Nume:WORM/Bagle.GM.1
Descoperit pe data de:27/06/2006
Tip:Vierme
ITW:Nu
Numar infectii raportate:Scazut
Potential de raspandire:Mediu
Potential de distrugere:Scazut spre mediu
Fisier static:Da
Marime:95.369 Bytes
MD5:b61763f7768390b6bc7c715b252079e6
Versiune VDF:6.35.00.79
Versiune IVDF:6.35.00.87

 General Metoda de raspandire:
   • Email


Alias:
   •  Symantec: W32.Beagle.FF@mm
   •  Mcafee: W32/Bagle.dldr
   •  Kaspersky: Email-Worm.Win32.Bagle.gm
   •  TrendMicro: WORM_BAGLE.FF
   •  VirusBuster: trojan I-Worm.Bagle.JV
   •  Bitdefender: Win32.Bagle.FG@mm


Sistem de operare:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Efecte secundare:
   • Descarca un fisier
   • Descarca un fisier malware
   • Creeaza un fisier
   • Creeaza un fisier malware
   • Utilizeaza propriul motor de email
   • Reduce setarile de securitate
   • Modificari in registri


Afiseaza continutul fisierului imagine creat:


 Fisiere Se copiaza in urmatoarea locatie:
   • %HOME%\Application Data\HIDN\HIDN2.EXE



Sunt create fisierele:

– Creeaza o arhiva ce contine o copie malware:
   • C:\temp.zip

– %HOME%\Application Data\HIDN\M_HOOK.SYS Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: TR/Rkit.Bagle.GL

– C:\error.gif



Incearca sa descarce cateva fisiere:

– Adresele sunt urmatoarele:
   • http://ujscie.one.pl/**********
   • http://1point2.iae.nl/**********
   • http://appaloosa.no/**********
   • http://apromed.com/**********
   • http://arborfolia.com/**********
   • http://pawlacz.com/**********
   • http://areal-realt.ru/**********
   • http://bitel.ru/**********
   • http://yetii.no-ip.com/**********
   • http://art4u1.superhost.pl/**********
   • http://www.artbed.pl/**********
   • http://art-bizar.foxnet.pl/**********
   • http://www.jonogueira.com/**********
   • http://asdesign.cz/**********
   • http://ftp-dom.earthlink.net/**********
   • http://www.aureaorodeley.com/**********
   • http://www.autoekb.ru/**********
   • http://www.autovorota.ru/**********
   • http://avenue.ee/**********
   • http://www.avinpharma.ru/**********
   • http://ouarzazateservices.com/**********
   • http://stats-adf.altadis.com/**********
   • http://bartex-cit.com.pl/**********
   • http://bazarbekr.sk/**********
   • http://gnu.univ.gda.pl/**********
   • http://bid-usa.com/**********
   • http://biliskov.com/**********
   • http://biomedpel.cz/**********
   • http://blackbull.cz/**********
   • http://bohuminsko.cz/**********
   • http://bonsai-world.com.au/**********
   • http://bpsbillboards.com/**********
   • http://cadinformatics.com/**********
   • http://canecaecia.com/**********
   • http://www.castnetnultimedia.com/**********
   • http://compucel.com/**********
   • http://continentalcarbonindia.com/**********
   • http://ceramax.co.kr/**********
   • http://prime.gushi.org/**********
   • http://www.chapisteriadaniel.com/**********
   • http://charlesspaans.com/**********
   • http://chatsk.wz.cz/**********
   • http://www.chittychat.com/**********
   • http://checkalertusa.com/**********
   • http://cibernegocios.com.ar/**********
   • http://5050clothing.com/**********
   • http://cof666.shockonline.net/**********
   • http://comaxtechnologies.net/**********
   • http://concellodesandias.com/**********
   • http://www.cort.ru/**********
   • http://donchef.com/**********
   • http://www.crfj.com/**********
   • http://kremz.ru/**********
   • http://dev.jintek.com/**********
   • http://foxvcoin.com/**********
   • http://uwua132.org/**********
   • http://v-v-kopretiny.ic.cz/**********
   • http://erich-kaestner-schule-donaueschingen.de/**********
   • http://vanvakfi.com/**********
   • http://axelero.hu/**********
   • http://kisalfold.com/**********
   • http://vega-sps.com/**********
   • http://vidus.ru/**********
   • http://viralstrategies.com/**********
   • http://svatba.viskot.cz/**********
   • http://Vivamodelhobby.com/**********
   • http://vkinfotech.com/**********
   • http://vytukas.com/**********
   • http://waisenhaus-kenya.ch/**********
   • http://watsrisuphan.org/**********
   • http://www.ag.ohio-state.edu/**********
   • http://wbecanada.com/**********
   • http://calamarco.com/**********
   • http://vproinc.com/**********
   • http://grupdogus.de/**********
   • http://knickimbit.de/**********
   • http://dogoodesign.ch/**********
   • http://systemforex.de/**********
   • http://zebrachina.net/**********
   • http://www.walsch.de/**********
   • http://hotchillishop.de/**********
   • http://innovation.ojom.net/**********
   • http://massgroup.de/**********
   • http://web-comp.hu/**********
   • http://webfull.com/**********
   • http://welvo.com/**********
   • http://www.ag.ohio-state.edu/**********
   • http://poliklinika-vajnorska.sk/**********
   • http://wvpilots.org/**********
   • http://www.kersten.de/**********
   • http://www.kljbwadersloh.de/**********
   • http://www.voov.de/**********
   • http://www.wchat.cz/**********
   • http://www.wg-aufbau-bautzen.de/**********
   • http://www.wzhuate.com/**********
   • http://zsnabreznaknm.sk/**********
   • http://xotravel.ru/**********
   • http://ilikesimple.com/**********
   • http://yeniguntugla.com/**********
Fisierul este stocat pe hard disc la: %SYSDIR%\re_file.exe In plus, acest fisier este executat dupa ce este descarcat de pe Internet. Analiza ulterioara a relevat ca si acest fisier este malware.

