Virus

W32/Deborm.Q

Analysis

  • Virus is 32bit with a size of 56,320 bytes and is ASPack compressed
  • Virus makes use of the NetBIOS transport protocol, thus if this protocol is not installed, it is not a threat for spreading within networks - virus seeks other systems to infect by scanning IP addresses within the current IP subnet
  • If a target system is found, the virus will attempt to copy itself to that system into the StartUp folder within Windows
  • Virus will write itself to the local machine if executed as two files –
    C:\Windows\litmus\SVCHOST32.EXE
    C:\Windows\System\EXPLORER .EXE <= note there is a space before the period
  • Virus will modify the system registry to load at Windows startup –
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    LTM2 = C:\Windows\litmus\SVCHOST32.EXE

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    NAV Live Update = C:\Windows\Start Menu\Programs\StartUp\(Worm filename)

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    Windows Explorer = Explorer .exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices\
    Windows Explorer = Explorer .exe

  • The file “SVCHOST32.EXE” acts as a remote access Trojan as does “Explorer .exe”