Vollständige Virenbeschreibung

Nume:	TR/Joleee.53248
Descoperit pe data de:	03/11/2009
Tip:	Troian
ITW:	Da
Numar infectii raportate:	Scazut spre mediu
Potential de raspandire:	Scazut
Potential de distrugere:	Scazut spre mediu
Fisier static:	Da
Marime:	53.248 Bytes
MD5:	5210d61c407275a8a2fe9c991a7844e9
Versiune IVDF:	7.01.06.185 - Dienstag, 3. November 2009

General Alias:
   • Mcafee: W32/IRCbot.gen
   • Sophos: Mal/Generic-A
   • Panda: W32/Joleee.J.worm
   • Eset: Win32/IRCBot
   • Bitdefender: Trojan.Generic.1646652

Sistem de operare:
   • Windows 2000
   • Windows XP
   • Windows 2003

Efecte secundare:
   • Creeaza fisiere malware
   • Modificari in registri

Fisiere Se copiaza in urmatoarea locatie:
   • %SYSDIR%\adsldpcm.exe

Sterge copia initiala a virusului.

Este creat fisierul:

– %SYSDIR%\1962655114.dat

Incearca sa execute urmatoarele fisiere:

– Numele fisierului:
   • %SYSDIR%\adsldpcm.exe;240;%directorul de activare malware%\%fisier executat%

– Numele fisierului:
   • svchost.exe "%SYSDIR%\adsldpcm.exe"

Registrii sistemului Urmatoarele chei sunt adaugate in registrii sistemului:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Navapw32.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\NAVWNT.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avgnt.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\guardgui.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\outpost.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Navapsvc.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Zanda.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KASMain.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\bdagent.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KASTask.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\caavguiscan.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\DRWEB32.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FPWin.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\guardxservice.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Security Center]
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "FirewallDisableNotify"=dword:0x00000001
   • "UpdatesDisableNotify"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\zapro.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ashDisp.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\preupd.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\scan32.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FPAVServer.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avp.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avcenter.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\fpscan.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\casecuritycenter.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FAMEH32.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAV32.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avz4.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVPF.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\bdinit.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\arcavir.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\HijackThis.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\filemon.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\regedit.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\OllyDBG.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\cmdagent.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ekrn.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SfFnUp.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\NAVW32.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avadmin.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ashUpd.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\autoruns.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ashEnhcd.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\zoneband.dll]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avz.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Vba32arkit.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\guardxup.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\caav.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVStart.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\regmon.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avp.com]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\navigator.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ArcaCheck.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\nod32.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\zonealarm.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\vba32ldr.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AvMonitor.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AVP32.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\niu.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\cfp.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avz_se.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\vsserv.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\nod32krn.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\CCenter.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\aswUpdSv.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\procexp.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\NAVNT.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\fsgk32st.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KPFW32.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\cfpupdat.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\fsav32.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Zlh.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avconsol.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\pskdr.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KPFW32X.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avconfig.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVPFW.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avcls.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\a2service.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avgrssvc.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\drwadins.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVDX.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avscan.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FSMA32.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\NAVSTUB.EXE]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ashServ.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avguard.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RegTool.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\drwebupw.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ccupdate.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Nvcc.exe]
   • "Debugger"="ntsd -d"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\GFRing3.exe]
   • "Debugger"="ntsd -d"

Urmatoarea cheie din registri este modificata:

– [HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
   Noua valoare:
   • "DisableRawSecurity"=dword:0x00000001

Backdoor Deschide portul

– 239.255.2**********.2********** pe portul UDP 1900

Detaliile fisierului Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit un program de compresie runtime.

Die Beschreibung wurde erstellt von Petre Galan am Mittwoch, 7. April 2010
Die Beschreibung wurde geändert von Petre Galan am Mittwoch, 7. April 2010

zurück . . . .

PC Schutz

Gratis-Produkte

Beliebteste Produkte

Alle Produkte

Bundle-Lösungen

Arbeitsplatzrechner

Server

Bundle-Lösungen

Mail Gateways

Web Gateways

Kollaborationsplattformen

Für Privatanwender

Für Unternehmen

Virenlabor

Mehr Support

Avira Partner werden

Für Privatanwender

Für Unternehmen

Sie möchten das Produkt nur testen?

Handbücher und Tools