– Adresele sunt urmatoarele:
   • http://www.titanmotors.com/images/1/**********
   • http://veranmaisala.com/1/**********
   • http://wklight.nazwa.pl/1/**********
   • http://yongsan24.co.kr/1/**********
   • http://accesible.cl/1/**********
   • http://hotelesalba.com/1/**********
   • http://amdlady.com/1/**********
   • http://inca.dnetsolution.net/1/**********
   • http://www.auraura.com/1/**********
   • http://avataresgratis.com/1/**********
   • http://beyoglu.com.tr/1/**********
   • http://brandshock.com/1/**********
   • http://www.buydigital.co.kr/1/**********
   • http://camaramafra.sc.gov.br/1/**********
   • http://camposequipamentos.com.br/1/**********
   • http://cbradio.sos.pl/1/**********
   • http://c-d-c.com.au/1/**********
   • http://www.klanpl.com/1/**********
   • http://coparefrescos.stantonstreetgroup.com/1/**********
   • http://creainspire.com/1/**********
   • http://desenjoi.com.br/1/**********
   • http://www.inprofile.gr/1/**********
   • http://www.diem.cl/1/**********
   • http://www.discotecapuzzle.com/1/**********
Fisierul este stocat pe hard disc la: %WINDIR%\elist.xpt

 Registrii sistemului Urmatoarea cheie este adaugata in registri pentru a rula procesul la repornirea sistemului:

– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "drv_st_key"="%HOME%\Application Data\hidn\hidn2.exe"



Urmatoarele chei sunt adaugate in registri pentru a incarca serviciul la repornirea sistemului:

– HKLM\SYSTEM\CurrentControlSet\Services\m_hook
   • "Type"=dword:00000001
   • "Start"=dword:00000003
   • "ErrorControl"=dword:00000000
   • "ImagePath"="\??\%HOME%\Application Data\hidn\m_hook.sys"
   • "DisplayName"="Empty"

– HKLM\SYSTEM\CurrentControlSet\Services\m_hook\Security
   • "Security"=%valori hex%

– HKLM\SYSTEM\CurrentControlSet\Services\m_hook\Enum
   • "0"="Root\LEGACY_M_HOOK\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK
   • "NextInstance"=dword:00000001

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\0000
   • "Service"="m_hook"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Empty"

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\0000\Control
   • "*NewlyCreated*"=dword:00000000
     "ActiveService"="m_hook"



Se sterge urmatoarea cheie din registri, inclusiv toate valorile si cheile subordnate:
   • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot



Se adauga in registrii sistemului:

