Worm.Serflog Trojan Information
Name: Worm.Serflog
Category: Trojan
Advice: Remove
Risk: Severe Risk
Severe threats are typically remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation normally requires no user interaction, and exploits are in the wild. There is a high likelihood of system damage or a security flaw: an attacker can take complete control of the computer or install new software on it.
Description:
Worm.Serflog is a worm that spreads through file-sharing networks and MSN Messenger. This worm also lowers security settings and blocks access to security-related Web sites and terminates security-related programs.
Once executed, the worm (also identified as W32.Serflog.A) performs the following actions:
Closes any window whose title contains one of the following strings:
ADWARE
ALERTS
ANTI
AUTOSTARTED
Avg
BENIGN
BLOCKER
BUG
BULLGUARD
BUSTER
CENTER
-CILLIN
CLEANER
CMD
Command
DESTROY
DETECTION
DOCTOR
EARTHLINK
EDITOR
ELIMINATE
EYE
FIGHT
Filter
FIREWALL
FIX
FIXING
HEAL
HELP
HUNTER
KERIO
Kill
LABS
LIVEUPDATE
MALWARE
MALWHERE
MCAFEE
NETCOP
NOD32
NORTON
PANDA
PROMPT
PROTECTOR
REGISTRY
REMOVAL
RESTORE
SANDBOX
SCAN
SECURE
SECURITY
SOPHOS
SPY
SPYBOT
SPYWARE
STOPPER
SWEEPER
TASK
TOOL
TREND
Update
VCATCH
VIRUS
WATCH
WORM
As a result, the following may be unusable while the worm is running:
Registry editing programs
Command line
Process monitoring programs
Task manager
Creates the following hidden copies of itself:
%System%\formatsys.exe
%System%\serbw.exe
%Windir%\msmbw.exe
%SystemDrive%\Crazy frog gets killed by train!.pif
%SystemDrive%\Annoying crazy frog getting killed.pif
%SystemDrive%\See my lesbian friends.pif
%SystemDrive%\LOL that ur pic!.pif
%SystemDrive%\My new photo!.pif
%SystemDrive%\Me on holiday!.pif
%SystemDrive%\The Cat And The Fan piccy.pif
%SystemDrive%\How a Blonde Eats a Banana...pif
%SystemDrive%\Mona Lisa Wants Her Smile Back.pif
%SystemDrive%\Topless in Mini Skirt! lol.pif
%SystemDrive%\Fat Elvis! lol.pif
%SystemDrive%\Jennifer Lopez.scr
%SystemDrive%\lspt.exe
%UserProfile%\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe
Drops the following hidden files:
%SystemDrive%\British National Party.jpg
%SystemDrive%\Crazy-Frog.Html
%SystemDrive%\Message to n00b LARISSA.txt
Deletes the following file, if it exists:
%SystemDrive%\MESSAGE_TO_BROPIA.txt
Adds the value:
"[Value]" = "[File name]"
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
so that the worm is executed every time Windows starts.
Where [Value] is one of the following:
serpe
ltwob
avnort
and where [File name] is one of the following:
%System%\formatsys.exe
%System%\serbw.exe
%Windir%\msmbw.exe
Sends a copy of itself to all the contacts in MSN Messenger using one of the following file names:
Crazy frog gets killed by train!.pif
Annoying crazy frog getting killed.pif
See my lesbian friends.pif
My new photo!.pif
Me on holiday!.pif
The Cat And The Fan piccy.pif
How a Blonde Eats a Banana...pif
Mona Lisa Wants Her Smile Back.pif
Topless in Mini Skirt! lol.pif
Fat Elvis! lol.pif
Jennifer Lopez.scr
Copies itself to the following folders, which are used by various file-sharing applications:
%SystemDrive%\My Shared Folder
%UserProfile%\Shared
%ProgramFiles%\Program Files\eMule\Incoming
The worm copies itself to the above folders using the following file names:
Messenger Plus! 3.50.exe
MSN all version polygamy.exe
MSN nudge bomb.exe
Adds the text:
OPEN=autorun.exe
to the following file:
%SystemDrive%\Documents and Settings\[Username]\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf
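The autostart values, dropped file names and autorun.inf change listed above are the indicators a responder would check for on a suspect machine. The script below is an added example, not code from the original write-up or from any antivirus vendor: it takes artefacts already collected from the host (a `reg export` of the autostart keys, a file listing, the contents of the CD Burning autorun.inf) and reports which of the worm's indicators are present, without touching the live system. All function names are this example's own, and the sample inputs at the bottom are constructed.

```python
"""Offline triage for the Worm.Serflog indicators listed above.

Added example, not code from the original write-up or any antivirus vendor.
It inspects artefacts already collected from a suspect host and never touches
the live system. The sample inputs at the bottom are constructed.
"""
import ntpath
import re

# Autostart subkeys the worm writes to (from the write-up).
SERFLOG_RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
}
SERFLOG_VALUE_NAMES = {"serpe", "ltwob", "avnort"}
# Hidden copies dropped into %System% / %Windir%.
SERFLOG_DROPPED_EXES = {"formatsys.exe", "serbw.exe", "msmbw.exe"}
# Names used on the root drive, in P2P shared folders and in MSN transfers.
SERFLOG_FILE_NAMES = SERFLOG_DROPPED_EXES | {
    "lspt.exe", "crazy frog gets killed by train!.pif",
    "annoying crazy frog getting killed.pif", "see my lesbian friends.pif",
    "lol that ur pic!.pif", "my new photo!.pif", "me on holiday!.pif",
    "the cat and the fan piccy.pif", "how a blonde eats a banana...pif",
    "mona lisa wants her smile back.pif", "topless in mini skirt! lol.pif",
    "fat elvis! lol.pif", "jennifer lopez.scr", "messenger plus! 3.50.exe",
    "msn all version polygamy.exe", "msn nudge bomb.exe",
}


def parse_reg_export(text):
    """Parse the [key] and "name"="data" lines of a `reg export` file into
    {key_path: {value_name: data}}. Only string values are kept (all the Run
    keys hold); backslash escapes in the data are undone."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = re.match(r'^"([^"]+)"="(.*)"$', line)
        if val and current is not None:
            keys[current][val.group(1)] = re.sub(r"\\(.)", r"\1", val.group(2))
    return keys


def find_persistence(reg_keys):
    """(key, value_name, data, reason) for autostart entries that use one of
    the worm's value names or point at one of its dropped executables.
    Key paths and names are compared case-insensitively, as the registry does."""
    wanted = {k.lower() for k in SERFLOG_RUN_KEYS}
    hits = []
    for key, values in reg_keys.items():
        if key.lower() not in wanted:
            continue
        for name, data in values.items():
            exe = ntpath.basename(data.strip('"')).lower()
            if name.lower() in SERFLOG_VALUE_NAMES:
                hits.append((key, name, data, "Serflog value name"))
            elif exe in SERFLOG_DROPPED_EXES:
                hits.append((key, name, data, "points at a Serflog dropped file"))
    return hits


def find_dropped_files(paths):
    """Paths whose file name matches one of the worm's copies or lures."""
    return [p for p in paths if ntpath.basename(p).lower() in SERFLOG_FILE_NAMES]


def autorun_inf_hijacked(inf_text):
    """True if the [autorun] section launches autorun.exe, the line the worm
    appends to the CD Burning staging folder's autorun.inf."""
    in_autorun = False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
        elif in_autorun and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k.lower() == "open" and v.lower() == "autorun.exe":
                return True
    return False


# Constructed sample input: two registry entries and three files are the
# worm's, the rest are benign. Note the HKCU key's differing case.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"serpe"="C:\\WINDOWS\\system32\\formatsys.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Messenger"="C:\\WINDOWS\\msmbw.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""
SAMPLE_FILE_LISTING = [
    r"C:\WINDOWS\system32\serbw.exe",
    r"C:\WINDOWS\system32\calc.exe",
    r"C:\My Shared Folder\MSN nudge bomb.exe",
    r"C:\Fat Elvis! lol.pif",
    r"C:\Documents and Settings\user\My Documents\holiday.jpg",
]
SAMPLE_AUTORUN_INF = "[autorun]\nOPEN=autorun.exe\n"

if __name__ == "__main__":
    print("persistence:", find_persistence(parse_reg_export(SAMPLE_REG_EXPORT)))
    print("files:", find_dropped_files(SAMPLE_FILE_LISTING))
    print("autorun.inf hijacked:", autorun_inf_hijacked(SAMPLE_AUTORUN_INF))
```

The persistence check matches on two things deliberately: the value name alone would miss a variant that picks a different name, and the file name alone would miss an entry whose data was edited, so an entry is flagged if either fits. Feed real data by running `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" run.reg` (and the HKCU equivalent) on the host and reading the resulting file into `parse_reg_export`.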
Signatures:
process: serbw.exe: MD5 Hash: 4f9bbfc2edf99bccf05..
Type:
Trojan - A worm is a program that propagates by attacking other computers and copying itself to them. Worms may replace files, but do not insert themselves into files (as viruses do).