Du brauchst Hilfe? Frage die Community oder wende dich an einen Experten.
Zu Avira Answers
Name:Worm/Emerleox.K.1
Entdeckt am:18/05/2011
Art:Worm
In freier Wildbahn:Ja
Gemeldete Infektionen:Niedrig bis mittel
Verbreitungspotenzial:Niedrig bis mittel
Schadenspotenzial:Niedrig bis mittel
Statische Datei:Ja
Dateigre:76.411 Bytes
MD5 Prfsumme:51dfe512c014a9113d51b7802b8d0451
VDF Version:7.11.08.60 - Mittwoch, 18. Mai 2011
IVDF Version:7.11.08.60 - Mittwoch, 18. Mai 2011

 Allgemein Verbreitungsmethode:
    Autorun Dateien


Aliases:
   •  Kaspersky: Worm.Win32.AutoRun.btp
   •  F-Secure: Worm.Win32.AutoRun.btp
   •  Bitdefender: Worm.Generic.82193
     GData: Worm.Generic.82193
     DrWeb: Win32.HLLW.Autoruner.1608


Betriebsysteme:
   • Windows 2000
   • Windows XP
   • Windows 2003


Auswirkungen:
   • Erstellt schdliche Dateien
   • Setzt Sicherheitseinstellungen herunter
   • nderung an der Registry
   • Macht sich Software Verwundbarkeit zu nutzen
CVE-2007-1204
MS07-019

 Dateien Kopien seiner selbst werden hier erzeugt:
   • %PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe
   • %Laufwerk%\owlstxm.exe
   • %PROGRAM FILES%\Common Files\System\qbbtqcy.exe
   • %PROGRAM FILES%\meex.exe



Die anfnglich ausgefhrte Kopie der Malware wird gelscht.



Folgende Dateien werden gelscht:
   • %SYSDIR%\verclsid.exe
   • %PROGRAM FILES%\3.hiv
   • %PROGRAM FILES%\2.hiv
   • %PROGRAM FILES%\4.hiv
   • %PROGRAM FILES%\1.hiv



Es werden folgende Dateien erstellt:

%Laufwerk%\autorun.inf Diese Datei ist eine nicht virulente Textdatei mit folgendem Inhalt:
   • %Programmcode, der Malware startet%

%PROGRAM FILES%\Common Files\Microsoft Shared\ngcxjsi.inf Diese Datei ist eine nicht virulente Textdatei mit folgendem Inhalt:
   • %Programmcode, der Malware startet%

%PROGRAM FILES%\Common Files\System\ngcxjsi.inf Diese Datei ist eine nicht virulente Textdatei mit folgendem Inhalt:
   • %Programmcode, der Malware startet%

%SYSDIR%\verclsids.exe
%PROGRAM FILES%\1.hiv
%PROGRAM FILES%\3.hiv
%PROGRAM FILES%\2.hiv
%PROGRAM FILES%\4.hiv



Es versucht folgende Dateien auszufhren:

Dateiname:
   • %PROGRAM FILES%\Common Files\System\qbbtqcy.exe


Dateiname:
   • %PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe


Dateiname:
   • cmd /c echo Y| cacls %PROGRAM FILES%\meex.exe /t /g everyone:F


Dateiname:
   • %SYSDIR%\cmd.exe /S /D /c" echo Y"


Dateiname:
   • cmd /c echo Y| cacls %PROGRAM FILES%\dld.dat /t /g everyone:F

 Registry Die Werte des folgenden Registry keys werden gelscht:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • AVP
   • KVMON
   • ngcxjsi
   • owlstxm



Folgende Registryschlssel werden hinzugefgt:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\CCenter.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\irsetup.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVStart.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\scan32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxAgent.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQSC.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\PFWLiveUpdate.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVPFW.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mmqczj.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360Safe.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mmsk.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVCenter.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\adam.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavTask.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavMonD.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKCU\Software\hvnl]
   • "owlstxm"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVMonXP_1.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QHSET.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KMFilter.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Trojanwall.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\shcfg32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvolself.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KWatch.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KPFW32X.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\IceSword.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Iparmor.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RsAgent.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MagicSet.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\vsstat.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AvMonitor.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UpLive.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQKav.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxFwHlp.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ArSwp.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FileDsty.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360rpt.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KWatchX.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVScan.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\isPwdSvc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SysSafe.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Rsaupd.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Navapw32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KMailMon.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\EGHOST.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\WoptiClean.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\Hidden\SHOWALL]
   • "CheckedValue"=dword:0x00000001

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AST.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVPF.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KWatch9x.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rfwmain.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\runiep.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Rav.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\safelive.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FTCleanerShell.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVSrvXP.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavStub.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KASTask.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avp.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rstrui.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\PFW.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AppSvc32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KvXP_1.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\zjb.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\loaddll.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KISLnchr.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SmartUp.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KvXP.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AvastU3.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\nod32krn.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UIHost.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ghost.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KRegEx.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVStub.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KPfwSvc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rfwcfg.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxCfg.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KASMain.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVSetup.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\USBCleaner.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
   • "NoDriveTypeAutoRun"=dword:0x00000091

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcconsol.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KvReport.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\NPFMntor.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\symlcsvc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avconsol.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\nod32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\webscanx.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TrojanDetector.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVDX.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVMonXP.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvupload.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avp.com]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Ras.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KaScrScn.SCR]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\upiea.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RegClean.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAV32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\HijackThis.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avgrssvc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\iparmo.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FYFireWall.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\nod32kui.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360tray.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TrojDie.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KvDetect.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KvfwMcl.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxAttachment.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvol.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ccSvcHst.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KsLoader.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKCU\Software\edwv]
   • "ngcxjsi"="%PROGRAM FILES%\Common Files\System\qbbtqcy.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvwsc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\autoruns.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KRepair.com]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxPol.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KPFW32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SREng.EXE]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQDoctor.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AgentSvr.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavMon.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kabaload.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Navapsvc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rfwsrv.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"



Folgende Registryschlssel werden gendert:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   Neuer Wert:
   • "Type"="checkbox2"

[HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
   Neuer Wert:
   • "Start"=dword:0x00000004

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Neuer Wert:
   • "ShowSuperHidden"=dword:0x00000000

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Neuer Wert:
   • "Start"=dword:0x00000004

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\Hidden\SHOWALL]
   Neuer Wert:
   • "Type"="radio"

 Diverses Greift auf Internetressourcen zu:
   • http://union.is123.com/**********
   • http://www.is123.com/admin/**********


Mutex:
Es werden folgende Mutexe erzeugt:
   • ]TMU%50>IA?4>6?
   • Y*J-ONE
   • Y*J-TWO

 Datei Einzelheiten Programmiersprache:
Das Malware-Programm wurde in Delphi geschrieben.


Laufzeitpacker:
Um eine Erkennung zu erschweren und die Gre der Datei zu reduzieren wurde sie mit einem Laufzeitpacker gepackt.

Die Beschreibung wurde erstellt von Petre Galan am Donnerstag, 16. Juni 2011
Die Beschreibung wurde geändert von Petre Galan am Donnerstag, 16. Juni 2011

zurück . . . .