I-Worm.Duksten. Viruses Information

Name: I-Worm.Duksten.
Category: Viruses
Description: Details
I-Worm.Duksten.a

Duksten.a is a worm that spreads via the Internet in ZIP files attached to infected emails. The worm itself is an encrypted Windows PE EXE file about 10KB in length. In infected messages the attachment is a ZIP archive named SKUDO.ZIP that contains the worm copy, w_skudo.exe.
The infected messages have an empty body and the following fields:
From: "ISP_Tecnico"< skudo@iris.es >
Subject: NetsKudo,proteccion IP para Windows9x/Me/Nt/2000/XP
Attach: SKUDO.ZIP

The worm activates from an infected email only if the user opens the attached file, extracts the EXE file from the ZIP archive, and runs it. The worm then installs itself to the system and runs its spreading routine and payload.
Installing
While installing, the worm copies itself to the Windows system directory with the name NetSkudo.exe and registers that file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
XRF = %SystemDir%\NetSkudo.exe

Spreading
To get victim email addresses, the worm opens the WAB (Windows Address Book) database and reads the addresses stored there. To send infected messages, the worm uses a direct connection to the default SMTP server.
There are several bugs in its email spreading routines, so the worm will have problems spreading to "true" SMTP servers that follow email and transfer standards (RFC standards).
While sending infected emails, the worm also creates the following files in the Windows system directory:
mWAB.XRF - this file contains victim email(s)
mBase64.xrf - worm's ZIP file in MIME form
program.zip - worm's ZIP file

While storing itself in the ZIP archive, the worm uses the "stored" compression method (i.e. the "do not compress" method).
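A mail-filter check for the message fields and the stored-method ZIP attachment described above, as an added example that is not part of the original page. The function names and the sample message are constructed for illustration; the sample carries harmless placeholder bytes.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above.
SENDER = "skudo@iris.es"
SUBJECT = "NetsKudo,proteccion IP para Windows9x/Me/Nt/2000/XP"
ZIP_NAME = "skudo.zip"
EXE_NAME = "w_skudo.exe"


def duksten_indicators(raw):
    """Return the Duksten.a indicators found in one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SENDER in str(msg.get("From", "")).lower():
        hits.append("from")
    if str(msg.get("Subject", "")).strip() == SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != ZIP_NAME:
            continue
        hits.append("zip-name")
        try:
            archive = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            continue  # malformed archive: the name match is still reported
        for info in archive.infolist():
            if info.filename.lower() == EXE_NAME:
                hits.append("exe-name")
                # Method 0 ("stored") means the EXE sits uncompressed in the ZIP.
                if info.compress_type == zipfile.ZIP_STORED:
                    hits.append("stored")
    return hits


def build_sample(inner_name, payload):
    """Constructed test message: placeholder bytes in a stored ZIP, no body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr(inner_name, payload)
    m = EmailMessage()
    m["From"] = '"ISP_Tecnico" <skudo@iris.es>'
    m["Subject"] = SUBJECT
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename="SKUDO.ZIP")
    return m.as_bytes()
```

Because the EXE is stored uncompressed, its bytes appear verbatim inside the ZIP, so a content scanner can inspect the archive member without inflating it.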
Other
The worm also tries to infect other PE EXE files found on the hard drive of infected machines but fails because of a bug.



© 2006-2008 spyware32.com - Privacy Policy