Ian
Posts: 2913
Mimail.L, Mimail.M, and Gaobot.BK
« on: Dec 13th, 2003, 3:18pm »
Three worms: the L and M variants of Mimail, and Gaobot.BK.

Mimail.L and Mimail.M spread via e-mail in a message which includes a file which in turn includes another file with a double extension. Both worms use their own SMTP engine to send themselves to all the addresses they find. They also carry out Denial of Service (DoS) attacks against various servers and register themselves as Windows services, to avoid appearing in the list of processes in the task administrator. The differences between the two variants are as follows:

- The subject field of the e-mail: Mimail.L either has no subject field or includes the text "Re[2]we are going to bill your credit card", while the e-mail carrying Mimail.M is titled "Re: GREG" or "Re[3]" followed by a series of random characters.
- The attachment names, which include, in the case of Mimail.L, WENDY.ZIP and FOR_GREG_WITH_LOVE.JPG.EXE, while for Mimail.M they could be (in addition to WENDY.ZIP) only_for_greg.zip, for_greg.jpg.exe and Wendy.Exe.
- The servers they attack.
- The modifications they make to the Windows registry on the victim computer.

Gaobot.BK: in order to spread to as many computers as possible, this exploits the RPC DCOM and WebDAV vulnerabilities. It also spreads by copying itself to shared network resources, which it accesses by 'guessing' simple or common passwords. A clear indication that Gaobot.BK is affecting a computer is a considerable increase in network traffic on TCP ports 135 and 445, due to the attempts it makes to exploit the security vulnerabilities. When Gaobot.BK runs, it connects to a specific IRC server and waits for control commands. It could allow an attacker to get information from the affected computer, run files, launch Distributed Denial of Service (DDoS) attacks, upload files by FTP, etc. It also terminates processes of antivirus programs, firewalls and system monitoring tools, leaving the PC vulnerable to future attacks from worms and viruses. Gaobot.BK also terminates processes of Nachi.A, Autorooter.A, Sobig.F and several variants of Blaster.
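The indicators in the post above translate into two simple triage checks. The Python below is an added example, not part of the original post and not from any vendor tool: it flags mail whose subject or attachment names match the Mimail.L/Mimail.M strings quoted above or whose attachment (or a file inside a .zip attachment) carries a double extension ending in an executable type, and it counts per-source TCP connection attempts to ports 135 and 445 in a flow log to surface a host that is sweeping the network the way Gaobot.BK does. The sample message, the log lines, their field layout and the alert threshold are all constructed for the example.

```python
"""Triage helpers for the Mimail / Gaobot.BK indicators described in the post.
Added example; sample data, log format and threshold are constructed assumptions."""
import io
import re
import zipfile
from collections import Counter
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Extensions that run as code on Windows; a name like photo.jpg.exe is a classic lure.
EXEC_EXT = {"exe", "scr", "pif", "com", "bat"}

# Subject and attachment strings quoted in the post (matched case-insensitively).
MIMAIL_SUBJECTS = [
    re.compile(r"^Re\[2\]\s*we are going to bill your credit card", re.I),
    re.compile(r"^Re: GREG$", re.I),
    re.compile(r"^Re\[3\]", re.I),
]
MIMAIL_ATTACHMENTS = {
    "wendy.zip", "for_greg_with_love.jpg.exe",
    "only_for_greg.zip", "for_greg.jpg.exe", "wendy.exe",
}


def has_double_extension(filename):
    """True for names with two or more extensions whose last one is executable."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[-1] in EXEC_EXT


def check_name(name, where):
    """Reasons a file name is suspicious: known Mimail name and/or double extension."""
    out = []
    if name.lower() in MIMAIL_ATTACHMENTS:
        out.append(f"{where}: known Mimail attachment name {name}")
    if has_double_extension(name):
        out.append(f"{where}: double extension ending in executable {name}")
    return out


def triage_message(raw):
    """Return the list of reasons a raw RFC 822 message looks like a Mimail carrier."""
    msg = message_from_string(raw)
    reasons = []
    subject = msg.get("Subject", "")
    if any(p.search(subject) for p in MIMAIL_SUBJECTS):
        reasons.append(f"subject matches Mimail pattern: {subject!r}")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        reasons.extend(check_name(name, "attachment"))
        # The post says the mailed file wraps another file; look inside .zip attachments.
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        reasons.extend(check_name(member, f"inside {name}"))
            except zipfile.BadZipFile:
                reasons.append(f"attachment {name} claims .zip but is not a valid archive")
    return reasons


def build_sample_message():
    """Constructed Mimail.L-style message: known subject plus WENDY.ZIP holding a .JPG.EXE."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("FOR_GREG_WITH_LOVE.JPG.EXE", b"placeholder bytes, not a real PE")
    msg = MIMEMultipart()
    msg["Subject"] = "Re[2]we are going to bill your credit card"
    msg["From"] = "sender@example.com"   # constructed
    msg["To"] = "victim@example.com"     # constructed
    msg.attach(MIMEText("see attached"))
    part = MIMEApplication(inner.getvalue(), Name="WENDY.ZIP")
    part["Content-Disposition"] = 'attachment; filename="WENDY.ZIP"'
    msg.attach(part)
    return msg.as_string()


# Assumed flow-log layout (constructed): "<src> -> <dst>:<port> <proto>"
LOG_LINE = re.compile(r"^(\S+) -> (\S+):(\d+) (tcp|udp)$")


def scanners(log_lines, threshold=20):
    """Map source -> count of TCP attempts to 135/445, for sources above the threshold."""
    counts = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        src, _dst, port, proto = m.groups()
        if proto == "tcp" and int(port) in (135, 445):
            counts[src] += 1
    return {src: n for src, n in counts.items() if n > threshold}


def sample_log_lines():
    """Constructed log: one host sweeping 135/445 across a /24, one host doing normal SMB."""
    lines = [f"10.0.0.7 -> 10.0.0.{i}:{port} tcp" for i in range(1, 51) for port in (135, 445)]
    lines += ["10.0.0.3 -> 10.0.0.9:445 tcp"] * 5
    lines += ["10.0.0.3 -> 10.0.0.9:80 tcp", "10.0.0.3 -> 10.0.0.9:137 udp"]
    return lines


if __name__ == "__main__":
    for r in triage_message(build_sample_message()):
        print("mail:", r)
    for src, n in scanners(sample_log_lines()).items():
        print(f"net: {src} made {n} attempts to TCP 135/445")
```

The double-extension check deliberately keys on the last extension only: a file named report.tar.gz is not flagged, while for_greg.jpg.exe is, whatever the attacker put before the final .exe. The network threshold is a placeholder; in practice it should be set from a baseline of normal RPC/SMB traffic for the segment.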