Du brauchst Hilfe? Frage die Community oder wende dich an einen Experten.
Zu Avira Answers
Date discovered:03/05/2010
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:118.784 Bytes
MD5 checksum:5507d7602b6afb61dbd8787e9a16e80c
IVDF version:

 General Method of propagation:
   • Autorun feature

   •  Sophos: Mal/VBInject-T
   •  Panda: W32/IRCbot.CXC
   •  Eset: Win32/Boberog.AQ
   •  Bitdefender: Trojan.Generic.KD.8011

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Third party control

 Files It copies itself to the following locations:
   • %TEMPDIR%\lssas.exe
   • %drive%\TRASH\DFG-2352-66235-2352322-634621321-6662355\365345.exe

The following files are created:

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%


It tries to executes the following files:

– Filename:
   • netsh firewall add allowedprogram %TEMPDIR%\lssas.exe WindowsSafety ENABLE

– Filename:
   • taskkill /IM winlog.exe

– Filename:
   • taskkill /IM svchost.exe

– Filename:
   • taskkill /IM csrss.exe

– Filename:
   • taskkill /IM lsass.exe

– Filename:
   • "%TEMPDIR%\lssas.exe"

 Registry The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Google Updater"="%TEMPDIR%\lssas.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Google Updater"="%TEMPDIR%\lssas.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   • "MicrosoftCorp"="%TEMPDIR%\lssas.exe"

It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   • "%TEMPDIR%\lssas.exe"="%TEMPDIR%\lssas.exe:*:Enabled:Windows Defense"

 IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: stores.del**********.net
Port: 1234
Channel: #b#
Nickname: {NEW}[USA][XP-SP2]%number%

Server: bb.ceg**********.org
Port: 1234
Channel: #b#
Nickname: {NEW}[USA][XP-SP2]%number%

 File details Programming language:
The malware program was written in Visual Basic.

Die Beschreibung wurde erstellt von Petre Galan am Donnerstag, 24. Juni 2010
Die Beschreibung wurde geändert von Petre Galan am Donnerstag, 24. Juni 2010

zurück . . . .