WORM_ANIXMA.A

Сетевой червь, рассылающий ссылку по всем контактам AOL Instant Messenger. При клике на ссылку, копия червя загружается на систему.

Сетевой червь, рассылающий ссылку по всем контактам AOL Instant Messenger. При клике на ссылку, копия червя загружается на систему.

Червь отключает некоторые записи реестра, делая систему уязвимую к сетевым атакам.

Червь также содержит функции бекдора. Он подключается к некоторым Internet Relay Chat (IRC) серверам и ждет команды от удаленного пользователя на определенном IRC канале.

Описание от Trend Micro:

Installation and Autostart

This worm may be downloaded from the site http://members.l{BLOCKED}os.nl/misscleo6969/RitaDisaster.pif. Upon execution, it drops a copy of itself in the Windows system folder using a random file name.

It creates this registry entry to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Socketheader = "{File name of malware}"

It also modifies the following registry entries to disable the Windows firewall, making the affected system vulnerable to network intrusions:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\DomainProfile
EnableFirewall = "dword:00000000"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\StandardProfile
EnableFirewall = "dword:00000000"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\FirewallPolicy\
StandardProfile
EnableFirewall = "dword:00000000"

Propagation via Instant Messenger

This worm checks this registry key to propagate via AOL Instant Messenger:

HKEY_LOCAL_MACHINE\SOFTWARE\America Online\
AOL Instant Messenger (TM)\CurrentVersion\Login

If the said key exists, it searches the buddy list of the instant messenger and sends a link to all contacts. When the said link is clicked, a copy of this worm is downloaded onto the contact's system.

Backdoor Capabilities and Other Details

This worm has backdoor capabilities. It connects to the Internet Relay Chat (IRC) servers xxx.steveballmer.biz or xxx.skrillz.biz and joins an IRC channel. Once connected, it listens for commands coming from a remote user. The following commands may be isssued by the remote user and are executed on the affected system:

  • Display connection type, local IP address, and other network information
  • Download and execute a file
  • Update copy of the worm

This worm runs on Windows 95, 98, ME, NT, 2000, XP, and Server 2003.