– HKCU\Software\FirstRuxzx
   • "FirstRun"=dword:00000001



Urmatoarele chei din registri sunt modificate:

– HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
   Noua valoare:
   • "Start"=dword:00000004

– HKLM\SYSTEM\CurrentControlSet\Services\Alerter
   Noua valoare:
   • "Start"=dword:00000004

– HKLM\SYSTEM\CurrentControlSet\Services\Ndisuio
   Noua valoare:
   • "Start"=dword:00000004

Dezactiveaza Windows Firewall:
– HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
   Noua valoare:
   • "Start"=dword:00000004

 Email Are un motor SMTP integrat. Va fi facuta o conexiune directa cu serverul destinatar. Iata caracteristicile lui:


De la:
Adresa este falsificata.


Catre:
– Adrese de email gasite pe sistem.
– Adrese obţinute de pe Internet.


Subiect:
Unul din urmatoarele:
   • Ales; Alice; Alyce; Andrew; Androw; Androwe; Ann; Anna; Anne; Annes;
      Anthonie; Anthony; Anthonye; Avice; Avis; Bennet; Bennett; Christean;
      Christian; Constance; Cybil; Daniel; Danyell; Dorithie; Dorothee;
      Dorothy; Edmond; Edmonde; Edmund; Edward; Edwarde; Elizabeth;
      Elizabethe; Ellen; Ellyn; Emanual; Emanuel; Emanuell; Ester; Frances;
      Francis; Fraunces; Gabriell; Geoffraie; George; Grace; Harry; Harrye;
      Henrie; Henry; Henrye; Hughe; Humphrey; Humphrie; Isabel; Isabell;
      James; Jane; Jeames; Jeffrey; Jeffrye; Joane; Johen; John; Josias;
      Judeth; Judith; Judithe; Katherine; Katheryne; Leonard; Leonarde;
      Margaret; Margarett; Margerie; Margerye; Margret; Margrett; Marie;
      Martha; Mary; Marye; Michael; Mychaell; Nathaniel; Nathaniell;
      Nathanyell; Nicholas; Nicholaus; Nycholas; Peter; Ralph; Rebecka;
      Richard; Richarde; Robert; Roberte; Roger; Rose; Rycharde; Samuell;
      Sara; Sidney; Sindony; Stephen; Susan; Susanna; Suzanna; Sybell;
      Sybyll; Syndony; Thomas; Valentyne; William; Winifred; Wynefrede;
      Wynefreed; Wynnefreede



Corpul email-ului:
– Contine cod HTML.
Corpul email-ului este unul din textele:
Uneori incepe cu:

   • I love you
     

   • To the beloved


Continuand cu una dintre urmatoarele:

   • archive password: %cateva cifre aleatoare%

   • Password - %cateva cifre aleatoare%

   • Password -- %cateva cifre aleatoare%

   • Password is %cateva cifre aleatoare%

   • Password: %cateva cifre aleatoare%

   • The password is %cateva cifre aleatoare%

   • Use password %cateva cifre aleatoare% to open archive.

   • Zip password: %cateva cifre aleatoare%


Atasament:
Numele fisierului atasat este alcatuit dupa cum urmeaza:

   • Ales
   • Alice
   • Alyce
   • Andrew
   • Androw
   • Androwe
   • Ann
   • Anna
   • Anne
   • Annes
   • Anthonie
   • Anthony
   • Anthonye
   • Avice
   • Avis
   • Bennet
   • Bennett
   • Christean
   • Christian
   • Constance
   • Cybil
   • Daniel
   • Danyell
   • Dorithie
   • Dorothee
   • Dorothy
   • Edmond
   • Edmonde
   • Edmund
   • Edward
   • Edwarde
   • Elizabeth
   • Elizabethe
   • Ellen
   • Ellyn
   • Emanual
   • Emanuel
   • Emanuell
   • Ester
   • Frances
   • Francis
   • Fraunces
   • Gabriell
   • Geoffraie
   • George
   • Grace
   • Harry
   • Harrye
   • Henrie
   • Henry
   • Henrye
   • Hughe
   • Humphrey
   • Humphrie
   • Isabel
   • Isabell
   • James
   • Jane
   • Jeames
   • Jeffrey
   • Jeffrye
   • Joane
   • Johen
   • John
   • Josias
   • Judeth
   • Judith
   • Judithe
   • Katherine
   • Katheryne
   • Leonard
   • Leonarde
   • Margaret
   • Margarett
   • Margerie
   • Margerye
   • Margret
   • Margrett
   • Marie
   • Martha
   • Mary
   • Marye
   • Michael
   • Mychaell
   • Nathaniel
   • Nathaniell
   • Nathanyell
   • Nicholas
   • Nicholaus
   • Nycholas
   • Peter
   • Ralph
   • Rebecka
   • Richard
   • Richarde
   • Robert
   • Roberte
   • Roger
   • Rose
   • Rycharde
   • Samuell
   • Sara
   • Sidney
   • Sindony
   • Stephen
   • Susan
   • Susanna
   • Suzanna
   • Sybell
   • Sybyll
   • Syndony
   • Thomas
   • Valentyne
   • William
   • Winifred
   • Wynefrede
   • Wynefreed
   • Wynnefreede

