AlphaOne Technology Support Forums
Virus Alerts  |  Topic: W32.Starimp
Author: TJ (Tech Team)
« on: September 19, 2005, 11:48:04 PM »

W32.Starimp is a worm that spreads through peer to peer networks, steals password details, and can download and execute remote files.

When W32.Starimp is executed, it performs the following actions:

   1. Creates the following files:

          * %System%\mcfCC4.dll
          * %System%\mcfdrv.sys

            Note:
          * These files are hidden by the worm.
          * %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   2. Injects the file mcfCC4.dll into some randomly selected processes.

   3. Creates the following registry subkeys so that it runs every time Windows starts:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mcfdrv
      HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_MCFDRV
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mcfCC4

   4. Adds the values:

      "dir0" = "012345:C:\WINDOWS\System32\User Local Files"
      "DlDir0" = "C:\WINDOWS\System32\User Local Files"

      to the registry subkey:

      HKEY_CURRENT_USER\Software\iMesh\Client\LocalContent

      so that it spreads utilising the iMesh peer to peer application.

   5. Adds the values:

      "dir0" = "012345:C:\WINDOWS\System32\User Local Files"
      "dir0" = "DlDir0" = "C:\WINDOWS\System32\User Local Files"
      "DlDir0" = "C:\WINDOWS\System32\User Local Files"
      "DisableSharing" = "dword:00000000"

      to the registry subkey:

      HKEY_CURRENT_USER\Software\Kazaa\LocalContent

      so that it spreads utilising the Kazaa peer to peer application.

   6. Adds the value:

      "dir0" = "012345:C:\WINDOWS\System32\User Local Files"
      "DlDir0" = "C:\WINDOWS\System32\User Local Files"

      to the registry subkey:

      HKEY_CURRENT_USER\Software\Kazaa\Transfer

      so that it spreads utilising the Kazaa peer to peer application.

   7. Copies itself using the following file names:

          * %System%\User Local Files\NAV2005_Keygen!.exe
          * %System%\User Local Files\NAV_updates__05.exe
          * %System%\User Local Files\XXX_teens_16-18.exe
          * %System%\User Local Files\WindowsXP boost.exe
          * %System%\User Local Files\photoshop__2005.exe
          * %System%\User Local Files\anal_sex_photos.exe
          * %System%\User Local Files\TheBat!7.51.256.exe
          * %System%\User Local Files\NortonAntiVirus.exe
          * %System%\User Local Files\DrWEB_Key092007.exe
          * %System%\User Local Files\LAN_hacker_ver2.exe
          * %System%\User Local Files\NeT_KILLER_3.84.exe
          * %System%\User Local Files\julia_XXX_video.exe
          * %System%\User Local Files\Kaspersky_KEY08.exe
          * %System%\User Local Files\HACKER'S View 2.exe
          * %System%\User Local Files\Mozilla_1.9.927.exe
          * %System%\User Local Files\ProfessionalICQ.exe

   8. Attempts to steal account details by monitoring Internet Explorer for the following Web page:

      [http://]www.e-gold.com/[REMOVED]

   9. Gathers passwords stored on the compromised computer.

  10. May create the following data files:

          * %System%\drivers\updR.ies4
          * %System%\drivers\updR2.ies4
          * %System%\bkp.ies4
          * %System%\tickcnt.bin

  11. Can download and execute remote files.


REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/w32.starimp.html


To restart the computer using the Windows Recovery Console
To remove this threat it is necessary to restart the computer and run the Windows Recovery Console. For full details on how to do this please read the Microsoft Knowledge Base article: How to install and use the Recovery Console in Windows XP.

   1. Insert the Windows XP CD-ROM into the CD-ROM drive.
   2. Restart the computer from the CD-ROM drive.
   3. Press "R" to start the Recovery Console when the "Welcome to Setup" screen appears.
   4. Select the installation that you want to access from the Recovery Console, if you have a dual-boot computer.
   5. Enter the administrator password
   6. Press Enter
   7. Type cd \windows\system32
   8. Press Enter
   9. Type del mcfCC4.dll
  10. Press Enter
  11. Type del mcfdrv.sys
  12. Press Enter
  13. Type exit
  14. Press Enter. The computer will now restart automatically.


To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation.

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.

To delete the value from the registry
   1. Click Start > Run.
   2. Type regedit
   3. Click OK.
   4. Navigate to and delete the subkeys:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mcfdrv
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mcfCC4

   5. Navigate to the subkey, if present:

      HKEY_CURRENT_USER\Software\iMesh\Client\LocalContent

   6. In the right pane, delete the values:

      "dir0" = "012345:C:\WINDOWS\System32\User Local Files"
      "DlDir0" = "C:\WINDOWS\System32\User Local Files"

   7. Navigate to the subkey, if present:

      HKEY_CURRENT_USER\Software\Kazaa\LocalContent

   8. In the right pane, delete the values:

      "dir0" = "012345:C:\WINDOWS\System32\User Local Files"
      "dir0" = "DlDir0" = "C:\WINDOWS\System32\User Local Files"
      "DlDir0" = "C:\WINDOWS\System32\User Local Files"
      "DisableSharing" = "dword:00000000"

   9. Navigate to the subkey, if present:

      HKEY_CURRENT_USER\Software\Kazaa\Transfer

  10. In the right pane, delete the value:

      "dir0" = "012345:C:\WINDOWS\System32\User Local Files"
      "DlDir0" = "C:\WINDOWS\System32\User Local Files"

  11. Exit the Registry Editor.
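The following read-only PowerShell check is an added example, not part of the original post or of Symantec's write-up. It looks for the files, registry keys and peer-to-peer share redirections listed above, so it can be used before cleaning (to confirm the infection) or afterwards (to confirm nothing was missed); it deletes nothing. The indicator names are taken as the post gives them; %System% is resolved from the environment.

```powershell
# Added example (not from the original post or Symantec's write-up):
# read-only check for the W32.Starimp artifacts listed above. Nothing is deleted.
$system = [Environment]::GetFolderPath('System')   # resolves %System%

$files = @(
    "$system\mcfCC4.dll",
    "$system\mcfdrv.sys",
    "$system\User Local Files",          # drop folder for the P2P copies
    "$system\drivers\updR.ies4",
    "$system\drivers\updR2.ies4",
    "$system\bkp.ies4",
    "$system\tickcnt.bin"
)

$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\mcfdrv',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCFDRV',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mcfCC4'
)

# P2P client keys -> value names the worm sets to redirect the shared folder
$p2pValues = @{
    'HKCU:\Software\iMesh\Client\LocalContent' = @('dir0', 'DlDir0')
    'HKCU:\Software\Kazaa\LocalContent'        = @('dir0', 'DlDir0', 'DisableSharing')
    'HKCU:\Software\Kazaa\Transfer'            = @('dir0', 'DlDir0')
}

$findings = @()
foreach ($f in $files) {
    # -Force so the files the worm hides are still seen
    if (Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue) { $findings += "file present: $f" }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "registry key present: $k" }
}
foreach ($k in $p2pValues.Keys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $props = Get-ItemProperty -LiteralPath $k
    foreach ($name in $p2pValues[$k]) {
        $v = $props.$name
        if ($null -eq $v) { continue }
        # the worm points dir0/DlDir0 at its "User Local Files" drop folder
        if ($v -like '*User Local Files*') { $findings += "P2P share redirected: $k\$name = $v" }
        # DisableSharing=0 alone is weak evidence; report it only for context
        elseif ($name -eq 'DisableSharing' -and $v -eq 0) { $findings += "sharing enabled (weak indicator): $k\$name = 0" }
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'No W32.Starimp artifacts found.' }
```

Run it from an elevated PowerShell prompt so the HKLM service and Winlogon\Notify keys and the hidden files under %System% are readable.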