Name: TR/Vundo.GJ
Discovered on: 22/04/2008
Type: Trojan
In the wild (ITW): No
Number of reported infections: Low
Spreading potential: Low
Damage potential: Medium
Static file: Yes
Size: 39,936 bytes
MD5: cae29e9c911460048ce400648af77e34
IVDF version: 7.00.03.199 - Tuesday, 22 April 2008

General
Spreading method:
• Has no spreading routine of its own
Aliases:
• McAfee: Vundo trojan
• Kaspersky: not-a-virus:AdWare.Win32.Virtumonde.qpf
• Eset: Win32/Adware.Virtumonde application
• Bitdefender: Trojan.Vundo.EIK
Operating systems:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Terminates security applications
• Registry modifications
• Possibility of unauthorized access to the computer

System registry
The following keys are added to the system registry:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\%malware dll%]
• "Asynchronous"=dword:00000001
• "DllName"="%malware dll%"
• "Impersonate"=dword:00000000
• "Logon"="o"
• "Logoff"="f"
– [HKLM\SOFTWARE\Microsoft\d8813c90]
• @="819C098AB2CE4E24876D1D52A06FBEFD&"
– [HKCR\CLSID\{%generated CLSID%}\InprocServer32]
• @="%malware launch directory%\%malware dll%"
• "ThreadingModel"="Both"

Process termination
List of terminated processes:
• VBA32LDR.EXE; ccSetMgr.exe; ccEvtMgr.exe; Rtvscan.exe; VPtray.exe; SDtrayApp.exe; swdsvc.exe; svcntaux.exe; SpySweeperUI.exe; SpySweeper.exe; SAVAdminService.exe; ALsvc.exe; ALMon.exe; CCSVCHST.exe; npfsvc32.exe; nvcshed.exe; nvoy.exe; nprosec.exe; egui.exe; ekrn.exe; nod32krn.exe; nod32kui.exe; winssUI.exe; winssintro.exe; winssnotify.exe; winss.exe; mcvsescn.exe; mcvsshld.exe; mcagent.exe; mcvsrte.exe; Mcshield.exe; UdaterUI.exe; Mctray.exe; AVP.exe; FSAV32.exe; fssm32.exe; FSGK32.exe; fsgk32st.exe; spiderml.exe; drwebscd.exe; spidernt.exe; vsserv.exe; BDSS.exe; livesrv.exe; XCOMMSVR.EXE; avgemc.exe; avgcc.exe; avgamsvr.exe; avgupsvc.exe; ashWebSv.exe; ashDisp.exe; ashServ.exe; aswUpdSv.exe; AVGNT.EXE; AVWEBGRD.EXE; AVESVC.EXE; AVFWSVC.EXE; AVGUARD.EXE; BEDVavguard.exe; avgnt.exe; aawservice.exe; AD-AWARE.EXE; GCASSERVALERT.EXE

Backdoor
Contacted servers: One of:
• http://82.98.235.70**********
• http://65.243.103.80**********
In this way information can be transmitted and remote control can be obtained.
Remote control capabilities:
• file download

File details
File compression: To hinder detection and reduce the file size, a runtime packer is used.
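As an added example (not part of the Avira description), a small Python audit of a Winlogon\Notify registry export that flags packages resembling the entry listed above: a DllName that is not in a clean-build baseline, an absolute DllName path, or Asynchronous=1. The baseline names, the sample export and the package name qrstuvwx standing in for %malware dll% are all constructed.

```python
# Audit Winlogon\Notify packages from a .reg export (constructed sample below).
NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\"
                 "CurrentVersion\\Winlogon\\Notify\\")

# Assumption: DLL names collected from a known-clean build of the same OS.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                 "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}

# Constructed export: one legitimate-looking package and one shaped like the
# description's entry ("Asynchronous"=1, "Logon"="o", "Logoff"="f").
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qrstuvwx]
"Asynchronous"=dword:00000001
"DllName"="qrstuvwx.dll"
"Impersonate"=dword:00000000
"Logon"="o"
"Logoff"="f"
"""

def parse_reg(text):
    """Parse [key] headers and "name"=value lines into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line.partition("=")
            value = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
            keys[current][name.strip('"')] = value
    return keys

def audit_notify(keys):
    """Return {package: [reasons]} for Notify packages that deserve a look."""
    findings = {}
    for path, values in keys.items():
        if not path.startswith(NOTIFY_PREFIX):
            continue
        dll = values.get("DllName", "")
        reasons = []
        if "\\" in dll:  # assumption: clean packages use bare names resolved from System32
            reasons.append("DllName is an absolute path: " + dll)
        elif dll.lower() not in BASELINE_DLLS:
            reasons.append("DllName not in clean baseline: " + dll)
        if values.get("Asynchronous") == 1:
            reasons.append("Asynchronous=1, as in the entry this description lists")
        if reasons:
            findings[path[len(NOTIFY_PREFIX):]] = reasons
    return findings
```

Run it against a real export with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` and feed the file to `parse_reg`; a finding is a lead to verify against the OS baseline, not a verdict by itself.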
The description was created by Thomas Wegele on Wednesday, 7 May 2008. The description was modified by Thomas Wegele on Wednesday, 7 May 2008.