Name: Worm/Emerleox.K.1
Discovered on: 18/05/2011
Type: Worm
In the wild: Yes
Reported infections: Low to medium
Distribution potential: Low to medium
Damage potential: Low to medium
Static file: Yes
File size: 76,411 bytes
MD5 checksum: 51dfe512c014a9113d51b7802b8d0451
VDF version: 7.11.08.60 - Wednesday, 18 May 2011
IVDF version: 7.11.08.60 - Wednesday, 18 May 2011

General
Spreading method:
   • Autorun files


Aliases:
   •  Kaspersky: Worm.Win32.AutoRun.btp
   •  F-Secure: Worm.Win32.AutoRun.btp
   •  Bitdefender: Worm.Generic.82193
   •  GData: Worm.Generic.82193
   •  DrWeb: Win32.HLLW.Autoruner.1608


Operating systems:
   • Windows 2000
   • Windows XP
   • Windows 2003


Effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Exploits a software vulnerability
      •  CVE-2007-1204
      •  MS07-019

Files
Copies of itself are created at:
   • %PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe
   • %drive%\owlstxm.exe
   • %PROGRAM FILES%\Common Files\System\qbbtqcy.exe
   • %PROGRAM FILES%\meex.exe



The initially executed copy of the malware is deleted.



The following files are deleted:
   • %SYSDIR%\verclsid.exe
   • %PROGRAM FILES%\3.hiv
   • %PROGRAM FILES%\2.hiv
   • %PROGRAM FILES%\4.hiv
   • %PROGRAM FILES%\1.hiv



The following files are created:

%drive%\autorun.inf This is a non-malicious text file with the following content:
   • %program code that starts the malware%

%PROGRAM FILES%\Common Files\Microsoft Shared\ngcxjsi.inf This is a non-malicious text file with the following content:
   • %program code that starts the malware%

%PROGRAM FILES%\Common Files\System\ngcxjsi.inf This is a non-malicious text file with the following content:
   • %program code that starts the malware%

%SYSDIR%\verclsids.exe
%PROGRAM FILES%\1.hiv
%PROGRAM FILES%\3.hiv
%PROGRAM FILES%\2.hiv
%PROGRAM FILES%\4.hiv



It tries to execute the following files:

– Filename:
   • %PROGRAM FILES%\Common Files\System\qbbtqcy.exe


– Filename:
   • %PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe


– Filename:
   • cmd /c echo Y| cacls %PROGRAM FILES%\meex.exe /t /g everyone:F


– Filename:
   • %SYSDIR%\cmd.exe /S /D /c" echo Y"


– Filename:
   • cmd /c echo Y| cacls %PROGRAM FILES%\dld.dat /t /g everyone:F

Registry
The values of the following registry key are deleted:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • AVP
   • KVMON
   • ngcxjsi
   • owlstxm



The following registry keys are added:

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\CCenter.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\irsetup.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVStart.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\scan32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxAgent.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQSC.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\PFWLiveUpdate.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVPFW.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mmqczj.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360Safe.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mmsk.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVCenter.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\adam.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavTask.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavMonD.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKCU\Software\hvnl]
   • "owlstxm"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVMonXP_1.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QHSET.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KMFilter.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Trojanwall.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\shcfg32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvolself.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KWatch.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KPFW32X.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\IceSword.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Iparmor.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RsAgent.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MagicSet.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\vsstat.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AvMonitor.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UpLive.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQKav.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxFwHlp.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ArSwp.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FileDsty.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360rpt.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KWatchX.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVScan.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\isPwdSvc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SysSafe.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Rsaupd.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Navapw32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KMailMon.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\EGHOST.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\WoptiClean.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\Hidden\SHOWALL]
   • "CheckedValue"=dword:0x00000001

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AST.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVPF.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KWatch9x.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rfwmain.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\runiep.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Rav.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\safelive.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FTCleanerShell.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVSrvXP.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavStub.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KASTask.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avp.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rstrui.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\PFW.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AppSvc32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KvXP_1.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\zjb.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\loaddll.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KISLnchr.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SmartUp.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KvXP.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AvastU3.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\nod32krn.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UIHost.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ghost.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KRegEx.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVStub.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KPfwSvc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rfwcfg.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxCfg.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KASMain.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVSetup.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\USBCleaner.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
   • "NoDriveTypeAutoRun"=dword:0x00000091

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcconsol.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KvReport.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\NPFMntor.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\symlcsvc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avconsol.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\nod32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\webscanx.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TrojanDetector.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVDX.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVMonXP.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvupload.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avp.com]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Ras.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KaScrScn.SCR]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\upiea.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RegClean.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAV32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\HijackThis.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avgrssvc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\iparmo.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FYFireWall.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\nod32kui.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360tray.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TrojDie.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KvDetect.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KvfwMcl.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxAttachment.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvol.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ccSvcHst.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KsLoader.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKCU\Software\edwv]
   • "ngcxjsi"="%PROGRAM FILES%\Common Files\System\qbbtqcy.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvwsc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\autoruns.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KRepair.com]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxPol.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KPFW32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SREng.EXE]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQDoctor.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AgentSvr.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavMon.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kabaload.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Navapsvc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rfwsrv.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"



The following registry keys are modified:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   New value:
   • "Type"="checkbox2"

– [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
   New value:
   • "Start"=dword:0x00000004

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "ShowSuperHidden"=dword:0x00000000

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   New value:
   • "Start"=dword:0x00000004

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\Hidden\SHOWALL]
   New value:
   • "Type"="radio"
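
As an added defender-side check (not part of the Avira description and not Avira code), the following Python parses a registry export in .reg text format and flags the indicators listed above: IFEO "Debugger" redirections of security tools, the two services set to disabled, the hidden-file setting and a NoDriveTypeAutoRun policy that leaves AutoRun active on removable drives. The sample export is constructed for the example, with %PROGRAM FILES% expanded to C:\Program Files; key and value names are the ones on this page.

```python
# Constructed sample .reg export (not a real capture). The values mirror the
# ones listed in this description; %PROGRAM FILES% is expanded to C:\Program Files.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\hasybbc.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

IFEO_MARK = "\\image file execution options\\"
AUTORUN_REMOVABLE = 0x04  # NoDriveTypeAutoRun bit that suppresses AutoRun on removable drives


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw
    return keys


def reg_string(raw):
    """Unescape a quoted REG_SZ value; None if the data is not a string."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return None


def reg_dword(raw):
    """Decode a dword:XXXXXXXX value; None if the data is not a DWORD."""
    return int(raw[6:], 16) if raw.lower().startswith("dword:") else None


def find_indicators(keys):
    """Return (kind, subject, detail) tuples for every matching indicator."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        tail = key.rsplit("\\", 1)[-1]
        # An IFEO Debugger value silently replaces the named program; the worm
        # points dozens of security tools at its own copy.
        debugger = reg_string(values.get("Debugger", ""))
        if IFEO_MARK in low and debugger:
            findings.append(("IFEO_DEBUGGER", tail, debugger))
        # Windows Update and the firewall/ICS service set to disabled (4).
        if tail.lower() in ("wuauserv", "sharedaccess") and reg_dword(values.get("Start", "")) == 4:
            findings.append(("SERVICE_DISABLED", tail, 4))
        # Protected operating system files hidden again in Explorer.
        if low.endswith("\\explorer\\advanced") and reg_dword(values.get("ShowSuperHidden", "")) == 0:
            findings.append(("SUPERHIDDEN_OFF", tail, 0))
        # 0x91 leaves AutoRun active on removable drives, the worm's spreading path.
        policy = reg_dword(values.get("NoDriveTypeAutoRun", ""))
        if low.endswith("\\policies\\explorer") and policy is not None and not policy & AUTORUN_REMOVABLE:
            findings.append(("AUTORUN_REMOVABLE_ENABLED", tail, hex(policy)))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"{kind:26} {subject:14} {detail}")
```

The benign notepad.exe IFEO key carrying only GlobalFlag is not reported, so the check keys on the Debugger value itself rather than on the presence of an IFEO subkey.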

Miscellaneous
Accesses internet resources:
   • http://union.is123.com/**********
   • http://www.is123.com/admin/**********


Mutex:
The following mutexes are created:
   • ]TMU%50>IA?4>6?
   • Y*J-ONE
   • Y*J-TWO

File details
Programming language:
The malware program was written in Delphi.


Runtime packer:
To hinder detection and reduce the file size, it was packed with a runtime packer.

Description created by Petre Galan on Thursday, 16 June 2011
Description modified by Petre Galan on Thursday, 16 June 2011
