Name: Worm/Autorun.hde
Discovered on: 23/04/2010
Type: Worm
In the wild: Yes
Reported infections: Low to medium
Distribution potential: Medium
Damage potential: Medium
Static file: Yes
File size: 208,896 bytes
MD5 checksum: 5224bc60f8a486d895ff584d647897e7
IVDF version: 7.10.06.196 - Friday, 23 April 2010

General
Methods of propagation:
   • Autorun files
   • Local network
   • Messenger


Aliases:
   •  Sophos: W32/Autorun-BDA
   •  Panda: W32/Autorun.JXD
   •  Bitdefender: Backdoor.Tofsee.CF


Operating systems:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Creates malicious files
   • Lowers security settings
   • Registry modification
   • Enables unauthorized access to the computer

Files
It copies itself to the following locations:
   • %SYSDIR%\winupd01.exe
   • %DRIVE%\scan.com



The following file is overwritten:
%SYSDIR%\drivers\etc\hosts



The following file is created:

%DRIVE%\autorun.inf This is a non-malicious text file with the following content:
   • %code that starts the malware%




It attempts to download the following files:

– The URL is the following:
   • http://upd.everapo.ru/**********


– The URL is the following:
   • http://prs.everapo.ru/**********




It attempts to run the following commands, which flush the DNS cache and then stop, disable (start= disabled) and delete the services of installed security products:
   • ipconfig /flushdns
   • sc delete acssrv
   • net stop SAVService
   • sc stop SAVService
   • net1 stop SAVService
   • sc config SavService start= disabled
   • sc delete SAVService
   • net stop SAVAdminService
   • sc stop SAVAdminService
   • sc config SAVAdminService start= disabled
   • net1 stop SAVAdminService
   • sc delete K7TSMngr
   • sc delete SAVAdminService
   • net stop "Sophos AutoUpdate Service"
   • sc stop "Sophos AutoUpdate Service"
   • sc config "Sophos AutoUpdate Service" start= disabled
   • net1 stop "Sophos AutoUpdate Service"
   • sc delete "Sophos AutoUpdate Service"
   • net stop "Sophos Client Firewall"
   • sc stop "Sophos Client Firewall"
   • net1 stop "Sophos Client Firewall"
   • sc config "Sophos Client Firewall" start= disabled
   • net stop "avast! Antivirus"
   • sc delete "Sophos Client Firewall"
   • net stop "Sophos Client Firewall Manager"
   • sc stop "Sophos Client Firewall Manager"
   • net1 stop "Sophos Client Firewall Manager"
   • sc config "Sophos Client Firewall Manager" start= disabled
   • sc delete "Sophos Client Firewall Manager"
   • sc stop "avast! Antivirus"
   • sc config "avast! Antivirus" start= disabled
   • net1 stop "avast! Antivirus"
   • sc delete "avast! Antivirus"
   • net stop AntiVirService
   • sc stop AntiVirService
   • net1 stop AntiVirService
   • sc config AntiVirService start= disabled
   • sc stop K7RTScan
   • sc delete AntiVirService
   • net stop PASRV
   • sc stop PASRV
   • sc config PASRV start= disabled
   • net1 stop PASRV
   • sc delete PASRV
   • net stop VSSERV
   • sc stop VSSERV
   • sc config VSSERV start= disabled
   • net1 stop VSSERV
   • net stop K7RTScan
   • sc delete VSSERV
   • net stop avg8wd
   • sc stop avg8wd
   • net1 stop avg8wd
   • sc config avg8wd start= disabled
   • sc delete avg8wd
   • net stop avg9wd
   • sc stop avg9wd
   • sc config avg9wd start= disabled
   • net1 stop avg9wd
   • sc config K7RTScan start= disabled
   • sc delete avg9wd
   • net stop NOD32krn
   • sc stop NOD32krn
   • net1 stop NOD32krn
   • sc config NOD32krn start= disabled
   • sc delete NOD32krn
   • net stop ekrn
   • sc stop ekrn
   • net1 stop ekrn
   • sc config ekrn start= disabled
   • sc delete K7RTScan
   • sc delete ekrn
   • net stop McShield
   • sc stop McShield
   • sc config McShield start= disabled
   • net1 stop McShield
   • sc delete McShield
   • net stop OutpostFirewall
   • sc stop OutpostFirewall
   • sc config OutpostFirewall start= disabled
   • net1 stop OutpostFirewall
   • net1 stop K7RTScan
   • sc delete OutpostFirewall
   • net stop TmPfw
   • sc stop TmPfw
   • net1 stop TmPfw
   • sc config TmPfw start= disabled
   • sc delete TmPfw
   • net stop KPF4
   • sc stop KPF4
   • net1 stop KPF4
   • sc config KPF4 start= disabled
   • net stop K7TSMngr
   • sc delete KPF4
   • net stop SmcService
   • sc stop SmcService
   • net1 stop SmcService
   • sc config SmcService start= disabled
   • sc delete SmcService
   • net stop cmdAgent
   • sc stop cmdAgent
   • net1 stop cmdAgent
   • sc config cmdAgent start= disabled
   • sc stop K7TSMngr
   • sc delete cmdAgent
   • net stop vsmon
   • sc stop vsmon
   • sc config vsmon start= disabled
   • net1 stop vsmon
   • sc delete vsmon
   • net stop SbPF.Launcher
   • sc stop SbPF.Launcher
   • net1 stop SbPF.Launcher
   • sc config SbPF.Launcher start= disabled
   • sc config K7TSMngr start= disabled
   • sc delete SbPF.Launcher
   • net stop SPF4
   • sc stop SPF4
   • sc config SPF4 start= disabled
   • net1 stop SPF4
   • sc delete SPF4
   • net stop acssrv
   • sc stop acssrv
   • sc config acssrv start= disabled
   • net1 stop acssrv
   • net1 stop K7TSMngr
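The sequence above (sc stop / sc delete / sc config ... start= disabled and net or net1 stop against a fixed list of security services) is a strong signal in process-creation telemetry such as Sysmon event 1 or Security event 4688 with command-line auditing. The Python below is an added example, not Avira's or the worm's code: it parses Windows command lines, maps each to a tampering action and target service, and alerts per host only when several distinct services from the list above are hit, which separates an administrator stopping one product from a mass kill. SECURITY_SERVICES is taken from the commands above; SAMPLE_EVENTS and the parent image paths are constructed.

```python
"""Detect the anti-virus service-tampering pattern listed above in
process-creation telemetry.  Added example (not Avira's or the worm's code);
SECURITY_SERVICES is taken from the command list above, SAMPLE_EVENTS is
constructed."""
import shlex
from collections import defaultdict

SECURITY_SERVICES = {s.lower() for s in (
    "SAVService", "SAVAdminService", "Sophos AutoUpdate Service",
    "Sophos Client Firewall", "Sophos Client Firewall Manager",
    "avast! Antivirus", "AntiVirService", "PASRV", "VSSERV", "avg8wd",
    "avg9wd", "NOD32krn", "ekrn", "McShield", "OutpostFirewall", "TmPfw",
    "KPF4", "SmcService", "cmdAgent", "vsmon", "SbPF.Launcher", "SPF4",
    "acssrv", "K7RTScan", "K7TSMngr",
)}


def tokenize(cmdline):
    """Split a Windows command line: double quotes group words, backslashes
    are ordinary characters (paths), single quotes are not special."""
    lex = shlex.shlex(cmdline, posix=True)
    lex.whitespace_split = True
    lex.quotes = '"'
    lex.escape = ""
    lex.commenters = ""
    return list(lex)


def image_name(token):
    """Bare program name: strip directory and a trailing .exe, lower-case."""
    name = token.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(cmdline):
    """Return (action, service) for a service-tampering command, else None.
    Recognised: sc stop|delete <svc>, sc config <svc> ... start= disabled,
    net/net1 stop <svc>."""
    try:
        tok = tokenize(cmdline)
    except ValueError:          # unbalanced quote
        return None
    if len(tok) < 3:
        return None
    tool, verb, target = image_name(tok[0]), tok[1].lower(), tok[2]
    if tool == "sc" and verb in ("stop", "delete"):
        return (f"sc {verb}", target)
    if tool == "sc" and verb == "config":
        rest = " ".join(t.lower() for t in tok[3:])
        if "start= disabled" in rest or "start=disabled" in rest:
            return ("sc config start=disabled", target)
        return None
    if tool in ("net", "net1") and verb == "stop":
        return ("net stop", target)
    return None


def find_tampering(events, min_services=3):
    """events: iterable of (host, parent_image, command_line).  Returns
    {host: {"services": [...], "parents": [...]}} for hosts where at least
    min_services distinct security services were targeted; the parent
    images tell the responder which binary to collect."""
    per_host = defaultdict(lambda: {"services": set(), "parents": set()})
    for host, parent, cmd in events:
        hit = classify(cmd)
        if hit and hit[1].lower() in SECURITY_SERVICES:
            per_host[host]["services"].add(hit[1].lower())
            per_host[host]["parents"].add(parent)
    return {h: {"services": sorted(d["services"]), "parents": sorted(d["parents"])}
            for h, d in per_host.items() if len(d["services"]) >= min_services}


# Constructed process-creation events (host, parent image, command line).
SAMPLE_EVENTS = [
    ("WS01", r"C:\WINDOWS\system32\winupd01.exe", "ipconfig /flushdns"),
    ("WS01", r"C:\WINDOWS\system32\winupd01.exe", "net stop SAVService"),
    ("WS01", r"C:\WINDOWS\system32\winupd01.exe", "sc config SavService start= disabled"),
    ("WS01", r"C:\WINDOWS\system32\winupd01.exe", 'sc stop "Sophos AutoUpdate Service"'),
    ("WS01", r"C:\WINDOWS\system32\winupd01.exe", 'sc delete "avast! Antivirus"'),
    ("WS01", r"C:\WINDOWS\system32\winupd01.exe", "net1 stop K7TSMngr"),
    ("WS02", r"C:\WINDOWS\system32\cmd.exe", "sc stop wuauserv"),        # not a security product
    ("WS02", r"C:\WINDOWS\system32\cmd.exe", "net stop McShield /y"),    # one product: below threshold
]
```

Feed it tuples built from your own telemetry (host, ParentImage, CommandLine) and lower `min_services` if you want single-product tampering surfaced too; the service list should be extended with the service names of whatever products your estate actually runs.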

Registry
The following registry key is added in order to run the process after a system restart:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "ctfmon.exe"="ctfmon.exe"

Note that this value only launches the legitimate ctfmon.exe by name. The Image File Execution Options "Debugger" entry listed further down makes Windows start winupd01.exe instead whenever ctfmon.exe is launched, so the autostart entry looks harmless while still starting the worm.



All values of the following registry keys and all their subkeys are deleted (these lists define what is loaded in Safe Mode, so the system can no longer be booted into Safe Mode for cleanup):
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]



In order to bypass the Windows XP firewall the following entries are created:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\winupd01.exe"="%SYSDIR%\winupd01.exe:*:Enabled:DHCP Router"

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\DomainProfile\AuthorizedApplications\List]
   • "%SYSDIR%\winupd01.exe"="%SYSDIR%\winupd01.exe:*:Enabled:DHCP Router"



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Security Center]
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "AntiVirusOverride"=dword:0x00000001
   • "FirewallDisableNotify"=dword:0x00000001
   • "FirewallOverride"=dword:0x00000001

– [HKLM\SOFTWARE\Policies\Microsoft\MRT]
   • "DontReportInfectionInformation"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ctfmon.exe]
   • "Debugger"="winupd01.exe"

– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   • "DisableConfig"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\
   Layers]
   • "%SYSDIR%\winupd01.exe"="DisableNXShowUI"



The following registry keys are changed:

– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
   New value:
   • "Start"=dword:0x00000004

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   New value:
   • "CheckedValue"=dword:0x00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "Hidden"=dword:0x00000002
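The registry entries above combine persistence (the Run value plus the Image File Execution Options Debugger that redirects every launch of ctfmon.exe to winupd01.exe), defence evasion (Security Center overrides, the wscsvc service disabled, MRT reporting and System Restore configuration switched off, a firewall exception, a DEP opt-out layer) and anti-recovery (emptied SafeBoot lists). The Python below is an added example, not Avira's tooling: it parses a `reg export` text dump and reports each of those indicators, so it can be run offline against a snapshot pulled from a suspect host. SAMPLE_REG is a constructed export that mirrors the entries listed above; the indicator names are my own.

```python
"""Check a 'reg export' snapshot for the persistence and defence-evasion
entries listed above.  Added example, not Avira's tooling; SAMPLE_REG is
constructed to mirror the described modifications."""
import re

_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse .reg export text into {key.lower(): {name: value}}.  dword data
    becomes int, string data is unescaped, anything else stays as raw text."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            key = key.replace("hkey_local_machine", "hklm", 1).replace("hkey_current_user", "hkcu", 1)
            reg.setdefault(key, {})
            continue
        m = _VALUE.match(line)
        if not m or key is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "@"
        data = m.group(2)
        if data.lower().startswith("dword:"):
            reg[key][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            reg[key][name] = _unescape(data[1:-1])
        else:
            reg[key][name] = data
    return reg


def _has_subkeys(reg, key):
    prefix = key.lower() + "\\"
    return any(k.startswith(prefix) for k in reg)


def check_snapshot(reg):
    """Return (indicator, detail) pairs for every entry matching the description."""
    v = lambda key: reg.get(key.lower(), {})
    f = []
    # A Run value naming a bare image whose IFEO key carries a Debugger: the
    # autostart reads as ctfmon.exe but Windows launches the Debugger instead.
    for name, data in v(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run").items():
        image = str(data).strip('"').rsplit("\\", 1)[-1].lower()
        dbg = v(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" + "\\" + image).get("Debugger")
        if dbg:
            f.append(("ifeo_debugger_hijack", f"Run '{name}' -> {image} redirected to {dbg}"))
    for val in ("AntiVirusDisableNotify", "AntiVirusOverride", "FirewallDisableNotify", "FirewallOverride"):
        if v(r"HKLM\SOFTWARE\Microsoft\Security Center").get(val) == 1:
            f.append(("security_center_override", val))
    if v(r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc").get("Start") == 4:
        f.append(("security_center_service_disabled", "wscsvc Start=4"))
    if v(r"HKLM\SOFTWARE\Policies\Microsoft\MRT").get("DontReportInfectionInformation") == 1:
        f.append(("mrt_reporting_disabled", "DontReportInfectionInformation=1"))
    if v(r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore").get("DisableConfig") == 1:
        f.append(("system_restore_config_disabled", "DisableConfig=1"))
    # SafeBoot lists present but without subkeys: Safe Mode can no longer boot.
    for prof in ("Minimal", "Network"):
        key = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot" + "\\" + prof
        if key.lower() in reg and not _has_subkeys(reg, key):
            f.append(("safeboot_emptied", prof))
    for prof in ("StandardProfile", "DomainProfile"):
        key = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy" + "\\" + prof + r"\AuthorizedApplications\List"
        for path, rule in v(key).items():
            if ":*:enabled:" in str(rule).lower() and "\\system32\\" in path.lower():
                f.append(("firewall_exception_system32", f"{prof}: {path}"))
    for path, layer in v(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers").items():
        if "disablenx" in str(layer).lower():
            f.append(("dep_opt_out", path))
    return f


# Constructed sample mirroring the entries described above (not a real export).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="winupd01.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
"DontReportInfectionInformation"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\winupd01.exe"="C:\\WINDOWS\\system32\\winupd01.exe:*:Enabled:DHCP Router"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\WINDOWS\\system32\\winupd01.exe"="DisableNXShowUI"
'''
```

On a live host, `reg export HKLM hklm.reg /y` produces the input (it is UTF-16; decode before parsing). On a clean XP system the SafeBoot keys hold dozens of subkeys, so the "present but empty" test is what distinguishes sabotage from an export that simply did not include those keys.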

Messenger
It spreads via messenger. The characteristics are as follows:

– MSN Messenger
– Yahoo Messenger

The URL points to a copy of the described malware. If the user downloads and runs the file, the infection process starts again.

Infection via the network
In order to ensure its propagation the malware attempts to connect to other machines as described below.


Exploit:
It makes use of the following exploits:
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnerability in Server Service)


IP address generation:
It generates random IP addresses while keeping the first two octets of its own address, i.e. it scans its own /16. It then attempts to establish a connection with the generated addresses.

IRC
In order to deliver system information and to provide remote control it connects to the following IRC server:

Server: husn.kad**********.ru
Port: 7575
Channel: #hurt#
Nickname: N|USA|H1|0|XP|%number%

Hosts
The hosts file is modified as follows:

– In this case the existing entries are deleted.

– Access to the following domains is redirected to other destinations:
   • msnfix.changelog.fr; www.incodesolutions.com; virusinfo.prevx.com;
      download.bleepingcomputer.com; www.dazhizhu.cn; foro.noticias3d.com;
      www.spybotupdates.com; club.myce.com; www.k7computing.com;
      softwaresecuritysolutions.com; www.nabble.com; lurker.clamav.net;
      lexikon.ikarus.at; research.sunbelt-software.com; www.virusdoctor.jp;
      www.elitepvpers.de; guru.avg.com; downloads.sophos.com;
      share.skype.com; myantispyware.com; www.computerhilfen.de;
      www.superuser.co.kr; ntfaq.co.kr; v.dreamwiz.com; cit.kookmin.ac.kr;
      forums.whatthetech.com; forum.hijackthis.de; avg.vo.llnwd.net;
      ftp.drweb.com; www.zonealarm.com; smadaver.com; support.emsisoft.com;
      psychoski.blogspot.com; www.huaifai.go.th; www.mostz.com;
      www.krupunmai.com; www.cddchiangmai.net; forum.malekal.com;
      tech.pantip.com; sapcupgrades.com; www.elguruinformatico.com;
      forums.avg.com; zastita.com; support.kaspersky.com;
      foro.msgpluslive.es; www.247fixes.com; forum.sysinternals.com;
      forum.telecharger.01net.com; sophos.com; foros.softonic.com;
      avast-home.uptodown.com; dr-web-cureit.softonic.com; heavenward.ru;
      forum.smadav.net; www.forum.kaspersky.com; www.dl4all.com;
      www.f-secure.com; www.chkrootkit.org; diamondcs.com.au;
      www.rootkit.nl; www.sysinternals.com; z-oleg.com;
      espanol.dir.groups.yahoo.com; ftp01net.telechargement.fr;
      modelayu.com; vaksin.com; bbs.kaspersky.com.cn; sf.tapuz.co.il;
      www.castlecrops.com; www.misec.net; safecomputing.umn.edu;
      www.antirootkit.com; www.greatis.com; ar.answers.yahoo.com;
      www.elhacker.org; research.pandasecurity.com; www.tpu.ro;
      www.pinoyden.com; forum.avira.de; www.tanya-it.com; www.rootkit.com;
      www.pctools.com; www.pcsupportadvisor.com; www.resplendence.com;
      www.personal.psu.edu; foro.ethek.com; foro.elhacker.net;
      download.zonealarm.com; spywarehammer.com; www.codelain.com;
      www.thaicert.org; vil.nail.com; search.mcafee.com; wwww.mcafee.com;
      download.nai.com; wwww.experts-exchange.com; www.bakunos.com;
      www.darkclockers.com; www2.gmer.net; ariefew.com; www.emsisoft.com;
      forum.romeonet.ro; www.arenajunkies.com; www.Merijn.org;
      www.spywareinfo.com; www.spybot.info; www.viruslist.com;
      www.hijackthis.de; ftp.f-secure.com; forum.kaspersky.com;
      es.trendmicro-europe.com; www.hvaonline.net; forum.lowyat.net;
      kb.eset.com; www.pcwelt.de; majorgeeks.com; www.avp.com;
      www.virustotal.com; www.sophos.com; linhadefensiva.uol.com.br;
      cmmings.cn; www.sergiwa.com; www.el-hacker.com; dl2.agnitum.com;
      forum.smadav.net; images.malwareremoval.com; front.prevx.com;
      www.avg-antivirus.net; www.kaspersky-labs.com; www.kaspersky.com;
      www.bleepingcomputer.com; www.free.grisoft.com;
      alerta-antivirus.inteco.es; greatis.com; www.oprekpc.com;
      www.gmer.net; forum.kasperskyclub.com; computadoras.migold.com;
      securityresponse.symantec.com; www.analysis.seclab.tuwien.ac.at;
      www.symantec.com; www.kztechs.com; ad-aware-se.uptodown.com;
      stdio-labs.blogspot.com; forum.lrytas.lt; www.decido.de;
      wap.elakiri.com; ot-indo.blogspot.com;
      liveupdate.symantecliveupdate.com; liveupdate.symantec.com;
      customer.symantec.com; update.symantec.com; www.box.net;
      foro.el-hacker.com; acs.pandasoftware.com; egavisa.blogspot.com;
      angui123.cn; beta.eset.com; www.ixtorrent.com; www.mcafee.com;
      download.mcafee.com; mast.mcafee.com; www.tecno-soft.com;
      ladooscuro.es; ftp.drweb.com; download.microsoft.com;
      www.mypcsafe.com; www.blindedbytech.com; kaspersky.com;
      sis-admin.blogspot.com; www.protecus.de; guru0.grisoft.cz;
      guru1.grisoft.cz; guru2.grisoft.cz; guru3.grisoft.cz;
      download.bleepingcomputer.com; it.answers.yahoo.com; www.softonic.com;
      www.mycity.rs; cairopt.net; rootrepeal.googlepages.com;
      www.windowexe.com; guru4.grisoft.cz; guru5.grisoft.cz;
      www.virusspy.com; download.f-secure.com; www.malwareremoval.com;
      forums.cnet.com; foros.softonic.com; www.freedrweb.com; www.kaskus.us;
      rootrepeal.psikotick.com; thaicert.nectec.or.th;
      hjt-data.trend-braintree.com; www.pantip.com; secubox.aldria.com;
      www.forospyware.com; www.manuelruvalcaba.com; www.zonavirus.com;
      www.leforo.com; www.gsmph.com; blokvesti.net; www.viprasys.org;
      forum.antivir-pe.de; www.siteadvisor.com; blog.threatfire.com;
      www.threatexpert.com; blog.hispasec.com; www.configurarequipos.com;
      sosvirus.changelog.fr; www.psicofxp.com; www.gsmph.net;
      www.gyakorikerdesek.hu; us.mcafee.com; www.malekal.com;
      mailcenter.rising.com.cn; mailcenter.rising.com; www.rising.com.cn;
      www.rising.com; www.babooforum.com.br; www.runscanner.net;
      www.blogschapines.com; www.zyzoom.org; www.avsoft.ru; www.elakiri.com;
      forum.telecharger.01net.com; sosvirus.changelog.fr;
      upload.changelog.fr; www.raymond.cc; changelog.fr; www.pcentraide.com;
      atazita.blogspot.com; www.thinkpad.cn; www.sunbeltsoftware.com;
      cert.inteco.es; www.gamexeon.com; nod32-antivirus.en.softonic.co;
      www.final4ever.com; files.filefont.com; www.infos-du-net.com;
      www.trendsecure.com; forum.hardware.fr; www.utilidades-utiles.com;
      blogs.icerocket.com; www.spywarefri.dk; alfrasha.maktoob.com;
      www.eset.eu; quickscan.bitdefender.com; www.spychecker.com;
      www.geekstogo.com; forums.maddoktor2.com; www.smokey-services.eu;
      www.clubic.com; www.linhadefensiva.org; www.rolandovera.com;
      forum.burek.com; secure.sophos.com; usa.kaspersky.com;
      board.softpedia.com; download.sysinternals.com; www.pcguide.com;
      www.thetechguide.com; www.ozzu.com; www.changedetection.com;
      espanol.groups.yahoo.com; www.sunbeltsecurity.com;
      www.quickheal.co.in; www.vivalared.com; thailand.itmylike.com;
      community.thaiware.com; www.avpclub.ddns.info;
      www.offensivecomputing.net; www.grisoft.com; boardreader.com;
      www.guiadohardware.net; www.webroot.com; www.thehelper.net;
      www.kaldata.com; vil.nai.com; www.malwarecrypt.com;
      www.msnvirusremoval.com; www.cisrt.org; fixmyim.com; samroeng.hi5.com;
      foro.elhacker.net; www.daboweb.com; service1.symantec.com;
      us3.download.comodo.com; forum.gsmhosting.com; www.computerforum.com;
      forum.avast.com; forums.techguy.org; www.incodesolutions.com;
      hijackthis.download3000.com; www.cybertechhelp.com;
      www.superdicas.com.br; www.51nb.com; us4.download.comodo.com;
      www.jbtalks.cc; ad13.geekstogo.com; forums.eternion-wow.com;
      downloads.andymanchesta.com; andymanchesta.com; info.prevx.com;
      aknow.prevx.com; www.zonavirus.com; securitywonks.net;
      www.yoreparo.com; www.spywarecease.com; forum.dobreprogramy.pl;
      community.mcafee.com; board.protecus.de; www.lavasoft.com;
      www.virscan.org; www.eeload.com; down.www.kingsoft.com; www.file.net;
      onecare.live.com; mvps.org; www.laneros.com; www.pc1news.com;
      forum.avira.com; downloads.novirusthanks.org; www.pinoyhackers.com;
      www.housecall.trendmicro.com; www.avast.com; www.free.avg.com;
      www.onlinescan.avast.com; www.ewido.net; www.trucoswindows.net;
      www.mozilla-hispano.org; www.jackbloodforum.com;
      www.kosandpol.elakiri.com; www.thaivisa.com;
      www.futurenow.bitdefender.com; www.bitdefender.com; www.f-prot.com;
      www.trendsecure.com; security.symantec.com; oldtimer.geekstogo.com;
      sopiansantosa.blogspot.com; www.fileresearchcenter.com;
      www.looktr.com; www.zone-it.com; www.avira.com; www.eset.com;
      free.avg.com; www.free-av.com; kr.ahnlab.com; www.eset.com;
      forospyware.com; thejokerx.blogspot.com; cairopt.net;
      oolbar.cyberdefender.com; golpe.dyndns.org; forum.aiutamici.com;
      solit.us; www.2-spyware.com; www.antivir.es; www.prevx.com;
      www.ikarus.net; bbs.s-sos.net; www.housecall.trendmicro.com;
      www.superdicas.com.br; www.superantispyware.com; www.unhackme.com;
      www.askmehelpdesk.com; forum.zebulon.fr; www.forums.majorgeeks.com;
      www.castlecops.com; www.virusspy.com; andymanchesta.com;
      www.kaspersky.es; subs.geekstogo.com; www.forospanish.com;
      blog.rnsafe.com; www.regrun.com; irc.snahosting.net; danielorza.net;
      www.pchelpforum.com; www.trendmicro.com; www.fortinet.com;
      www.safer-networking.org; www.fortiguardcenter.com; www.dougknox.com;
      www.vsantivirus.com; static.commentcamarche.net;
      www.gyakorikerdesek.hu; www.fixya.com; www.alabamawomen.org;
      www.firewallguide.com; www.auditmypc.com; www.spywaredb.com;
      www.mxttchina.com; www.ziggamza.net; www.forospyware.es;
      pogonyuto.forospanish.com; spywarefiles.prevx.com; k2r.th3kings.net;
      www.betterantivirus.com; www.365groups.com; www.antivirus.comodo.com;
      www.spywareterminator.com; www.eradicatespyware.net;
      www.freespywareremoval.info; www.personalfirewall.comodo.com;
      wakoopa.com; forum.drweb.com; bb1.th3kings.net;
      www.commentcamarche.net; www.clamav.net; www.antivirus.about.com;
      www.pandasecurity.com; www.webphand.com; mx.answers.yahoo.com;
      www.securitywonks.net; www.messengeradictos.com; www.geekpolice.net;
      bub.th3kings.net; shield.prevx.com; www.eudict.com; www.sandboxie.com;
      www.clamwin.com; www.cwsandbox.org; www.ca.com; www.arswp.com;
      es.answers.yahoo.com; www.trucoswindows.es; www.ipaddresser.com;
      www.abgenis.net; www.freefixer.com; forums.afterdawn.com;
      forum.torrents.ro; www.networkworld.com; www.cddchiangmai.net;
      www.threatexpert.com; www.norman.com; espanol.answers.yahoo.com;
      www.tallemu.com; foro.portalhacker.net; www.groupwhere.org;
      sniff.runescapetube.com; forum.p30world.com; virscan.org;
      www.viruschief.com; scanner.virus.org; www.hijackthis.de;
      housecall65.trendmicro.com; www.guiadohardware.net;
      forums.whatthetech.com; mustlovewine.com; www3.malekal.com;
      esetnod32antivirus.blogspot.com; hjt.networktechs.com;
      www.techsupportforum.com; www.whatthetech.com; www.soccersuck.com;
      www.pcentraide.com; comunidad.wilkinsonpc.com.co; forum.hocit.com;
      forum.smadav.net; fgp.e2doo.com; community.thaiware.com;
      irc.evoporn.com; forum.piriform.com; www.tweaksforgeeks.com;
      www.daniweb.com; www.geekstogo.com; es.answers.yahoo.com;
      www.techsupportforum.com; dnl-eu8.kaspersky-labs.com; www.oprekpc.com;
      shv4.ath.cx; www.pcworld.com; in.answers.yahoo.com; www.pchell.com;
      www.spyany.com; forums.techguy.org; www.experts-exchange.com;
      www.wikio.es; www.pandasecurity.com; forums.devshed.com;
      devbuilds.kaspersky-labs.com; hana-ahmad.blogspot.com;
      www.linkmania.ro; www.trojaner-board.de; forum.tweaks.com;
      www.wilderssecurity.com; www.techspot.com; www.thecomputerpitstop.com;
      es.wasalive.com; secunia.com; www.killtrojan.net; www.ulop.net;
      www.eliters.com; sip4.voipkosovasite.com; www.ftw.ro;
      anggiawan.web.id; es.kioskea.net; www.taringa.net;
      www.cyberdefender.com; www.feedage.com; new.taringa.net;
      forum.zazana.com; forum.clubedohardware.com.br; mks.com.pl;
      www.vietcaravan.us; trbotnet.sytes.net; community.norton.com;
      www.computing.net; discussions.virtualdr.com;
      forum.securitycadets.com; www.techimo.com; 13iii.com;
      www.dicasweb.com.br; www.javacoolsoftware.net; cofradia.org;
      wasteland-bg.com; www.windowexe.com; malekal.com; www.carigold.com;
      www.infosecpodcast.com; www.usbcleaner.cn; www.net-security.org;
      www.bleedingthreats.net; acs.pandasoftware.com; www.funkytoad.com;
      malwarebytes.org; sabithpocker.blogspot.com; comprolive.vox.com;
      www.worton.com; www.360safe.cn; www.360safe.com; bbs.360safe.cn;
      bbs.360safe.com; codehard.wordpress.com; forum.clubedohardware.com.br;
      antitrick.com; www.configurarequipos.com; www.jiwang.org;
      anti-virus-software-review.toptenreviews.com; www.360.cn; www.360.com;
      bbs.360safe.cn; bbs.360safe.com; www.forospyware.es;
      p3dev.taringa.net; www.precisesecurity.com; dlpe.antivir.com;
      www.jvme.com; share.skype.com; comprolive.com; gotoknow.org;
      www.forofantasiasmiguel.com; baike.360.cn; baike.360.com; kaba.360.cn;
      kaba.360.com; deckard.geekstogo.com; www.taringa.net;
      forums.comodo.com; www.mvps.org; melcy.wordpress.com;
      forum.softpedia.com; pcvids.wordpress.com; shop.symantecstore.com;
      down.360safe.cn; down.360safe.com; x.360safe.com; dl.360safe.com;
      ftp.drweb.com; www.hotshare.net; es.wasalive.com; free.antivirus.com;
      forum.hocit.com; destavision-forum.com; inspiresoft.blogspot.com;
      universomanualidades.foroactivo.com; updatem.360safe.com;
      updatem.360safe.cn; update.360safe.cn; update.360safe.com;
      www.utilidades-utiles.com; forum.kaspersky.com;
      www.indowebster.web.id; zastita.com; www.sz-pet.com;
      foros.abcdatos.com; www.elektroda.pl; bbs.duba.net; www.duba.net;
      zhidao.baidu.com; hi.baidu.com; www.drweb.com.es;
      msncleaner.softonic.com; www.javacoolsoftware.com;
      beniono.wordpress.com; www.4-gsmteam.com; msntubers.freehostia.com;
      store.norton.com; file.ikaka.com; file.ikaka.cn; bbs.ikaka.com;
      zhidao.ikaka.com; www.eset-la.com; download.eset.com;
      software-files.download.com; www.faravirusi.com; www.winbots.es;
      forum.chip.de; www.thailandsusu.com; debates.motos.net; www.ikaka.com;
      www.ikaka.cn; bbs.cfan.com.cn; www.cfan.com.cn; www.pandasecurity.com;
      es.mcafee.com; downloads.malwarebytes.org; www.devirusare.com;
      forum.skype.com; shitit.net; www.webimmune.net; forum.swzone.it;
      bbs.kafan.cn; bbs.kafan.com; bbs.kpfans.com; bbs.taisha.org;
      www.manuelruvalcaba.com; support.f-secure.com; bbs.winzheng.com;
      devirusare.com; social.microsoft.com; www.shitit.net;
      mx.answers.yahoo.com; darkzone.in.th; alerta-antivirus.inteco.es;
      foros.zonavirus.com; alerta-antivirus.red.es; www.zonavirus.com;
      www.malwarebytes.org; www.commentcamarche.net;
      news.support.veritas.com; www.zonealarm.com;
      malwarebytes-anti-malware.softonic.com; www.ewido.net;
      www.infospyware.com; www.bitdefender.es; housecall.trendmicro.com;
      foros.toxico-pc.com; www.identi.es; es.kioskea.net; virusinfo.info;
      forums.zonealarm.com; foro.infiernohacker.com;
      nitroamd.spaces.live.com; www.emsisoft.de; www.securitynewsportal.com;
      irc.ekizmedia.com; zone.arminboutique.com; story.dnsentrymx.com
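The description does not say where the listed domains are pointed, only that the existing hosts entries are removed and the security-vendor names are redirected. A hosts-file check therefore has to treat any mapping for such a name as a hijack, distinguishing 127.0.0.1 or 0.0.0.0 (update and support traffic blackholed) from a remote address (traffic sent to an attacker-chosen host), and it should also flag the missing localhost entry. The Python below is an added example, not part of the original description: WATCHLIST holds a subset of the domains above, KEYWORDS is a vendor-name heuristic of my own, and SAMPLE_HOSTS is constructed.

```python
"""Flag hosts-file hijacks of the kind described above.  Added example;
WATCHLIST is a subset of the domain list on this page, KEYWORDS is a
heuristic of my own, and SAMPLE_HOSTS is constructed."""
import ipaddress

WATCHLIST = {
    "www.kaspersky.com", "downloads.sophos.com", "update.symantec.com",
    "liveupdate.symantecliveupdate.com", "www.virustotal.com",
    "download.microsoft.com", "www.avira.com", "www.malwarebytes.org",
    "free.avg.com", "www.eset.com", "housecall.trendmicro.com",
    "www.bitdefender.com", "www.mcafee.com", "www.f-secure.com",
    "www.bleepingcomputer.com",
}
# Vendor-name fragments: a hosts entry for any such name has no business on a
# managed endpoint, whatever address it carries.
KEYWORDS = ("kaspersky", "symantec", "mcafee", "sophos", "avira", "avast",
            "eset", "trendmicro", "bitdefender", "malwarebytes", "drweb",
            "f-secure", "virustotal", "hijackthis", "grisoft", "clamav")


def parse_hosts(text):
    """Return [(lineno, ip_address, [hostnames])] for every active entry;
    blank lines, comments and unparsable addresses are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((n, ip, [h.lower() for h in parts[1:]]))
    return entries


def analyze_hosts(text, watchlist=WATCHLIST, keywords=KEYWORDS):
    """Return (kind, hostname, address) findings.  kinds:
    localhost_entry_missing, blackholed (loopback or 0.0.0.0), redirected."""
    entries = parse_hosts(text)
    findings = []
    if not any("localhost" in names and ip.is_loopback for _, ip, names in entries):
        findings.append(("localhost_entry_missing", None, None))
    for _, ip, names in entries:
        for name in names:
            if name in watchlist or any(k in name for k in keywords):
                kind = "blackholed" if ip.is_loopback or ip.is_unspecified else "redirected"
                findings.append((kind, name, str(ip)))
    return findings


# Constructed sample: the default localhost line is gone and vendor names are
# mapped to a remote host (203.0.113.10, documentation range) or to loopback.
SAMPLE_HOSTS = """\
203.0.113.10 www.kaspersky.com
203.0.113.10 downloads.sophos.com update.symantec.com
127.0.0.1 www.virustotal.com
0.0.0.0 liveupdate.symantecliveupdate.com
192.168.1.20 intranet.example   # legitimate local entry, not flagged
"""
```

Point `analyze_hosts` at the contents of %SystemRoot%\System32\drivers\etc\hosts taken from the suspect machine; on a host where the file is also hidden by the Explorer settings above, copy it from a boot CD or over the network rather than trusting the local shell.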


Process termination
List of processes that are terminated:
   • MSMPENG.EXE; MSASCUI.EXE; GUARDXKICKOFF.EXE; GUARDXSERVICE.EXE;
      VIRUSUTILITIES.EXE; VBA32-PERSONAL-LATEST-ENGLISH.EXE;
      TrendMicro_TISPro_16.1_1063_x32.EXE; WITSETUP.EXE; AVINSTALL.EXE;
      K7TS_SETUP.EXE; P08PROMO.EXE; ISSDM_EN_32.EXE; VIPRE.EXE;
      UNLOCKER.EXE; UNLOCKERASSISTANT.EXE; UNLOCKER1.8.7.EXE;
      REGUNLOCKER.EXE; COMPAQ_PROPIETARIO.EXE; ATF-CLEANER.EXE;
      SAFEBOOTKEYREPAIR.EXE; OTMOVEIT3.EXE; HOSTSXPERT.EXE; DAFT.EXE; VIRUS.EXE;
      HIJACK-THIS.EXE; MRT.EXE; MRTSTUB.EXE; WINDOWS-KB890930-V2.2.EXE;
      HJ.EXE; ELISTA.EXE; PENCLEAN.EXE; MBAM-SETUP.EXE; MBAM.EXE; AVZ.EXE;
      JAJA.EXE; OTMOVEIT.EXE; MBAM-SETUP.EXE; REGMON.EXE; COMBO-FIX.EXE;
      COMBOFIX.BAT; COMBOFIX.SCR; COMBOFIX.COM; NTVDM.EXE; GUARD.EXE;
      LISTO.EXE; TCPVIEW.EXE; REGEDIT.COM; REGEDIT.SCR; FOLDERCURE.EXE;
      KILLAUTOPLUS.EXE; MYPHOTOKILLER.EXE; REG.EXE; TASKKILL.EXE;
      AUTORUNS.EXE; SRENGPS.EXE; COMBOFIX.EXE; SDFIX.EXE; CATCHME.EXE;
      GMER.EXE; MBR.EXE; CF9409.EXE;
      REGUNLOCKER.EXE; TSNTEVAL.EXE; XP_TASKMGRENAB.EXE; SUPERANTISPYWARE.EXE;
      BOOTSAFE.EXE; SRESTORE.EXE; MSNCLEANER.EXE; BUSCAREG.EXE;
      KAKASETUPV6.EXE; SUPERKILLER.EXE; DUBATOOL_AV_KILLER.EXE;
      DELAYDELFILE.EXE; SEEM.EXE; BC5CA6A.EXE; ROOTALYZER.EXE;
      ROOTKITBUSTER.EXE; HELIOS.EXE; DARKSPY105.EXE; HOOKANLZ.EXE;
      PAVARK.EXE; SRENGLDR.EXE; APORTS.EXE; FPORT.EXE; PORTDETECTIVE.EXE;
      PORTMONITOR.EXE; NETSTAT.EXE; OLLYDBG.EXE; HJTINSTALL.EXE;
      HJTSETUP.EXE; HIJACKTHIS_SFX.EXE; HIJACKTHIS.EXE; HIJACKTHIS_V2.EXE;
      MSNFIX.EXE; PROCEXP.EXE; TASKMAN.EXE; TASKLIST.EXE; TASKMON.EXE;
      PSKILL.EXE; ROOTKITREVEALER.EXE; FSBL.EXE; FSB.EXE; AVGARKT.EXE;
      ROOTKIT_DETECTIVE.EXE; UNHACKME.EXE; HACKMON.EXE; RKD.EXE;
      ROOTKITNO.EXE; REANIMATOR.EXE; HOOKANLZ.EXE; ROOTREPEAL.EXE;
      ICESWORD.EXE; LORDPE.EXE; PG2.EXE; PROCDUMP.EXE; PROCESSMONITOR.EXE;
      SPYBOTSD160.EXE; TEATIMER.EXE; SPYBOTSD.EXE; WIRESHARK.EXE; APM.EXE;
      APT.EXE; ASVIEWER.EXE; CPORTS.EXE; CPROCESS.EXE; DLLCOMPARE.EXE;
      A2HIJACKFREESETUP.EXE; EULALYZERSETUP.EXE; FILEALYZ.EXE; FILEFIND.EXE;
      FIXPATH.EXE; HOSTSFILEREADER.EXE; IEFIX.EXE; AVENGER.EXE;
      INSTALLWATCHPRO25.EXE; KILLBOX.EXE; NETALYZ.EXE; OBJMONSETUP.EXE;
      PGSETUP.EXE; FIXBAGLE.EXE; CUREIT.EXE; PROCMON.EXE;
      PROJECTWHOISINSTALLER.EXE; REGALYZ.EXE; REGCOOL.EXE;
      REGISTRAR_LITE.EXE; REGSCANNER.EXE; REGSHOT.EXE; REGX2.EXE; SPF.EXE;
      SRENGLDR.EXE; STARTDRECK.EXE; SYSANALYZER_SETUP.EXE; UNIEXTRACT.EXE;
      UNLOCKER1.8.7.EXE; RAVP.EXE; MBAM.EXE; USBGUARD.EXE; AVZ.EXE; OTL.EXE;
      CPF.EXE; ZLCLIENT.EXE; 123.COM; 123.EXE


File details
Programming language:
The malware program was written in Visual Basic.

Description inserted by Petre Galan on Monday, 5 July 2010
Description updated by Petre Galan on Monday, 5 July 2010