    Extensia fisierului este una din urmatoarele:
   • zip

Atasamentul este o arhiva ce contine chiar o copie malware.



Email-ul arata astfel:


 Email Adrese email colectate:
Colectează adrese de email contactând următorele site-uri:
   • http://www.titanmotors.com/images/1/**********
   • http://veranmaisala.com/1/**********
   • http://wklight.nazwa.pl/1/**********
   • http://yongsan24.co.kr/1/**********
   • http://accesible.cl/1/**********
   • http://hotelesalba.com/1/**********
   • http://amdlady.com/1/**********
   • http://inca.dnetsolution.net/1/**********
   • http://www.auraura.com/1/**********
   • http://avataresgratis.com/1/**********
   • http://beyoglu.com.tr/1/**********
   • http://brandshock.com/1/**********
   • http://www.buydigital.co.kr/1/**********
   • http://camaramafra.sc.gov.br/1/**********
   • http://camposequipamentos.com.br/1/**********
   • http://cbradio.sos.pl/1/**********
   • http://c-d-c.com.au/1/**********
   • http://www.klanpl.com/1/**********
   • http://coparefrescos.stantonstreetgroup.com/1/**********
   • http://creainspire.com/1/**********
   • http://desenjoi.com.br/1/**********
   • http://www.inprofile.gr/1/**********
   • http://www.diem.cl/1/**********
   • http://www.discotecapuzzle.com/1/**********


Rezolvarea adreselor internet:
Se poate conecta la serverul DNS:
   • 217.5.97.137

