W32/Deborm.R
Analysis
- Virus is 32bit with a size of 70,144 bytes and
is UPX compressed
- Virus makes use of the NetBIOS transport protocol,
thus if this protocol is not installed, it is not
a threat for spreading within networks
- Virus seeks other systems to infect by scanning
IP addresses within the current IP subnet
- If a target system is found, the virus will attempt
to copy itself to that system into the StartUp folder
within Windows
- Virus will write itself to the local machine if
executed as two files –
C:\Windows\litmus\SVCHOSTÿ.EXE
C:\Windows\WINLOGON .EXE <= note space before period
C:\Windows\System\Explorer .EXE <= note space before period
- Virus will modify the system registry to load at
Windows startup –
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
LTM2 = C:\Windows\litmus\SVCHOSTÿ.EXE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
NAV Live Update = C:\Windows\Start Menu\Programs\StartUp\(Worm filename)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
W1N32 = C:\Windows\WINLOGON .exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Explorer = Explorer .exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Explorer = Explorer .exe
- The files act as a remote access Trojan
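A defender-side check for the autostart entries listed above, added here as an example and not part of the original analysis. It runs over a constructed list of (key, value name, data) tuples rather than the live registry, the StartUp filename is a placeholder because the analysis does not give it, and the "space before .exe" rule generalises the masquerade trick noted for WINLOGON .exe and Explorer .exe.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Autostart keys named in the W32/Deborm.R analysis above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices"
AUTOSTART_KEYS = {RUN_KEY, RUNSERVICES_KEY}

# Value names the worm writes, mapped to the file name each points at (lower-cased;
# "winlogon .exe" and "explorer .exe" really contain a space before the period).
DEBORM_VALUES = {
    "ltm2": "svchost\u00ff.exe",        # the ÿ (0xFF) character is part of the name
    "w1n32": "winlogon .exe",
    "windows explorer": "explorer .exe",
}

# Generic masquerade rule: whitespace between the base name and ".exe" in the
# last path component, the trick used to look like a legitimate system binary.
SPACE_BEFORE_EXT = re.compile(r"[^\\/]+\s+\.exe$", re.IGNORECASE)

def file_name(data: str) -> str:
    """Return the final path component of a Run value's data, quotes stripped."""
    return data.strip().strip('"').rsplit("\\", 1)[-1]

def classify(key: str, name: str, data: str) -> Optional[str]:
    """Return a finding for a suspicious autostart entry, or None if it looks benign."""
    if key not in AUTOSTART_KEYS:
        return None
    expected = DEBORM_VALUES.get(name.lower())
    if expected is not None and file_name(data).lower() == expected:
        return f"{key}\\{name}: W32/Deborm.R indicator ({data})"
    if name.lower() == "nav live update" and "\\startup\\" in data.lower():
        return f"{key}\\{name}: Deborm-style entry pointing into the StartUp folder ({data})"
    if SPACE_BEFORE_EXT.search(data.strip().strip('"')):
        return f"{key}\\{name}: whitespace before .exe in {data!r}"
    return None

def scan(entries: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Classify every (key, value name, data) tuple and return the findings."""
    return [f for f in (classify(*e) for e in entries) if f]

# Constructed sample modelled on the entries in the analysis; not a real registry export.
SAMPLE = [
    (RUN_KEY, "LTM2", "C:\\Windows\\litmus\\SVCHOST\u00ff.EXE"),
    (RUN_KEY, "NAV Live Update", r"C:\Windows\Start Menu\Programs\StartUp\WORM-FILENAME-PLACEHOLDER.exe"),
    (RUN_KEY, "W1N32", r"C:\Windows\WINLOGON .exe"),
    (RUN_KEY, "Windows Explorer", r"Explorer .exe"),
    (RUNSERVICES_KEY, "Windows Explorer", r"Explorer .exe"),
    (RUN_KEY, "OneDrive", r"C:\Program Files\OneDrive\OneDrive.exe"),  # benign control
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```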