Virus: TR/Agent.172032.6
Date discovered: 16/04/2007
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 172.032 Bytes
MD5 checksum: 50fcc03125d42d7e1251d006eba8b12a
VDF version: 6.38.00.220
IVDF version: 6.38.00.224 - Monday, April 16, 2007

General:
   • No own spreading routine


Aliases:
   •  Mcafee: W32/Zaflen.a
   •  Kaspersky: Worm.Win32.VB.gr
   •  F-Secure: Worm.Win32.VB.gr
   •  Sophos: W32/Lovelet-AD
   •  Panda: W32/Nedro.C.worm
   •  Eset: Win32/VB.BP
   •  Bitdefender: Win32.Worm.VB.TC


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Drops malicious files
   • Registry modification

Files:
It copies itself to the following locations:
   • %WINDIR%\lsass.exe
   • %SYSDIR%\mskernel.exe
   • %WINDIR%\setup\mskernel.exe
   • %WINDIR%\services.exe
   • %WINDIR%\gorgle\csrss.exe
   • %ALLUSERSPROFILE%\Desktop\Microsoft Word Document.scr
   • %ALLUSERSPROFILE%\Start Menu\Programs\Microsoft Word Document.scr
   • %ALLUSERSPROFILE%\Start Menu\New Microsoft Word Document.scr
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\folderwiz.com
   • %HOME%\NetHood\Hot Picture.com
   • %HOME%\My Documents\My Picture.com
   • %HOME%\PrintHood\Printing Information.com
   • %HOME%\Recent\New Microsoft Word Document.scr
   • %HOME%\SendTo\Image Editor.com
   • %HOME%\Start Menu\Image Viewer.com
   • %HOME%\My Documents\MyPictures\mskernel.exe
   • %HOME%\My Documents\Rated R Pictures.com
   • %WINDIR%\AutoRun.ini
   • C:\CoolWorld.exe
   • %WINDIR%\agila.scr
   • %HOME%\Local Settings\Application Data\Microsoft\CD Burning\CoolWorld.exe



The following file is created:

C:\autorun.inf. This is a non-malicious text file with the following content:
   [autorun]
   open=CoolWorld.exe
   shell\open=Open
   shell\open\Command=CoolWorld.exe
   shell\open\Default=1
   shell\explore=Explore
   shell\explore\Command=CoolWorld.exe

Registry:
The following registry keys are added in order to run the processes after reboot:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • Shell="explorer.exe "%WINDIR%\services.exe""
   • Userinit="%SYSDIR%\userinit.exe,%WINDIR%\gorgle\csrss.exe,"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
   • (Default)="%SYSDIR%\mskernel.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • (Default)="\WINDOWS\lsass.exe"
   • WinRun="%WINDIR%\AutoRun.ini"



The following registry keys are added:

[HKCR\Folder\shell\About Us\Command]
[HKLM\Software\Microsoft\Windows\System\Malicious]
   • Sams32="0212"



The following registry keys are changed:

Various Explorer settings:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • Run=dword:00000001
   • NoFolderOptions=dword:00000001
   • NoRun=dword:00000001

Disable Regedit and Task Manager:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   New value:
   • DisableRegistryTools=dword:00000001

[HKCR\avifile\shell\open\command]
   New value:
   • (Default)=""%WINDIR%\setup\mskernel.exe" "

[HKCR\piffile\shell\open\command]
   New value:
   • (Default)=""%WINDIR%\setup\mskernel.exe" "

[HKCR\artfile\shell\open\command]
   New value:
   • (Default)=""%WINDIR%\setup\mskernel.exe" "

[HKCR\datfile\shell\open\command]
   New value:
   • (Default)=""%WINDIR%\setup\mskernel.exe" "

[HKCR\exefile]
   New value:
   • NeverShowExt=""

[HKCR\scrfile]
   New value:
   • NeverShowExt=""
   • (Default)="Microsoft Word Document"

[HKCR\batfile]
   New value:
   • NeverShowExt=""

[HKCR\comfile]
   New value:
   • NeverShowExt=""
   • (Default)="JPEG Image"

[HKCR\comfile\defaulticon]
   New value:
   • (Default)="shimgvw.dll,3"

[HKLM\SOFTWARE\Microsoft\Windows]
   New value:
   • ScanningSystemDrive="False"

[HKCR\batfile\shell\edit\command]
   New value:
   • (Default)=hex(2):73,00,68,00,75,00,74,00,64,00,6f,00,77,00,6e,00,20,00,2d,00,73,00,20,00,2d,00,66,00,20,00,2d,00,74,00,20,00,30,00,00,00

[HKCR\inifile\shell\open\command]
   New value:
   • (Default)=hex(2):22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00
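The two hex(2) values above are REG_EXPAND_SZ data in .reg export syntax (UTF-16LE bytes, NUL-terminated); decoded they read shutdown -s -f -t 0 and "%1" %*. As an added example that is not part of Avira's description, the following Python script parses a .reg-style export, decodes such values, and flags the persistence and lockdown patterns listed in this section: a replaced Winlogon Shell, extra programs chained into Userinit, the DisableRegistryTools, NoFolderOptions and NoRun policies, NeverShowExt on executable file classes, and shell verb commands that never reference the clicked file (%1). The snapshot it runs on is constructed from the values above with %WINDIR% expanded to a hypothetical C:\WINDOWS and one benign txtfile handler added as a control; it is not a real export from an infected host.

```python
import re

# Constructed .reg-style snapshot (not a real export from an infected host). It carries
# the values reported in the description above plus one benign txtfile handler as a
# control, so the checks below have realistic input to run on offline.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe \"C:\\WINDOWS\\services.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\gorgle\\csrss.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CLASSES_ROOT\exefile]
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\batfile\shell\edit\command]
@=hex(2):73,00,68,00,75,00,74,00,64,00,6f,00,77,00,6e,00,20,00,2d,00,73,00,20,\
  00,2d,00,66,00,20,00,2d,00,74,00,20,00,30,00,00,00

[HKEY_CLASSES_ROOT\inifile\shell\open\command]
@=hex(2):22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

_VALUE_RE = re.compile(r'^(?:(@)|"((?:[^"\\]|\\.)*)")=(.*)$')
POLICY_LOCKDOWNS = {"DisableRegistryTools", "NoFolderOptions", "NoRun"}
EXECUTABLE_CLASSES = {"exefile", "scrfile", "batfile", "comfile", "piffile"}


def decode_value(raw):
    """Convert the right-hand side of a .reg line into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(["\\])', r'\1', raw[1:-1])      # un-escape \" and \\
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', raw)
    if m:
        kind = int(m.group(1) or 3)                          # bare "hex:" is REG_BINARY
        data = bytes.fromhex(m.group(2).replace(",", "").replace(" ", ""))
        if kind in (2, 7):                                   # REG_EXPAND_SZ / REG_MULTI_SZ
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}; "@" is the default value."""
    reg, key, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].rstrip()
        while line.endswith("\\") and i + 1 < len(lines):    # hex data wrapped with '\'
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if key is not None and m:
            name = "@" if m.group(1) else m.group(2)
            reg[key][name] = decode_value(m.group(3).strip())
    return reg


def find_indicators(reg):
    """Return findings for the persistence and lockdown patterns listed above."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        parts = k.split("\\")
        if k.endswith(r"\windows nt\currentversion\winlogon"):
            shell = str(values.get("Shell", "explorer.exe")).strip()
            if shell.lower() != "explorer.exe":
                findings.append(f"Winlogon Shell replaced: {shell}")
            chain = [p for p in str(values.get("Userinit", "")).split(",") if p.strip()]
            if len(chain) > 1:
                findings.append("Winlogon Userinit chains extra programs: " + ", ".join(chain[1:]))
        if parts[-2:] == ["policies", "system"] or parts[-2:] == ["policies", "explorer"]:
            for name in sorted(POLICY_LOCKDOWNS & set(values)):
                if values[name] == 1:
                    findings.append(f"{name} policy enabled under {key}")
        if parts[0] == "hkey_classes_root" and len(parts) >= 2:
            cls = parts[1]
            if cls in EXECUTABLE_CLASSES and "NeverShowExt" in values:
                findings.append(f"NeverShowExt hides the .{cls[:-4]} extension")
            # A shell verb whose command never references %1 does not open the clicked
            # file at all; it runs a fixed program instead.
            if len(parts) == 5 and parts[2] == "shell" and parts[4] == "command":
                cmd = values.get("@", "")
                if isinstance(cmd, str) and "%1" not in cmd:
                    findings.append(f"{cls} verb '{parts[3]}' runs a fixed command: {cmd}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

On the constructed snapshot the script reports five findings and stays silent on the inifile and txtfile handlers, whose commands still pass the clicked file through %1. Feeding it a real export (regedit /e) of the keys above gives the same checks on a live system.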

Process termination:
List of processes that are terminated:
   • avgctrl.exe; kav.exe; avgamsvr.exe; avgserv.exe; avgmsvr.exe;
      avgcc32.exe; avgcc.exe; avginet.exe; avgupsvc.exe; avgemc.exe;
      avgnt.exe; avgregcl.exe; avgserv9.exe; avgw.exe; alogserv.exe;
      avsynmgr.exe; Mpfsheild.exe; MpfAgent.exe; mpf.exe; MpfConsole.exe;
      mcagent.exe; mcappins.exe; McDash.exe; mcdetect.exe; mcinfo.exe;
      mcmnhdlr.exe; mcshield.exe; mctskshd.exe; mcupdate.exe; mcvsescn.exe;
      mcvsshld.exe; avpcc.exe; mcvsftsn.exe; mcvsrte.exe; vstskmgr.exe;
      vsmain.exe; vshwin32.exe; pccpfw.exe; pccclient.exe; pcclient.exe;
      pccguide.exe; pccnt.exe; pccntmon.exe; pccntupd.exe; PcCtlCom.exe;
      pcscan.exe; avpm.exe; kavsvc.exe; AVENGINE.EXE; nisserv.exe;
      NISUM.exe; Navapsvc.exe; NMain.exe; Navapw32.exe; VetMsg.exe;
      VetTray.exe; Vet32.exe; VetNT.exe; vsmon.exe; zlclient.exe; zapro.exe;
      zonealarm.exe; APVXDWIN.EXE; AVLITE.EXE; AVLTMAIN.EXE; AVTASK.EXE;
      LUPGCONF.EXE; PAVSRV51.EXE; PavPrSrv.exe


File details:
Programming language: The malware program was written in Visual Basic.

The description was created by Ernest Szocs on Wednesday, 7 November 2007
The description was modified by Ernest Szocs on Thursday, 8 November 2007
