
Sykel Alert

infectionvectors.com

September 2004

 

Vector: LSASS exploit/MyDoom/KaZaA/ICQ

Impact: Low (consumes local resources, generates mail traffic)

 

Sykel is the second Trojan dropped by MyDoom (the first being Nemog). This Trojan spreads via KaZaA file shares and includes its own worm-like propagation mechanism: exploitation of the LSASS buffer overrun.

 

Sykel attempts to connect to the following to download MyDoom and Nemog:

 

In addition, Sykel sends the following to ICQ contacts on the infected box:

fun game http:/ /www.scionic[DO NOT FOLLOW] music.com/ajr/game.exe =)

funny flash-game :)) http:/ /69.93[DO NOT FOLLOW].58.116/game.exe

funy game http:/ /www.sc[DO NOT FOLLOW] ionicmusic.com/ajr/game.exe =))

http:/ /64.40.98.94/ico[DO NOT FOLLOW] n/icon.exe

http:/ /64.40.98.94/icon/ico[DO NOT FOLLOW] n.exe funny :D

http:/ /www.llc. [DO NOT FOLLOW] unibo.it/claroline142/photo.exe i cried :-D

http:/ /www.llc.unibo.it/claroli[DO NOT FOLLOW] ne142/photo.exe lol =))

i now play in game http:/ /www.scioni[DO NOT FOLLOW] cmusic.com/ajr/game.exe :-):-)

it's all about you http:/ /69.93. [DO NOT FOLLOW] 58.116/game.exe :)

my photos (archived) http:/ /www.llc.uni [DO NOT FOLLOW] bo.it/claroline142/photo.exe

whoah! check this out! (self-extracting archive)

 

These URLs are pointers to MyDoom/Nemog files. Do not access.

 

It copies itself using the following names to KaZaA shares:

1.exe

antibush.scr

childporno.pif

crazzygirls.scr

dap53 crack.exe

dap53.exe

dap71.exe

dvdplayer.exe

eroticgirls2.0.exe

fantasy.scr

hello.pif

icq2004-final.exe

icqcrack.exe

icqlite.exe

icqpro2003b crack.exe

icqpro2003b.exe

iMeshV4 crack.exe

iMeshV4.exe

kmd.exe

LimeWireWin.exe

matrix.scr

matrix.scr

Morpheus.exe

myfack.pif

mylove.pif

mymusic.pif

newvirus.exe

nicegirlsshowv12.scr

opera7.7.exe

opera7.x crack.exe

pinguin5.exe

rulezzz.scr

trillian 2.0 crack.exe

trillian-v2.74h.exe

tropicallagoonss.scr

winamp5.exe

winamp6.exe

WinZip 9.0 crack.exe

WinZip 9.0.exe

wrar330 crack.exe

wrar330.exe

you the best.scr

zlsSetup_45_538_001.exe
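
One way to sweep a KaZaA shared folder for the names listed above, as an added example that is not part of the original alert. It uses a subset of the listed names and assumes the copies Sykel drops are byte-identical, so the same content appearing under several lure names is treated as a stronger signal than a name match alone; the function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Subset of the lure names from the alert, lower-cased for case-insensitive
# matching. Extend with the full list when sweeping a real share.
LURE_NAMES = {
    "1.exe", "antibush.scr", "dap53 crack.exe", "icq2004-final.exe",
    "icqcrack.exe", "matrix.scr", "winamp5.exe", "winzip 9.0 crack.exe",
    "wrar330.exe", "you the best.scr",
}

def sha256_of(path):
    """Hash a file in chunks so large shared files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_share(share_dir):
    """Return (name_hits, clone_groups) for a shared folder.

    name_hits: relative paths whose file name matches a lure name.
    clone_groups: name hits with identical content (assumption: the
    Trojan's copies of itself are byte-identical).
    """
    by_hash = defaultdict(list)
    hits = []
    for root, _dirs, files in os.walk(share_dir):
        for name in files:
            if name.lower() in LURE_NAMES:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, share_dir)
                hits.append(rel)
                by_hash[sha256_of(full)].append(rel)
    clones = sorted(sorted(g) for g in by_hash.values() if len(g) > 1)
    return sorted(hits), clones

def demo():
    """Constructed share: two identical lure-named files, one distinct, one unrelated."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("winamp5.exe", b"SAMPLE-A"), ("ICQCrack.exe", b"SAMPLE-A"),
                           ("matrix.scr", b"SAMPLE-B"), ("holiday.jpg", b"SAMPLE-A")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return scan_share(d)

if __name__ == "__main__":
    print(demo())
```

A lone name hit such as a genuine `winamp5.exe` installer needs a second look before removal; a clone group is the case to triage first.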

 

Copyright © 2004 infectionvectors.com. All rights reserved.