Vollständige Virenbeschreibung

Nume:	BDS/Mirc-based.K.5
Descoperit pe data de:	23/12/2008
Tip:	Backdoor Server
ITW:	Da
Numar infectii raportate:	Scazut spre mediu
Potential de raspandire:	Mediu spre ridicat
Potential de distrugere:	Mediu spre ridicat
Fisier static:	Da
Marime:	782.336 Bytes
MD5:	375306f0f224df1542b0343d5756b8a5
Versiune IVDF:	7.01.01.27 - Dienstag, 23. Dezember 2008

General Metoda de raspandire:
   • Infecteaza fisiere

Alias:
   • Mcafee: W32/Virut.gen
   • Sophos: W32/Vetor-A
   • Panda: W32/Virutas.gen
   • Eset: Win32/Virut.Q
   • Bitdefender: IRC-Worm.Generic.4269

Sistem de operare:
   • Windows 2000
   • Windows XP
   • Windows 2003

Efecte secundare:
   • Creeaza fisiere malware
   • Infecteaza fisiere
   • Reduce setarile de securitate
   • Modificari in registri
   • Posibilitatea accesului neautorizat la computer

Fisiere Sunt create fisierele:

– %PROGRAM FILES%\mIRC\IRC Bot\control.ini
– %PROGRAM FILES%\mIRC\IRC Bot\remote.ini
– %PROGRAM FILES%\mIRC\IRC Bot\svchost.exe
– %PROGRAM FILES%\mIRC\IRC Bot\Anjing_Malingsia.sys
– %PROGRAM FILES%\mIRC\IRC Bot\Stupid.sys
– %PROGRAM FILES%\Microsoft Office
– %PROGRAM FILES%\mIRC\IRC Bot\fuck.sys
– %PROGRAM FILES%\mIRC\IRC Bot\kontol.mrc
– %PROGRAM FILES%\mIRC\IRC Bot\perampok_budaya.sys
– %PROGRAM FILES%\mIRC\IRC Bot\Nama_Anjing.sys
– %PROGRAM FILES%\mIRC\IRC Bot\Channel_Babi.sys
– %PROGRAM FILES%\mIRC\IRC Bot\Nama_Babi.sys
– %PROGRAM FILES%\mIRC\IRC Bot\Asshole.sys

Registrii sistemului Una din urmatoarele valori este adaugata in registri pentru pornirea automata a procesului dupa reboot:

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Shell"="Explorer.exe, %PROGRAM FILES%\Microsoft Office\WINWORD.EXE"

Urmatoarele chei sunt adaugate in registrii sistemului:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Acha.exe]
   • "Debugger"="cmd.exe /c del"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\wscript.exe]
   • "Debugger"="rundll32.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AmyMastura.exe]
   • "Debugger"="cmd.exe /c del"

– [HKLM\SOFTWARE\Microsoft\Security Center]
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "AntiVirusOverride"=dword:0x00000001
   • "FirewallDisableNotify"=dword:0x00000001
   • "FirewallOverride"=dword:0x00000001
   • "FirstRunDisabled"=dword:0x00000001
   • "UpdatesDisableNotify"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\registry.exe]
   • "Debugger"="cmd.exe /c del"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\csrsz.exe]
   • "Debugger"="cmd.exe /c del"

Urmatoarele chei din registri sunt modificate:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   Noua valoare:
   • "EnableLUA"=dword:0x00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Noua valoare:
   • "ShowSuperHidden"=dword:0x00000000
   • "SuperHidden"=dword:0x00000000

– [HKLM\SOFTWARE\Classes\exefile]
   Noua valoare:
   • "NeverShowExt"=""

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   Noua valoare:
   • "CheckedValue"=dword:0x00000000
   • "DefaultValue"=dword:0x00000000
   • "UncheckedValue"=dword:0x00000000

– [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
   Noua valoare:
   • "Start"=dword:0x00000004
   • "Type"=dword:0x00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Noua valoare:
   • "Start"=dword:0x00000004
   • "Type"=dword:0x00000004

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   Noua valoare:
   • "load"=""

– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
   Noua valoare:
   • "Start"=dword:0x00000004
   • "Type"=dword:0x00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\WinDefend]
   Noua valoare:
   • "Start"=dword:0x00000004
   • "Type"=dword:0x00000004

Infectie de fisiere Tip de infector:

Appender - Codul virusului este adaugat la sfarsitul fisierului infectat.
– Codul virusului este introdus in ultima sectiune a fisierului infectat.

Evitarea detectiei:

Polimorfism - Intregul cod viral se schimba la fiecare infectie. Virusul contine un motor polimorfic.

Metoda:

Virusul cauta in mod activ fisiere pe care sa le infecteze apoi isi termina executia.

Virusul ramane activ in memorie in timp ce infecteaza fisiere.

Dimensiunea codului malitios adaugat:

- 11.264 Bytes

Urmatorul fisier este infectat:

Dupa tipul fisierelor:
• .exe

IRC Pentru a trimite informatii si pentru a fi controlat se conecteaza la serverele IRC:

Server: proxim.irc**********.pl
Port: 80
Canal: &virtu
Nick: %combinatie de caractere aleatoare%

Server: srv201.cy**********.name
Port: 80
Canal: &virtu
Nick: %combinatie de caractere aleatoare%

Server: 60.190.2**********.1**********
Port: 80
Canal: &virtu
Nick: %combinatie de caractere aleatoare%

Injectarea codului malware in alte procese – Se injecteaza ca un thread remote intr-un proces.

    Numele procesului:
   • winlogon.exe

– Injecteaza o rutina backdoor intr-un proces.

    Numele procesului:
   • %toate procesele active%

Tehnologie Rootkit Se ataseaza la urmatoarele functii API:
   • NtCreateFile
   • NtOpenFile
   • NtCreateProcess
   • NtCreateProcessEx

Die Beschreibung wurde erstellt von Petre Galan am Montag, 22. März 2010
Die Beschreibung wurde geändert von Petre Galan am Mittwoch, 24. März 2010

zurück . . . .

PC Schutz

Gratis-Produkte

Beliebteste Produkte

Alle Produkte

Bundle-Lösungen

Arbeitsplatzrechner

Server

Bundle-Lösungen

Mail Gateways

Web Gateways

Kollaborationsplattformen

Für Privatanwender

Für Unternehmen

Virenlabor

Mehr Support

Avira Partner werden

Für Privatanwender

Für Unternehmen

Sie möchten das Produkt nur testen?

Handbücher und Tools