executed.

Removal instructions:

Please let BitDefender disinfect your files.
ANALYZED BY:

Vlad Ioan Topan, BitDefender Virus Researcher
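The manual Start/Search sweep described in the post above can be scripted. The following is an added example written for this page, not code from the post or from BitDefender's writeup. It is read-only: it reports the indicator files and sizes listed in the SYMPTOMS section, the RBot-style file names in %system%, any "_" subfolder under P2P shared folders, and, since the worm keeps admin tools open with exclusive access, it also tries to open each of those tools with ordinary sharing and reports any that are locked. The P2P shared-folder paths are assumptions for typical installs and should be adjusted to the machine; everything else comes from the writeup.

```powershell
# Added example (not part of the forum post or the BitDefender writeup):
# read-only sweep for the Win32.Worm.VB.Ymeak.A indicators listed above.
# Run from an elevated PowerShell prompt. Works on PowerShell 2.0 and later.

$windir  = $env:SystemRoot                                   # usually C:\Windows
$system  = Join-Path $windir 'System32'                      # %system%
$startup = [Environment]::GetFolderPath('CommonStartup')     # All Users startup folder on any Windows version

# 1. Dropped files named in the SYMPTOMS section, with the sizes the writeup gives.
$dropped = @(
    @{ Path = (Join-Path $windir  'b.exe');       Size = 155648 },
    @{ Path = (Join-Path $startup 'svchost.exe'); Size = 236136 }
)
foreach ($d in $dropped) {
    # -Force includes hidden files, so "show hidden files" need not be enabled for this script
    $f = Get-Item -LiteralPath $d.Path -Force -ErrorAction SilentlyContinue
    if ($f) {
        $note = if ($f.Length -eq $d.Size) { 'size matches writeup' } else { "size $($f.Length) differs from writeup" }
        Write-Output "FOUND  $($d.Path)  ($note)"
    }
}

# 2. RBot file names the worm checks for in %system%. Finding one suggests the RBot
#    backdoor itself is already present, not just the Ymeak dropper.
foreach ($n in 'winlog.exe', 'p2pnetworking.exe', 'scvhost.exe', 'winlogi.exe', 'p2pnetwork.exe') {
    $p = Join-Path $system $n
    if (Test-Path -LiteralPath $p) { Write-Output "FOUND  $p  (RBot-style file name)" }
}

# 3. A subfolder literally named "_" under P2P shared folders, holding copies of the worm
#    under random application names (xzxzxzxzxzxz.exe is the one name the writeup gives).
#    ASSUMPTION: these share locations are typical defaults, not taken from the writeup.
$shares = @(
    (Join-Path $env:ProgramFiles 'LimeWire\Shared'),
    (Join-Path $env:ProgramFiles 'Shareaza\Downloads'),
    (Join-Path $env:ProgramFiles 'BearShare\Shared'),
    (Join-Path $env:ProgramFiles 'Morpheus\My Shared Folder'),
    (Join-Path $env:USERPROFILE  'Shared')
)
foreach ($s in $shares) {
    $u = Join-Path $s '_'
    if (Test-Path -LiteralPath $u -PathType Container) {
        Get-ChildItem -LiteralPath $u -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            $tag = if ($_.Length -eq 236136) { 'size matches worm' } else { "size $($_.Length)" }
            Write-Output "FOUND  $($_.FullName)  ($tag)"
        }
    }
}

# 4. The worm holds cmd.exe, taskmgr.exe, regedit.exe etc. open with exclusive access so they
#    cannot launch. Opening each with normal sharing (Read access, ReadWrite share) succeeds on a
#    clean machine; a sharing violation on an existing file means some process is holding it
#    exclusively. This only triggers while the worm is running, i.e. in normal mode, not safe mode.
$tools = @(
    (Join-Path $system 'cmd.exe'),      (Join-Path $system 'netstat.exe'),  (Join-Path $system 'tracert.exe'),
    (Join-Path $system 'ping.exe'),     (Join-Path $system 'ipconfig.exe'), (Join-Path $system 'taskkill.exe'),
    (Join-Path $system 'regedt32.exe'), (Join-Path $system 'taskmgr.exe'),  (Join-Path $windir 'regedit.exe')
)
foreach ($t in $tools) {
    if (-not (Test-Path -LiteralPath $t)) { continue }
    try {
        $fs = [System.IO.File]::Open($t, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
        $fs.Close()
    } catch [System.IO.IOException] {
        Write-Output "LOCKED $t  (another process holds it exclusively)"
    }
}
```

Sections 1 to 3 are the scripted form of the post's file-name search and can be run from safe mode as the post recommends; section 4 only means something in normal mode, because it detects the worm's live handles rather than files on disk. A hit on any line is an indicator to post, not proof by itself: svchost.exe in the All Users Startup folder is never legitimate, but a locked tool can also be caused by other software.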