techian.com

A Blog With No Limits

Advertisement

Drivemonitor.exe flashguard.exe driveguard.exe

Posted on August 3, 2008 by admin

Drivemonitor.exe flashguard.exe driveguard.exe
all are same..invariants of Win32.Worm.Autoit.AL

Spreading: low
Damage: medium
Size: 212 Kb
Discovered: 2008 Jul 24

The presence of

%programfiles%FlashGuardFlashGuard.exe
%windrive%FlashGuardReadMe.txt
%windrive%FlashGuardFlashGuard.exe

The presence of autorun.inf on removable drives that contains

[autorun]
open=SystemSecurityDriveGuard.exe -run
shellOpen=&Open
shellOpenCommand=SystemSecurityDriveGuard.exe -run
shellExplore=&Explore
shellExploreCommand=SystemSecurityDriveGuard.exe -run

technical description:
This worm tries to impersonate a friendly application one that wants to protect your removable drives from other pieces of malware.

The malicious file would copy itself to %programfiles%FlashGuardFlashGuard.exe

It also includes a readme file that reads:
“This tiny software is used to protect removable storage devices from
worms that are spread from one PC to another. ”

It creates the following registry keys:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunFlashGuard
with the value “%windrive%FlashGuardFlashGuard.exe” -run

HKCUSoftwareMicrosoftWindowsCurrentVersionRunFlashGuard
with the value “%windrive%FlashGuardFlashGuard.exe” -run

Copies the readme file to %windrive%FlashGuardReadMe.txt

It checks if any of the following processes are running,
iexplore.exe,alg.exe,csrss.exe,cssrs.exe,cssrss.exe,explore.exe,
expIorer.exe,csrss.exe,iexplorer.exe,lexplore.exe,lsass.exe,lssas.exe,
lssass.exe,scshost.exe,scvhost.exe,scvhsot.exe,smss.exe,smsss.exe,
spoolss.exe,spoolsv.exe,spoolvs.exe,ssms.exe,sssms.exe,ssvhost.exe,
svchost.exe,svchsot.exe,serivces.exe,taskmgr.exe,wilnogon.exe,winl0g0n.exe,
winlgoon.exe,winlogno.exe,winlogon.exe,wlnlogon.exe
and if is not one of:
Program FilesInternet Exploreriexplore.exe,
system32svchost.exe,
system32lsass.exe,
system32csrss.exe,
system32alg.exe,
system32winlogon.exe,
system32smss.exe,
system32spoolsv.exe,
system32taskmgr.exe
the process would terminated and the file would get renamed with a “.bak” extension

this worm will remove all files from C:heap41a that are related to other malicious programs

it enables TaskManager if is disabled

will infect any removable drive writing autorun.inf and a copy of itself
in %drv%SystemSecurityDriveGuard.exe with hidden attribute

payload:

will download from http://[removed]/lndexnew.jpg
and http://[removed]/lndexnew.txt
executable files that will be copied to temporary directory with a random name
and reg key HKLMsoftwaremicrosoftwindowscurrentversionRunOncetemp_cleanup
with value “%temp_path%[random].exe” will be created
All downloaded files are backdoors

Popularity: 4% [?]

If you like this post then why not share it with others by bookmarking it? Please Bookmark it:
  • Print
  • Digg
  • Sphinn
  • del.icio.us
  • Facebook
  • Mixx
  • Google Bookmarks
  • Blogosphere News
  • LinkedIn
  • PDF
  • SphereIt
  • StumbleUpon
  • Technorati
  • TwitThis
  • Yahoo! Buzz

Tagged as: ,

Comments

No Responses to “Drivemonitor.exe flashguard.exe driveguard.exe”

Write a Comment