Displaying Results for threatBackDoor.Generic3.GBB!CME-762
This worm spreads by internet exploiting MS Windows Server Service vulnerability described in MS Security Bulletin MS06-040.
Installation:
When the worm is launched it copies itself as wgavm.exe to Windows System Directory and registers itself under name Windows Genuine Advantage Validation Monitor as service with automatic startup type in HKLM\SYSTEM\ControlSet001\Services\wgavm key in Windows Registry.
Worm also changes value in entry "EnableDCOM" to "n" in HKLM\software\microsoft\ole key in Windows Registry which disables DCOM protocol.
In case of WinXP and Win2003 Server worm changes automatic startup type of Windows Firewall/Internet Connection Sharing (ICS) service in HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess key to manual startup which disables Windows Firewall.
Spreading: internetWorm stores its copyes in shared folders, searches IP addresses and when it finds a vulnerable computer it uses the exploit for downloading a copy of itself and its launching
Saturday, November 17, 2007
Subscribe to:
Posts (Atom)