Name: TR/VB.Inject.61441.DA
Discovered on: 12/03/2010
Type: Trojan
ITW: Yes
Number of reported infections: Low to medium
Spread potential: Medium
Damage potential: Medium
Static file: Yes
Size: 61,441 bytes
MD5: 7cc9b28b3279b99fbf294180df9e4ecd
IVDF version: 7.10.05.64 - Friday, 12 March 2010

General
Method of propagation:
   • Autorun function
   • Local network
   • Messenger


Aliases:
   •  Mcafee: W32/IRCbot virus
   •  Sophos: Mal/VBInject-D
   •  Panda: Trj/Kreeper.H
   •  Eset: Win32/AutoRun.KS
   •  Bitdefender: Trojan.Generic.3546827


Operating systems:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malware file
   • Creates malware files
   • Registry changes
   • Possibility of unauthorized access to the computer

Files
It copies itself to the following locations:
   • %drive%\%CLSID%\Mars1.exe
   • %drive%\%computer name%\%computer name%\%computer name%x1.exe



The following files are created:

%drive%\%computer name%\%computer name%\Desktop.ini
%drive%\autorun.inf This is a plain text file that is not harmful by itself and has the following content:
   • %code that runs the malicious file%




It attempts to download a file:

– The address is the following:
   • http://1.img-myspace.info/net/**********

System registry
The following key is added to the registry so that the process runs again after a system restart:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "InternetServics1"="C:\%CLSID%\Mars1.exe"

Messenger
It spreads via instant messengers. The characteristics are:

– MSN Messenger
– Yahoo Messenger

The URL points to a copy of the malware described here. If the user downloads and executes this file, the infection process starts again.

Network
To ensure its propagation, the malware attempts to contact other systems, as described below:


Exploit:
It uses the following vulnerabilities:
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnerability in Server Service)

IRC
To send information and to be controlled, it connects to the following IRC servers:

Server: march.psy**********.cz
Port: 4949
Nick: VirUs-hlrjbr

Server: march.bot**********.info
Port: 4949
Nick: VirUs-hlrjbr

Hosts file
The file:

– Access to the following domains is redirected to other destinations:

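A defender-side audit for the hosts-file tampering described above, added here as an example and not part of the original description: it parses hosts-file text and flags any entry naming a security-vendor domain, distinguishing entries that sinkhole the site (loopback or 0.0.0.0) from entries that divert it to another address. The sample hosts content is constructed, and the watched-domain list is a small subset of the domains named on this page.

```python
"""Flag hosts-file entries that hijack security-vendor domains.

On a clean machine none of the watched domains should appear in the hosts
file at all, so every match is worth reporting together with its target.
"""
import ipaddress
from typing import List, NamedTuple, Set

# Subset of the domains listed in the description above.
WATCHED_DOMAINS: Set[str] = {
    "www.virustotal.com", "www.kaspersky.com", "download.microsoft.com",
    "www.bleepingcomputer.com", "www.symantec.com", "www.mcafee.com",
    "www.sophos.com", "www.avira.com", "www.eset.com", "www.avast.com",
}


class HostsHit(NamedTuple):
    line_no: int
    hostname: str
    address: str
    kind: str  # "sinkholed" (site blocked) or "redirected" (site diverted)


def classify(address: str) -> str:
    """Loopback or unspecified targets block the site; anything else diverts it."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:  # not a valid IP literal: still a diversion of the name
        return "redirected"
    return "sinkholed" if ip.is_loopback or ip.is_unspecified else "redirected"


def find_hijacked_entries(hosts_text: str, watched: Set[str] = WATCHED_DOMAINS) -> List[HostsHit]:
    """Return every hosts entry whose hostname is in the watched set."""
    watched_lc = {d.lower() for d in watched}
    hits: List[HostsHit] = []
    for n, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()  # hosts files allow spaces or tabs as separators
        address, names = parts[0], parts[1:]
        for name in names:  # one address may carry several hostnames
            if name.lower() in watched_lc:
                hits.append(HostsHit(n, name.lower(), address, classify(address)))
    return hits


# Constructed sample: normal entries plus three hijacking lines.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.virustotal.com      # sinkholed
0.0.0.0 www.kaspersky.com
10.0.0.5\tdownload.microsoft.com\tWWW.SYMANTEC.COM
192.168.1.20    intranet.example.local
"""

if __name__ == "__main__":
    for hit in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {hit.line_no}: {hit.hostname} -> {hit.address} ({hit.kind})")
```

On a live Windows system the same function can be run over the contents of %SystemRoot%\System32\drivers\etc\hosts.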

Process termination
List of terminated processes:


Injection of malicious code into other processes
– It injects itself as a remote thread into a process.

   Process name:
   • explorer.exe


File details
Programming language:
Programming language used: Visual Basic.


File compression:
To hinder detection and reduce the file size, a runtime packer is used.

The description was created by Petre Galan on Thursday, 6 May 2010
The description was modified by Petre Galan on Thursday, 6 May 2010
