Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

General Discussion

Conficker plans to make a comeback - Page 3

Re: Conficker plans to make a comeback

Posted by: Wild MissingNo. appeared
Date: 2009-09-06 09:21:42
The reason I had my email address shown as my Hotmail address is that others from here can find me and contact me if they wanted a chat or wanted any sprites from me. But I've changed it to my Googlemail address, and any spam/junk/dangerous emails will get sent straight to the Spam Bin. There's still no new news on Conficker or Win32.Dozer.

Re: Conficker plans to make a comeback

Posted by: shaggs
Date: 2009-09-06 16:40:06
Get a life, stop using the internet, and you only have to worry about human viruses.

Re: Conficker plans to make a comeback

Posted by: Wild MissingNo. appeared
Date: 2009-09-06 17:13:47
If you haven't got anything useful to say, then shut the fuck up.

I was reading an article on Dozer, and a lot of the DDoS attacks happened in the US and N. Korea, but I think this Win32.Dozer is some reform of MyDoom and another virus/worm. I can't find the article I was reading, but I've found something that can tell how Dozer works. It says:

W32.Dozer

W32.Dozer is a worm that will drop additional threats onto a computer. W32.Dozer can be obtained by opening a malicious attached file from scam email messages.
Type: Worm
Sub-Type: Downloader
Aliases: –
OS Affected: Windows
Detected By: Symantec

What Win32.Dozer does:
It will create the following Windows Registry entries:

* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiConfig
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig

The threat will drop the following malicious files:

* %System%\[RANDOM CHARACTERS].nls
* %System%\wmcfg.exe
* %System%\wmiconf.dll
* %System%\dllcache\npptools.dll
* %System%\drivers\npf.sys
* %System%\npptools.dll
* %System%\Packet.dll
* %System%\WanPacket.dll
* %System%\wpcap.dll

http://www.im-infected.com/worm/w32-dozer.html

Edit: I've found it.

Government DDoS botnet W32.Dozer continues to spread

Symantec Security Response is continuing to monitor a cyber attack, a distributed denial of service (DDoS), impacting multiple U.S. and South Korean government, financial and media Web sites. A portion of the attack is being carried out by a piece of malware Symantec has identified as W32.Dozer and variants of the MyDoom worm that appear to be infecting computers globally.

We discovered a new element to the W32.Dozer threat on July 10. The threat contains code that instructs infected systems to erase critical content on the hard drive. When the infected system's internal clock reaches July 10, 2009, the code will try to find and delete all files with the following extensions:

.accdb, .alz, .asp, .aspx, .c, .cpp, .cpp, .db, .dbf, .doc, .docm, .docx, .eml, .gho, .gul, .hna, .hwp, .java, .jsp, .kwp, .mdb, .pas, .pdf, .php, .ppt, .pptx, .pst, .rar, .rtf, .txt, .wpd, .wpx, .wri, .xls, .xlsx, .xml, .zip

These file extensions are typically associated with office, business and development applications.

In addition to deleting data files, the code modifies the Master Boot Record so that when the system is rebooted, it renders the system inoperable.

W32.Dozer began spreading on July 4, creating a Distributed Denial of Service attack against government, financial and media sites in the U.S. and South Korea. W32.Dozer is a threat that is predominantly distributed as an email attachment. Once a user clicks on the attachment, the threat downloads a package onto the system that contains the following:

* Trojan.Dozer, which is used to overtake the computer for the botnet
* A list of host sites, which instructs the botnet to which sites to attack
* MyDoom worm, which is currently believed to be used for its mass mailing capabilities to redistribute W32.Dozer

Initially, it was reported that the attack leveraged more than 50,000 computers. The growth of the botnet has slowed significantly as users have updated their systems to protect against the threat. The attached heat map shows the spread so far of W32.Dozer; it is no surprise that we have seen most activity in South Korea (red) and the US (green), but other areas of activity have included Canada, China and Australia. Areas experiencing less activity are dark blue.

To help stop this DDoS, Symantec encourages all computer users to update their security software with the latest definitions, keep their computer systems clean and continue to use general best practices for staying safe online.

Dozer Map:
http://i259.photobucket.com/albums/hh317/GlitchHunterMutouYami/dozer_map-300x225.jpg

Re: Conficker plans to make a comeback

Posted by: glitchhunter09
Date: 2009-09-06 17:52:31
Oh, I finally got Avast to work a few months ago, Mutou Yami. I thank you for introducing me to it. My computer is virus-free as far as I can tell, but it has left severe scars on my system. My desktop background is just a wall of color that changes colors each time a program that changes the resolution closes or opens.

Re: Conficker plans to make a comeback

Posted by: Wild MissingNo. appeared
Date: 2009-09-06 18:05:48
No problem, Glisp. It's a shame my PC is too much of a dick to allow it to run on it anymore, but it's been useful for my Vista. I've edited my other post on the news article I was reading on W32.Dozer, and I gotta say, it's a bitch to deal with if you get infected with this bad ass.

Re: Conficker plans to make a comeback

Posted by: shaggs
Date: 2009-09-06 22:22:47
Woah. How can getting a life and keeping your body healthy not be useful advice? Someone is triiiippin.

Re: Conficker plans to make a comeback

Posted by: Zowayix
Date: 2009-09-07 00:06:28

Someone is triiiippin.

I'm 100% sure that someone is you.

Re: Conficker plans to make a comeback

Posted by: Abwayax
Date: 2009-09-07 00:21:25

Get a life, stop using the internet, and you only have to worry about human viruses.

That comment was unwarranted. Please behave.

Re: Conficker plans to make a comeback

Posted by: shaggs
Date: 2009-09-07 01:06:18
Oh geez man. Eh whatever. You guys are just sticking up for her 'cause you feel sorry for her. Having a life is good, being healthy is good, and I'm trippin'? You gotta be kidding me. You know zowa, I don't hate you, yet, stop being fucking nosy, how are you going to insult me when I have never had beef with you and I wasn't even talking to you.

Re: Conficker plans to make a comeback

Posted by: Abwayax
Date: 2009-09-07 01:09:42
I'm not "sticking up" for anyone, I'm just telling you to stop being rude.

Re: Conficker plans to make a comeback

Posted by: shaggs
Date: 2009-09-07 01:22:18
She was rude first and I was just giving advice, so whatever, it doesn't matter because she's autistic huh?

Re: Conficker plans to make a comeback

Posted by: Abwayax
Date: 2009-09-07 01:30:29
She was rude first? Not on this thread, as far as I can tell. The last post before yours was about spam emails, then you went onto here and posted "get a life" (which you very well know isn't "advice").

I know the both of you have history, and if she's rude to you in a thread or PM then feel free to report it. But on THIS THREAD you were the aggressor. I don't care if she started it way back when; because I don't know the history, I'm going to assume the attack came out of nowhere and am going to act accordingly.

I'm impartial. I'm not going to "stick up" for anyone, I'm just going to go after who I think is "starting it." None of her posts in this thread even mentioned you, they were about Conficker or W32.Dozer worms. You derailed the thread with your comment.

I don't have a vendetta - in fact, I'm very far from being "close" to her at all (probably one of her least favorite admins, which goes to show just how neutral I am). I'm not siding with anyone, I just see someone attack someone else and I act on it.

Consider this a friendly warning.

Re: Conficker plans to make a comeback

Posted by: shaggs
Date: 2009-09-07 02:53:01
You're cooler than I originally thought. Well, that all makes sense, but to put it out there, 'get a life' wasn't the only thing I said. I really wasn't even trying to start crap in the first place though. I guess people think the way I talk is offensive, but I'm just being myself, and if anyone's feelings are hurt I really don't care, because if I have a problem with someone I don't hide it. My problem with Yami? She misinterprets everything I say. Sorry for the trouble. Peace.

Re: Conficker plans to make a comeback

Posted by: Wild MissingNo. appeared
Date: 2009-09-07 09:37:12
If I were to "attack" you PeachY, I would have sent you millions of PMs and emails saying what I think about you, but I haven't, so don't start shit with me. I can't help how I am, I was born this way, so deal with who I am. My parents didn't know much about autism in 1988, seeing as they never knew that my father had it until I was diagnosed at the age of 7/9. Sure, I don't have many favorite admins here: Newo, Yuzi (when he wasn't being rude), MissingNo, Mugendai, and sometimes you, Abwayax, but I dislike a lot of the admins who are bloody rude and think they know it all when I'm just trying to be useful, on about these bloody viruses. I'm not doing any harm. I'm fucking harmless. Here's a little more on Trojan.Dropper.Dozer (under other names) found by other antiviruses.

* Submission details:
  o Submission received: 1 September 2009, 03:47:54
  o Processing time: 7 min 12 sec
  o Submitted sample:
    + File MD5: 0x0F394734C65D44915060B36A0B1A972D
    + File SHA-1: 0x426BC6BB3704441E5804D75AD020706F06B3DB5D
    + Filesize: 374,651 bytes
    + Alias:
      # W32.Dozer [Symantec]
      # Trojan-Dropper.Win32.Agent.avml [Kaspersky Lab]
      # W32/Mydoom.cf [McAfee]
      # Mal/Generic-A [Sophos]
      # Trojan:Win32/Meredrop [Microsoft]
      # Generic.Mydoom [Ikarus]
      # Win-Trojan/Downloader.374651 [AhnLab]

Produces outbound traffic. Severity Level: 1
Contains characteristics of an identified security risk. Severity Level: 10

Possible Security Risk
A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment
A network-aware worm that attempts to replicate across the existing network(s)
A program that downloads files to the local computer that may represent a security risk

File System Modifications

* The following files were created in the system:

#1 Filename(s): %System%\pxdrv.nls
Bytes: 0
File Hash: MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
Alias: N/A

#2 Filename(s): [file and pathname of the sample #1]
Bytes: 374,651 bytes
File Hash: MD5: 0x0F394734C65D44915060B36A0B1A972D
SHA-1: 0x426BC6BB3704441E5804D75AD020706F06B3DB5D
Alias: W32.Dozer [Symantec]
Trojan-Dropper.Win32.Agent.avml [Kaspersky Lab]
W32/Mydoom.cf [McAfee]
Mal/Generic-A [Sophos]
Trojan:Win32/Meredrop [Microsoft]
Generic.Mydoom [Ikarus]
Win-Trojan/Downloader.374651 [AhnLab]

#3 Filename(s): %System%\wmiconf.dll
Bytes: 67,072 bytes
File Hash: MD5: 0x50C97BF514643D9E60980985DB0908CA
SHA-1: 0x3975275B857824CBA2D8BBBF1A4867E144E217D4
Alias: W32.Mydoom.A@mm [Symantec]
Email-Worm.Win32.Mydoom.hx [Kaspersky Lab]
Generic BackDoor!ec [McAfee]
Mal/Generic-A [Sophos]
Backdoor.Win32.Mydoom [Ikarus]
Win-Trojan/Mydoom.88064 [AhnLab]

#4 Filename(s): [file and pathname of the sample #1]
Bytes: 374,651 bytes
File Hash: MD5: 0x0F394734C65D44915060B36A0B1A972D
SHA-1: 0x426BC6BB3704441E5804D75AD020706F06B3DB5D
Alias: Trojan.Dozer [Symantec]
Trojan-Downloader.Win32.Agent.chww [Kaspersky Lab]
W32/Mydoom.cf.dll [McAfee]
Troj/Agent-KLT [Sophos]
Trojan:Win32/Lyzapo.A [Microsoft]
Trojan-Dropper.Agent [Ikarus]
Win-Trojan/Agent.67072.DL [AhnLab]

Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications:
Process Name: [filename of the sample #1]
Process Filename: [file and pathname of the sample #1]
Main Module Size: 98,304 bytes

There was a new service created in the system:
Service Name: WmiConfig
Display Name: WMI Performance Configuration
Status: "Stopped"
Service Filename: %System%\svchost.exe -k wmiconf

Registry Modifications:
The following Registry Keys were created:
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiConfig
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiConfig\Parameters
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiConfig\Security
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig\Parameters
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig\Security

The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
                + wmiconf = "WmiConfig"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiConfig\Security]
                + Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiConfig\Parameters]
                + ServiceDll = "%System%\wmiconf.dll"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiConfig]
                + Type = 0x00000120
                + Start = 0x00000002
                + ErrorControl = 0x00000001
                + ImagePath = "%System%\svchost.exe -k wmiconf"
                + DisplayName = "WMI Performance Configuration"
                + ObjectName = "LocalSystem"
                + Description = "Configures and manages performance library information from WMI HiPerf providers."
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig\Security]
                + Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig\Parameters]
                + ServiceDll = "%System%\wmiconf.dll"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig]
                + Type = 0x00000120
                + Start = 0x00000002
                + ErrorControl = 0x00000001
                + ImagePath = "%System%\svchost.exe -k wmiconf"
                + DisplayName = "WMI Performance Configuration"
                + ObjectName = "LocalSystem"
                + Description = "Configures and manages performance library information from WMI HiPerf providers."

Other details:
To mark its presence in the system, the following Mutex object was created:
_MUTEX_AHN_V3PRO_

There were registered attempts to establish connections with remote hosts. The connection details are:
Remote Host: 213.33.116.41
Port Number: 53

Remote Host: 216.199.83.203
Port Number: 80

Remote Host: 213.23.243.210
Port Number: 443

Outbound traffic (potentially malicious)
There was outbound traffic produced on port 443:
00000000 | D5CC CCCC 8498 989C E3FD E2FD EC8B 8998 | …………….
00000010 | ECE3 AFA4 A5A2 ADE3 A8A2 BFF3 CC21      | ………….!

http://www.threatexpert.com/report.aspx?md5=0f394734c65d44915060b36a0b1a972d
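
The ThreatExpert report quoted above documents the persistence mechanism rather than just the file names: a new svchost group "wmiconf" is registered under the SvcHost key, a WmiConfig service is created with ImagePath "svchost.exe -k wmiconf", and its Parameters\ServiceDll points at wmiconf.dll, so the payload runs inside a legitimate svchost.exe process under LocalSystem. The script below is an added example, not code from the post or from ThreatExpert: it parses a .reg export and flags svchost-hosted services whose group or DLL is unexpected. The .reg text is constructed from the report's values (with %System% kept as the report's placeholder); the winmgmt entry and the ALLOWLIST are illustrative assumptions, not a Microsoft inventory.

```python
"""Audit a .reg export for svchost-hosted service persistence.

Added example; not code from the forum post or from ThreatExpert. The .reg text
is constructed from the WmiConfig values in the report, plus a hypothetical
winmgmt entry for contrast. ALLOWLIST is illustrative, not a Microsoft inventory.
"""
import re

# Key paths and value names are compared lower-cased (the registry is case-insensitive).
SVCHOST_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\svchost"
SERVICES_KEY = r"hkey_local_machine\system\currentcontrolset\services"

# Illustrative allowlist of ServiceDll basenames (wmisvc.dll hosts the real WMI service).
ALLOWLIST = {"wmisvc.dll"}

# Constructed export: WmiConfig values from the report, winmgmt entry hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,\
  00,00
"wmiconf"=hex(7):57,00,6d,00,69,00,43,00,6f,00,6e,00,66,00,69,00,67,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt]
"ImagePath"="%System%\\svchost.exe -k netsvcs"
"DisplayName"="Windows Management Instrumentation"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt\Parameters]
"ServiceDll"="%System%\\wbem\\wmisvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig]
"Type"=dword:00000120
"Start"=dword:00000002
"ImagePath"="%System%\\svchost.exe -k wmiconf"
"DisplayName"="WMI Performance Configuration"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig\Parameters]
"ServiceDll"="%System%\\wmiconf.dll"
'''


def _decode_value(raw):
    """Decode one .reg value: "string", dword:, hex(7): multi-string, hex(2): expand-string, hex: binary."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) == "7":  # REG_MULTI_SZ: UTF-16LE strings, NUL-separated, double-NUL end
            return [s for s in data.decode("utf-16-le").split("\x00") if s]
        if m.group(1) == "2":  # REG_EXPAND_SZ stored as UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} with paths and names lower-cased."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):  # .reg continuation line
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.rstrip())
    keys, current = {}, None
    for line in lines:
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name.lower()] = _decode_value(m.group(2))
    return keys


def audit_svchost_services(keys, allowlist=ALLOWLIST):
    """Flag services run via 'svchost.exe -k <group>' whose group or ServiceDll is unexpected."""
    groups = {g: [s.lower() for s in (v if isinstance(v, list) else [str(v)])]
              for g, v in keys.get(SVCHOST_KEY, {}).items()}
    depth = SERVICES_KEY.count("\\") + 1  # only Services\<name>, not its subkeys
    findings = []
    for path, values in keys.items():
        if not path.startswith(SERVICES_KEY + "\\") or path.count("\\") != depth:
            continue
        m = re.search(r"svchost\.exe\s+-k\s+(\S+)", str(values.get("imagepath", "")), re.I)
        if not m:
            continue
        service, group = path.rsplit("\\", 1)[1], m.group(1).lower()
        dll = str(keys.get(path + r"\parameters", {}).get("servicedll", ""))
        reasons = []
        if group not in groups:
            reasons.append(f"no SvcHost group named {group!r}")
        elif service not in groups[group]:
            reasons.append(f"service is not listed in SvcHost group {group!r}")
        if dll.rsplit("\\", 1)[-1].lower() not in allowlist:
            reasons.append(f"ServiceDll {dll!r} is not allowlisted")
        if reasons:
            findings.append({"service": service, "group": group, "service_dll": dll,
                             "display_name": values.get("displayname", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_svchost_services(parse_reg(SAMPLE_REG)):
        print(f"[!] {f['service']} ({f['display_name']}) group={f['group']} dll={f['service_dll']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the constructed export only WmiConfig is reported, for its non-allowlisted wmiconf.dll; the group checks (unregistered group, service missing from its group) cover variants the report does not show, and the name-mimicking display name "WMI Performance Configuration" is a reminder that display strings are not a safe allowlist key.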

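The two identical Security values in the report are a self-relative SECURITY_DESCRIPTOR, the ACL the Service Control Manager stores for the service, and the report cuts the dump off mid-byte. The decoder below is an added example, not code from the post or from ThreatExpert; it walks the documented SECURITY_DESCRIPTOR_RELATIVE, ACL, ACE header and SID layouts over the hex copied verbatim from the report and stops cleanly where the dump is truncated. The decodable part (a failure-audit SACL entry for Everyone over SERVICE_ALL_ACCESS, then a DACL entry granting Local System every right except SERVICE_CHANGE_CONFIG, DELETE, WRITE_DAC and WRITE_OWNER) is consistent with the default descriptor Windows assigns to a newly created service, so the blob itself is not an indicator; the svchost group and ServiceDll are.

```python
"""Decode the WmiConfig service's Security value from the ThreatExpert report.

Added example, not code from the post or from ThreatExpert. Parses the documented
SECURITY_DESCRIPTOR_RELATIVE, ACL, ACE header and SID layouts; the hex is copied
verbatim from the report, which truncates it after a half byte.
"""
import struct

SECURITY_HEX = (
    "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 "
    "01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 "
    "02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 "
    "12 00 00 00 00 00 18 00 FF 01 0F 0"
)

CONTROL_FLAGS = {0x0004: "SE_DACL_PRESENT", 0x0010: "SE_SACL_PRESENT", 0x8000: "SE_SELF_RELATIVE"}
ACE_TYPES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED", 0x02: "SYSTEM_AUDIT"}
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-18": "Local System", "S-1-5-32-544": "Administrators"}
SERVICE_RIGHTS = {  # service-specific rights plus the standard rights used in service ACLs
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG", 0x0004: "SERVICE_QUERY_STATUS",
    0x0008: "SERVICE_ENUMERATE_DEPENDENTS", 0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE", 0x0080: "SERVICE_INTERROGATE", 0x0100: "SERVICE_USER_DEFINED_CONTROL",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}


def hex_to_bytes(text):
    """Turn a space-separated hex dump into bytes, dropping a trailing half byte."""
    return bytes(int(t, 16) for t in text.split() if len(t) == 2)


def service_rights(mask):
    """Name the bits set in a service access mask."""
    return [name for bit, name in SERVICE_RIGHTS.items() if mask & bit]


def parse_sid(buf, off):
    """Return (sid_string, byte_length) for the SID at buf[off:], or (None, 0) if truncated."""
    if off + 8 > len(buf):
        return None, 0
    rev, count = buf[off], buf[off + 1]
    length = 8 + 4 * count
    if off + length > len(buf):
        return None, 0
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), length


def parse_acl(buf, off):
    """Decode the ACL at buf[off:]; ACEs past the end of the dump are reported as truncated."""
    if off + 8 > len(buf):
        return {"revision": None, "size": None, "ace_count": None, "aces": [], "truncated": True}
    rev, _, size, count, _ = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        if pos + 8 > len(buf):
            break
        ace_type, flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        sid, _ = parse_sid(buf, pos + 8)
        if sid is None or pos + ace_size > len(buf):
            break
        aces.append({"type": ACE_TYPES.get(ace_type, hex(ace_type)), "flags": flags, "mask": mask,
                     "sid": sid, "account": WELL_KNOWN_SIDS.get(sid, "?")})
        pos += ace_size
    return {"revision": rev, "size": size, "ace_count": count, "aces": aces, "truncated": len(aces) < count}


def parse_security_descriptor(buf):
    """Decode a self-relative SECURITY_DESCRIPTOR: 20-byte header, then SACL and DACL at their offsets."""
    rev, _, control, off_owner, off_group, off_sacl, off_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    return {
        "revision": rev,
        "control": [name for bit, name in CONTROL_FLAGS.items() if control & bit],
        "owner_offset": off_owner, "group_offset": off_group,
        "sacl": parse_acl(buf, off_sacl) if control & 0x0010 else None,
        "dacl": parse_acl(buf, off_dacl) if control & 0x0004 else None,
    }


if __name__ == "__main__":
    sd = parse_security_descriptor(hex_to_bytes(SECURITY_HEX))
    print("control:", ", ".join(sd["control"]))
    for name in ("sacl", "dacl"):
        acl = sd[name]
        print(f"{name.upper()}: {len(acl['aces'])} of {acl['ace_count']} ACEs decodable"
              + (" (dump truncated)" if acl["truncated"] else ""))
        for ace in acl["aces"]:
            print(f"  {ace['type']} flags=0x{ace['flags']:02X} {ace['sid']} ({ace['account']}): "
                  + "|".join(service_rights(ace["mask"])))
```

The owner and group offsets (0x90 and 0x9C) lie beyond the 83 bytes the report preserves, as does the second DACL entry, whose header bytes 00 00 18 00 FF 01 0F announce an allow ACE of 0x18 bytes (room for a two-subauthority SID) with full access; the decoder leaves those undecoded rather than guessing.
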
Re: Conficker plans to make a comeback

Posted by: tachi
Date: 2009-09-07 10:08:35

If I were to "attack" you Peacy, I would have sent you millions of PMs and emails saying what I think about you, but I haven't, so don't start shit with me. I can't help how I am, I was born this way, so deal with who I am. My parents didn't know much about autism in 1988, seeing as they never knew that my father had it until I was diagnosed at the age of 7/9.

Not to be off topic (I'll delete this soon, Yami) but who here DOESN'T have autism? (Oh, and you misspelled PeachY, I know, I know, it's 'cause you type fast.)