View Full Version : crvss.exe alert



drb1
18-09-2004, 01:57 PM
crvss.exe

Google not yet listed, lives in winnt sys32 (of course).

Sends large quantities of information somewhere.

Detected by zone alarm as outgoing request.

Not detected by avg or various other tools as yet.

Constant running task refuses to be stopped in task manager.

makes computer slow obviously.

remove from outside operating system.

FYI.

D.

mark c
18-09-2004, 02:10 PM
Good on you. Any idea how/where you got this?

Spacemannz
18-09-2004, 02:17 PM
It could be this. It installs this file

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.ab.html

drb1
18-09-2004, 02:18 PM
Mark c,

You won't like this, here or Trade Me.

I was here, I was there, then here, then Zone Alarm made a request, brand new program less than 3 minutes after install, no restart required.

very fast information upload.

D.

Spacemannz
18-09-2004, 02:19 PM
oops try again

When Backdoor.Sdbot.AB is executed, it performs the following actions:


Creates the following copy of itself:

%system%\crvss.exe

Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Adds the value:

"Windows media service"="crvss.exe"

to the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


Attempts to access the network share folder $IPC.

If the network share folder is password-protected, the Trojan horse attempts to gain access using the following user names and passwords:



Opens a backdoor by connecting to the IRC server newuslut.parited.net on TCP port 6564, and listening for commands from a remote attacker. These commands may allow a remote attacker to perform some of the following actions:

Perform a Denial of Service (DoS) attack against a target host
Retrieve system information
Connect to a URL
Upload and download files
Execute programs
Log keystrokes
Sniff network packets
Conduct port scans against other computers
Steal the Windows Product ID


Steals CD keys for the following games:

Neverwinter Nights (Hordes of the Underdark)
Neverwinter Nights (Shadows of Undrentide)
Neverwinter Nights
Soldier of Fortune II - Double Helix
Software\Activision\Soldier of Fortune II - Double Helix
Hidden & Dangerous 2
Chrome
NOX
Command and Conquer: Red Alert 2
Command and Conquer: Red Alert
Command and Conquer: Tiberian Sun
Rainbow Six III RavenShield
Nascar Racing 2003
Nascar Racing 2002
NHL 2003
NHL 2002
FIFA 2003
FIFA 2002
Shogun: Total War: Warlord Edition
Need For Speed: Underground
Need For Speed Hot Pursuit 2
Medal of Honor: Allied Assault: Spearhead
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault
Global Operations
Command and Conquer: Generals
James Bond 007: Nightfire
Command and Conquer: Generals (Zero Hour)
Black and White
Battlefield Vietnam
Battlefield 1942 (Secret Weapons of WWII)
Battlefield 1942 (Road To Rome)
Battlefield 1942
Freedom Force
IGI 2: Covert Strike
Unreal Tournament 2004
Unreal Tournament 2003
Microsoft Windows Product ID
ProductId
Soldiers Of Anarchy
Legends of Might and Magic
Industry Giant 2
Half-Life
Gunman Chronicles
The Gladiators
Counter-Strike

Disable system restore

Then

Click Start > Run.
Type regedit

Then click OK.


Navigate to the keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value:

"Windows media service"="crvss.exe"


Exit the Registry Editor.
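An added example, not from this thread or from Symantec's write-up: a small Python triage script that checks a registry export and a System32 file listing for the two indicators quoted above (the "Windows media service" autorun value under Run and RunServices, and the dropped %System%\crvss.exe), which is useful when the hive and disk are examined from outside the infected OS as drb1 suggests. The minimal .reg parsing, the function names and the sample input are assumptions constructed for this example.

```python
import re

# Indicators quoted from the Backdoor.Sdbot.AB write-up earlier in this thread.
IOC_FILE = "crvss.exe"  # note the look-alike name: csrss.exe is a legitimate Windows process
IOC_RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
# One  "name"="data"  line of a .reg export (backslashes are written as \\ there, kept as-is).
_REG_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse a minimal .reg export into {key (lower-cased): {value_name: data}}; REG_SZ only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = _REG_VALUE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys

def find_sdbot_indicators(reg_text, system_dir_files):
    """Return findings for the autorun values and the dropped file, in that order."""
    findings = []
    reg = parse_reg_export(reg_text)
    for key in IOC_RUN_KEYS:
        for name, data in reg.get(key.lower(), {}).items():
            if IOC_FILE in data.lower():  # match the data, not the easily renamed value name
                findings.append(f"autorun: {key}\\{name} = {data}")
    for fname in system_dir_files:
        if fname.lower() == IOC_FILE:  # exact match, so csrss.exe is not flagged
            findings.append(f"file: %System%\\{fname}")
    return findings

# Constructed sample input (not a real export): an infected machine's Run keys
# and a few System32 file names, including the legitimate look-alike csrss.exe.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows media service"="crvss.exe"
"SomeVendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows media service"="crvss.exe"
"""
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "csrss.exe", "crvss.exe"]
```

Run `find_sdbot_indicators(SAMPLE_REG, SAMPLE_SYSTEM_DIR)` against an export taken from the offline hive and a directory listing of the system folder; an empty list means neither indicator is present.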

drb1
18-09-2004, 02:40 PM
Spacemannz,

That's probably him. Why would they want old W2K product keys?

And very little under his name on google too.

D.

Spacemannz
18-09-2004, 03:00 PM
It's a trojan/backdoor. That's what they do, steal information.