 Terminarea proceselor Incearca sa inchida urmatoarele procese si sa stearga fisierele corespunzatoare:
   • _AVP32.EXE; _AVPCC.EXE; _AVPM.EXE; a2guard.exe; aavshield.exe;
      AckWin32.exe; ADVCHK.EXE; AhnSD.exe; airdefense.exe; ALERTSVC.EXE;
      ALMon.exe; ALOGSERV.EXE; ALsvc.exe; amon.exe; Anti-Trojan.exe;
      AntiVirScheduler; AntiVirService; ANTS.EXE; APVXDWIN.EXE;
      Armor2net.exe; ashAvast.exe; ashDisp.exe; ashEnhcd.exe; ashMaiSv.exe;
      ashPopWz.exe; ashServ.exe; ashSimpl.exe; ashSkPck.exe; ashWebSv.exe;
      aswUpdSv.exe; ATCON.EXE; ATUPDATER.EXE; ATWATCH.EXE; AUPDATE.EXE;
      AUTODOWN.EXE; AUTOTRACE.EXE; AUTOUPDATE.EXE; avciman.exe;
      Avconsol.exe; AVENGINE.EXE; avgamsvr.exe; avgcc.exe; AVGCC32.EXE;
      AVGCTRL.EXE; avgemc.exe; avgfwsrv.exe; AVGNT.EXE; avgntdd; avgntmgr;
      AVGSERV.EXE; AVGUARD.EXE; avgupsvc.exe; avinitnt.exe; AvkServ.exe;
      AVKService.exe; AVKWCtl.exe; AVP.EXE; AVP32.EXE; avpcc.exe; avpm.exe;
      AVPUPD.EXE; AVSCHED32.EXE; avsynmgr.exe; AVWUPD32.EXE; AVWUPSRV.EXE;
      AVXMONITOR9X.EXE; AVXMONITORNT.EXE; AVXQUAR.EXE; BackWeb-4476822.exe;
      bdmcon.exe; bdnews.exe; bdoesrv.exe; bdss.exe; bdsubmit.exe;
      bdswitch.exe; blackd.exe; blackice.exe; cafix.exe; ccApp.exe;
      ccEvtMgr.exe; ccProxy.exe; ccSetMgr.exe; CFIAUDIT.EXE; ClamTray.exe;
      ClamWin.exe; Claw95.exe; Claw95cf.exe; cleaner.exe; cleaner3.exe;
      CliSvc.exe; CMGrdian.exe; cpd.exe; DefWatch.exe; DOORS.EXE;
      DrVirus.exe; drwadins.exe; drweb32w.exe; drwebscd.exe; DRWEBUPW.EXE;
      ESCANH95.EXE; ESCANHNT.EXE; ewidoctrl.exe;
      EzAntivirusRegistrationCheck.exe; F-AGNT95.EXE; FAMEH32.EXE; FAST.EXE;
      FCH32.EXE; FireSvc.exe; FireTray.exe; FIREWALL.EXE; fpavupdm.exe;
      F-PROT95.EXE; freshclam.exe; FRW.EXE; fsav32.exe; fsavgui.exe;
      fsbwsys.exe; F-Sched.exe; fsdfwd.exe; FSGK32.EXE; fsgk32st.exe;
      fsguiexe.exe; FSM32.EXE; FSMA32.EXE; FSMB32.EXE; fspex.exe;
      fssm32.exe; F-StopW.EXE; gcasDtServ.exe; gcasServ.exe;
      GIANTAntiSpywareMain.exe; GIANTAntiSpywareUpdater.exe; GUARD.EXE;
      GUARDGUI.EXE; GuardNT.exe; HRegMon.exe; Hrres.exe; HSockPE.exe;
      HUpdate.EXE; iamapp.exe; iamserv.exe; ICLOAD95.EXE; ICLOADNT.EXE;
      ICMON.EXE; ICSSUPPNT.EXE; ICSUPP95.EXE; ICSUPPNT.EXE; IFACE.EXE;
      INETUPD.EXE; InocIT.exe; InoRpc.exe; InoRT.exe; InoTask.exe;
      InoUpTNG.exe; IOMON98.EXE; isafe.exe; ISATRAY.EXE; ISRV95.EXE;
      ISSVC.exe; JEDI.EXE; KAV.exe; kavmm.exe; KAVPF.exe; KavPFW.exe;
      KAVStart.exe; KAVSvc.exe; KAVSvcUI.EXE; KMailMon.EXE; KPfwSvc.EXE;
      KWatch.EXE; livesrv.exe; LOCKDOWN2000.EXE; LogWatNT.exe; lpfw.exe;
      LUALL.EXE; LUCOMSERVER.EXE; Luupdate.exe; MCAGENT.EXE; mcmnhdlr.exe;
      mcregwiz.exe; Mcshield.exe; MCUPDATE.EXE; mcvsshld.exe; MINILOG.EXE;
      MONITOR.EXE; MonSysNT.exe; MOOLIVE.EXE; MpEng.exe; mpssvc.exe;
      MSMPSVC.exe; myAgtSvc.exe; myagttry.exe; navapsvc.exe; NAVAPW32.EXE;
      NavLu32.exe; NAVW32.EXE; NDD32.EXE; NeoWatchLog.exe; NeoWatchTray.exe;
      NISSERV; NISUM.EXE; NMAIN.EXE; nod32.exe; nod32krn.exe; nod32kui.exe;
      NORMIST.EXE; notstart.exe; npavtray.exe; NPFMNTOR.EXE; npfmsg.exe;
      NPROTECT.EXE; NSCHED32.EXE; NSMdtr.exe; NssServ.exe; NssTray.exe;
      ntrtscan.exe; NTXconfig.exe; NUPGRADE.EXE; NVC95.EXE; Nvcod.exe;
      Nvcte.exe; Nvcut.exe; NWService.exe; OfcPfwSvc.exe; OUTPOST.EXE;
      PAV.EXE; PavFires.exe; PavFnSvr.exe; Pavkre.exe; PavProt.exe;
      pavProxy.exe; pavprsrv.exe; pavsrv51.exe; PAVSS.EXE; pccguide.exe;
      PCCIOMON.EXE; pccntmon.exe; PCCPFW.exe; PcCtlCom.exe; PCTAV.exe;
      PERSFW.EXE; pertsk.exe; PERVAC.EXE; PNMSRV.EXE; POP3TRAP.EXE;
      POPROXY.EXE; prevsrv.exe; PsImSvc.exe; QHM32.EXE; QHONLINE.EXE;
      QHONSVC.EXE; QHPF.EXE; qhwscsvc.exe; RavMon.exe; RavTimer.exe;
      Realmon.exe; REALMON95.EXE; Rescue.exe; rfwmain.exe; Rtvscan.exe;
      RTVSCN95.EXE; RuLaunch.exe; SAVAdminService.exe; SAVMain.exe;
      savprogress.exe; SAVScan.exe; SCAN32.EXE; ScanningProcess.exe;
      sched.exe; sdhelp.exe; SERVIC~1.EXE; SHSTAT.EXE; SiteCli.exe; smc.exe;
      SNDSrvc.exe; SPBBCSvc.exe; SPHINX.EXE; spiderml.exe; spidernt.exe;
      Spiderui.exe; SpybotSD.exe; SPYXX.EXE; SS3EDIT.EXE; stopsignav.exe;
      swAgent.exe; swdoctor.exe; SWNETSUP.EXE; symlcsvc.exe;
      SymProxySvc.exe; SymSPort.exe; SymWSC.exe; SYNMGR.EXE; TAUMON.EXE;
      TBMon.exe; TC.EXE; tca.exe; TCM.EXE; TDS-3.EXE; TeaTimer.exe;
      TFAK.EXE; THAV.EXE; THSM.EXE; Tmas.exe; tmlisten.exe; Tmntsrv.exe;
      TmPfw.exe; tmproxy.exe; TNBUtil.exe; TRJSCAN.EXE; Up2Date.exe;
      UPDATE.EXE; UpdaterUI.exe; upgrepl.exe; Vba32ECM.exe; Vba32ifs.exe;
      vba32ldr.exe; Vba32PP3.exe; VBSNTW.exe; vchk.exe; vcrmon.exe;
      VetTray.exe; VirusKeeper.exe; VPTRAY.EXE; vrfwsvc.exe; VRMONNT.EXE;
      vrmonsvc.exe; vrrw32.exe; VSECOMR.EXE; Vshwin32.exe; vsmon.exe;
      vsserv.exe; VsStat.exe; WATCHDOG.EXE; WebProxy.exe; Webscanx.exe;
      WEBTRAP.EXE; WGFE95.EXE; Winaw32.exe; winroute.exe; winss.exe;
      winssnotify.exe; WRADMIN.EXE; WRCTRL.EXE; xcommsvr.exe; zatutor.exe;
      ZAUINST.EXE; zlclient.exe; zonealarm.exe


