Vollständige Virenbeschreibung

Name:	TR/Joleee.53248
Entdeckt am:	03/11/2009
Art:	Trojan
In freier Wildbahn:	Ja
Gemeldete Infektionen:	Niedrig bis mittel
Verbreitungspotenzial:	Niedrig
Schadenspotenzial:	Niedrig bis mittel
Statische Datei:	Ja
Dateigröße:	53.248 Bytes
MD5 Prüfsumme:	5210d61c407275a8a2fe9c991a7844e9
IVDF Version:	7.01.06.185 - Dienstag, 3. November 2009

General Aliases:
   • Mcafee: W32/IRCbot.gen
   • Sophos: Mal/Generic-A
   • Panda: W32/Joleee.J.worm
   • Eset: Win32/IRCBot
   • Bitdefender: Trojan.Generic.1646652

Betriebsysteme:
   • Windows 2000
   • Windows XP
   • Windows 2003

Auswirkungen:
   • Erstellt schädliche Dateien
   • Änderung an der Registry

Dateien Eine Kopie seiner selbst wird hier erzeugt:
   • %SYSDIR%\adsldpcm.exe

Die anfänglich ausgeführte Kopie der Malware wird gelöscht.

Es wird folgende Datei erstellt:

– %SYSDIR%\1962655114.dat

Es versucht folgende Dateien auszuführen:

– Dateiname:
   • %SYSDIR%\adsldpcm.exe;240;%Verzeichnis in dem die Malware ausgeführt wurde%\%ausgeführte Datei%

– Dateiname:
   • svchost.exe "%SYSDIR%\adsldpcm.exe"

Registry Folgende Registryschlüssel werden hinzugefügt:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Navapw32.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\NAVWNT.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avgnt.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\guardgui.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\outpost.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Navapsvc.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Zanda.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KASMain.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\bdagent.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KASTask.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\caavguiscan.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\DRWEB32.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FPWin.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\guardxservice.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Security Center]
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "FirewallDisableNotify"=dword:0x00000001
   • "UpdatesDisableNotify"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\zapro.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ashDisp.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\preupd.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\scan32.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FPAVServer.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avp.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avcenter.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\fpscan.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\casecuritycenter.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FAMEH32.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAV32.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avz4.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVPF.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\bdinit.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\arcavir.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\HijackThis.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\filemon.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\regedit.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\OllyDBG.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\cmdagent.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ekrn.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SfFnUp.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\NAVW32.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avadmin.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ashUpd.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\autoruns.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ashEnhcd.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\zoneband.dll]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avz.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Vba32arkit.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\guardxup.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\caav.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVStart.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\regmon.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avp.com]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\navigator.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ArcaCheck.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\nod32.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\zonealarm.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\vba32ldr.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AvMonitor.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AVP32.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\niu.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\cfp.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avz_se.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\vsserv.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\nod32krn.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\CCenter.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\aswUpdSv.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\procexp.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\NAVNT.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\fsgk32st.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KPFW32.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\cfpupdat.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\fsav32.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Zlh.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avconsol.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\pskdr.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KPFW32X.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avconfig.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVPFW.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avcls.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\a2service.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avgrssvc.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\drwadins.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVDX.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avscan.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FSMA32.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\NAVSTUB.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ashServ.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avguard.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RegTool.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\drwebupw.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ccupdate.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Nvcc.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\GFRing3.exe]
   • "Debugger"="ntsd -d"

Folgender Registryschlüssel wird geändert:

– [HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
   Neuer Wert:
   • "DisableRawSecurity"=dword:0x00000001

Hintertür Der folgende Port wird geöffnet:

– 239.255.2**********.2********** am UDP Port 1900

Datei Einzelheiten Laufzeitpacker:
Um eine Erkennung zu erschweren und die Größe der Datei zu reduzieren wurde sie mit einem Laufzeitpacker gepackt.

Die Beschreibung wurde erstellt von Petre Galan am Mittwoch, 7. April 2010
Die Beschreibung wurde geändert von Petre Galan am Mittwoch, 7. April 2010

zurück . . . .

PC Schutz

Gratis-Produkte

Beliebteste Produkte

Alle Produkte

Bundle-Lösungen

Arbeitsplatzrechner

Server

Bundle-Lösungen

Mail Gateways

Web Gateways

Kollaborationsplattformen

Für Privatanwender

Für Unternehmen

Virenlabor

Mehr Support

Avira Partner werden

Für Privatanwender

Für Unternehmen

Sie möchten das Produkt nur testen?

Handbücher und Tools