W32/kespo - Parasitic Infector Keeps A Detailed Activity Log

No replies to this topic

#1 harrywaldron
Security Reporter (Members, 509 posts)
Posted 13 July 2007 - 10:39 PM

AV coverage is present, and parasitic PE-based threats have been around for years. The interesting development in this new virus is the activity log file. It writes to it as it scans the system for vulnerabilities or as it actually infects it.

PE-based infectors can spread rapidly to all EXE files where network shares and folders aren't locked down. These "network walkers" can infect dozens and even hundreds of files on a PC if shares were publicly open and the virus was able to seed.

This virus could originate as a Trojan horse email, a website EXE download, or any other method by which an EXE file could be shared. I've not seen a virus that keeps a sophisticated log file of all of its activity like this one. Might it be further used by malicious individuals to research any security weaknesses?

W32/Kespo - Parasitic Infector keeps a detailed activity log
http://vil.nai.com/vil/content/v_142549.htm
http://secunia.com/virus_information/40145/kespo.a/

W32/Kespo infects Windows executables parasitically, prepending its code to existing files. The DLL and EXE files are pure viral code. The DLL file is injected into the memory space of Explorer. The virus replicates by infecting executable files on local and shared/remote drives.


EXAMPLES OF LOG FILE MAINTAINED BY VIRUS:

The non-executable files are data files or link files. The data files track what the virus has done, and can have content like the following:

3/30/2006 1:03:40 PM - Guardian process started
3/30/2006 1:05:12 PM - Virus service terminated, try to restore it
3/30/2006 1:05:12 PM - Restoring virus service file
3/30/2006 1:05:12 PM - Virus service file restored
3/30/2006 1:05:13 PM - Restarting virus service

or

3/30/2006 1:03:34 PM - K Print Spooler Service starting...
3/30/2006 1:03:35 PM - Scanner for drive C has been created and started
3/30/2006 1:03:35 PM - Scanner for drive D has been created and started
3/30/2006 1:03:35 PM - Mencari di folder D:\
3/30/2006 1:03:36 PM - Scanner for drive E has been created and started
3/30/2006 1:03:36 PM - Scanner for drive F has been created and started
3/30/2006 1:03:36 PM - Scanner for drive G has been created and started
3/30/2006 1:03:36 PM - K Print Spooler Service started
3/30/2006 1:03:38 PM - Mencari di folder D:\System Volume Information
3/30/2006 1:03:39 PM - Guardian process not exists, try create it
3/30/2006 1:03:39 PM - Explorer found (HWND: 65646) injecting it
3/30/2006 1:03:39 PM - Mencari di folder D:\
3/30/2006 1:03:40 PM - Guardian process created
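As an added example (not code from the post, McAfee or Secunia), here is a small Python triage parser for the log format quoted above. It splits each line into timestamp and message, classifies the messages into the event types the post shows (drive scanners, folder walks, Explorer injection, guardian creation, service self-repair) and reduces a log to the facts a responder wants first: which drives and folders the virus walked, which Explorer window handle it injected, and how long the activity spanned. The sample log is constructed from the quoted entries, merged into one file; the lines beginning "Mencari di folder" are Indonesian for "searching in folder". The pattern set and the `is_kespo_log` hunting heuristic are assumptions drawn only from the strings shown on this page, not from the actual binary.

```python
"""Triage helper for a W32/Kespo-style activity log.

Added example, not code from the post, McAfee or Secunia. The line format
("M/D/YYYY h:mm:ss AM - message") and the message strings are the ones quoted
in the post; the pattern set below is an assumption drawn only from those.
"""
import re
from datetime import datetime

# Constructed sample: the two excerpts quoted in the post merged into one file,
# plus one malformed line to show that non-log content is skipped.
SAMPLE_LOG = (
    "3/30/2006 1:03:34 PM - K Print Spooler Service starting...\n"
    "3/30/2006 1:03:35 PM - Scanner for drive C has been created and started\n"
    "3/30/2006 1:03:35 PM - Scanner for drive D has been created and started\n"
    "3/30/2006 1:03:35 PM - Mencari di folder D:\\\n"
    "3/30/2006 1:03:36 PM - Scanner for drive E has been created and started\n"
    "3/30/2006 1:03:36 PM - Scanner for drive F has been created and started\n"
    "3/30/2006 1:03:36 PM - Scanner for drive G has been created and started\n"
    "3/30/2006 1:03:36 PM - K Print Spooler Service started\n"
    "3/30/2006 1:03:38 PM - Mencari di folder D:\\System Volume Information\n"
    "3/30/2006 1:03:39 PM - Guardian process not exists, try create it\n"
    "3/30/2006 1:03:39 PM - Explorer found (HWND: 65646) injecting it\n"
    "3/30/2006 1:03:39 PM - Mencari di folder D:\\\n"
    "3/30/2006 1:03:40 PM - Guardian process created\n"
    "3/30/2006 1:03:40 PM - Guardian process started\n"
    "this line is not a log entry and must be ignored\n"
    "3/30/2006 1:05:12 PM - Virus service terminated, try to restore it\n"
    "3/30/2006 1:05:12 PM - Restoring virus service file\n"
    "3/30/2006 1:05:12 PM - Virus service file restored\n"
    "3/30/2006 1:05:13 PM - Restarting virus service\n"
)

LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) - (.+)$")
TS_FMT = "%m/%d/%Y %I:%M:%S %p"

# Event classes keyed by the message strings quoted in the post (assumed to be
# the full set; real logs may contain more). Group 1, where present, carries
# the interesting value: drive letter, folder path or window handle.
PATTERNS = {
    "service_start":   re.compile(r"^K Print Spooler Service start(?:ing\.\.\.|ed)$"),
    "drive_scanner":   re.compile(r"^Scanner for drive ([A-Z]) has been created and started$"),
    "folder_scan":     re.compile(r"^Mencari di folder (.+)$"),  # Indonesian: "searching in folder"
    "explorer_inject": re.compile(r"^Explorer found \(HWND: (\d+)\) injecting it$"),
    "guardian":        re.compile(r"^Guardian process (started|created|not exists, try create it)$"),
    "self_repair":     re.compile(r"^(?:Virus service terminated, try to restore it"
                                  r"|Restoring virus service file"
                                  r"|Virus service file restored"
                                  r"|Restarting virus service)$"),
}


def parse_log(text):
    """Return a list of (timestamp, kind, value, message); lines that do not
    fit the timestamp format are skipped, unknown messages become 'other'."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FMT)
        msg = m.group(2)
        kind, value = "other", None
        for name, pat in PATTERNS.items():
            pm = pat.match(msg)
            if pm:
                kind = name
                value = pm.group(1) if pm.groups() else None
                break
        events.append((ts, kind, value, msg))
    return events


def summarize(events):
    """Collapse parsed events into the facts an incident responder wants first."""
    by_kind = {}
    for _, kind, _, _ in events:
        by_kind[kind] = by_kind.get(kind, 0) + 1
    stamps = [ts for ts, _, _, _ in events]
    return {
        "drives": sorted({v for _, k, v, _ in events if k == "drive_scanner"}),
        "folders": [v for _, k, v, _ in events if k == "folder_scan"],
        "explorer_hwnds": [int(v) for _, k, v, _ in events if k == "explorer_inject"],
        "guardian_events": by_kind.get("guardian", 0),
        "self_repair_events": by_kind.get("self_repair", 0),
        "unclassified": by_kind.get("other", 0),
        "first_seen": min(stamps).isoformat() if stamps else None,
        "last_seen": max(stamps).isoformat() if stamps else None,
        "span_seconds": int((max(stamps) - min(stamps)).total_seconds()) if stamps else 0,
    }


def is_kespo_log(text, min_kinds=2):
    """Cheap hunting heuristic for data files found on open shares: flag a file
    when it parses as this log format and shows at least `min_kinds` distinct
    event classes, so one stray matching string alone does not trigger."""
    kinds = {k for _, k, _, _ in parse_log(text) if k != "other"}
    return len(kinds) >= min_kinds


if __name__ == "__main__":
    for key, val in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {val}")
```

Because the log names every drive and folder the scanner touched and the HWND of the Explorer instance it injected, the summary doubles as a scoping list for cleanup: every drive letter it reports is a candidate for a full PE scan, and shares it walked should be checked on the remote side too.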