 Alte informatii Conexiune internet:
Pentru a verifica legatura la internet se conecteaza la urmatorul server DNS:
   • 217.5.97.137


Cauta o conexiune Internet, contactand urmatorul website:
   • smtp.google.com

 Tehnologie Rootkit  Este o tehnologie specifica malware. Acesta se ascunde de programele sistemului, de aplicatiile de securitate si in cele din urma, de utilizator.


Ascunde urmatoarele:
– Propriile fisiere
– Propriul proces
– Propriile chei de registru

– Urmatoarele fisiere:
   • hidires
   • hidn
   • hidn.exe
   • hidn1.exe
   • hidn2.exe
   • hidr.exe
   • hldrrr.exe
   • ldr64.dll
   • m_hook.sys
   • shared
   • wintems.exe
   • flec006.exe

– Urmatoarele directoare:
   • hidires
   • hidn
   • hidn.exe
   • hidn1.exe
   • hidn2.exe
   • hidr.exe
   • hldrrr.exe
   • ldr64.dll
   • m_hook.sys
   • shared
   • wintems.exe
   • flec006.exe


Metoda folosita:
    • Ascuns de Windows API

 Detaliile fisierului Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit un program de compresie runtime.

Die Beschreibung wurde erstellt von Ionut Slaveanu am Donnerstag, 29. Juni 2006
Die Beschreibung wurde geändert von Ionut Slaveanu am Montag, 3. Juli 2006

zurück . . . .