Du brauchst Hilfe? Frage die Community oder wende dich an einen Experten.
Zu Avira Answers
Virus:TR/Spy.Agent.abd
Date discovered:01/03/2009
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:81.920 Bytes
MD5 checksum:1695b91b4a13345b9f97527d2d7ca370
IVDF version:7.01.02.97 - Sunday, March 1, 2009

 General Methods of propagation:
   • Local network
   • Peer to Peer


Aliases:
   •  Bitdefender: Trojan.Generic.4661937
   •  Panda: W32/P2Pworm.OJ
   •  Eset: Win32/AutoRun.IRCBot.FC


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Third party control
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following locations:
   • %HOME%\Application Data\jusched.exe
   • %TEMPDIR%\windump.exe



It overwrites a file.
%malware execution directory%\%every *.exe file%

With the following contents:
   • %executed file%





It tries to execute the following file:

– Filename:
   • %HOME%\Application Data\jusched.exe

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "SunJavaUpdateSched"="%HOME%\Application Data\jusched.exe"

 P2P In order to infect other systems in the Peer to Peer network community the following action is performed:   It searches for directories that contain one of the following substrings:
   • my music\imesh\; frostwire\saved\; frostwire\shared\; limewire\saved\;
      my music\bearshare\; shareaza downloads\; winmx\shared\; tesla\files\;
      limewire\shared\; morpheus\my shared folder\; emule\incoming\;
      edonkey2000\incoming\; bearshare\shared\; grokster\my grokster\;
      icq\shared folder\; kazaa lite k++\my shared folder\; kazaa lite\my
      shared folder\; kazaa\my shared folder\

   It searches for the following standard shares:
   • E$
   • D$
   • C$
   • ADMIN$

   If successful, the following files are created:
   • RuneScape 2010 - Newest Exploits.exe; Yamicsoft Windows 7 Manager v1 1
      8 x64.exe; Microsoft Windows Home Server 2010 Build 7360.exe; 3delite
      MP3 Stream Editor v3 4 4 1980 WinALL.exe; Error Repair Professional 4
      1 3 AT4RE DM999.exe; cute dogs screensaver.exe; Babylon 8 - Instant
      translation tool.exe; Recover Keys v3 0 3 7-MAZE.exe; Uniture Memory
      Booster v6 1 0 5158-MESMERiZE.exe; redsn0w-win 0 8.exe; WinRAR-3 91
      Full + Keymaker.exe; Sony Vegas Pro 9.0 Full.exe; LimeWire Pro.exe;
      Adobe Photoshop CS4 Extended + Keygen + Activation.exe; Setup OneCare
      for Windows 7.exe; YouTube Downloader all Access.exe; MS Office 2007
      Activation KeyGen.exe;
      LimeWire.Pro.v5.4.6.1.Multilingual.Retail-ZWT.exe; DiceRoller2 0.exe;
      Adobe Dreamweaver CS4 Keygen.exe; Xilisoft 3GP Video Converter v5 1 26
      1231 Key.exe; Xilisoft Apple TV Video Converter v5 1 26 1030 Inc.exe;
      Xilisoft AVI MPEG Converter v5 1 26 1030 Keyg.exe; Xilisoft AVI MPEG
      Joiner v1 0 34 1012 Keygen.exe; Xilisoft Blackberry Ringtone Maker v1
      0 12 1204.exe; Xilisoft Blu Ray Ripper v5 2 4 0108 Keygen.exe;
      Xilisoft Burn Pro v1 0 64 0112 Keygen.exe; Xilisoft CD Ripper v1 0 47
      0904 Keygen.exe; Atomix Virtual DJ v6.0.2 FINAL Professional.exe;
      WinZip PRO v12.1 + Serials.exe; Driver Genius Professional 2009 9.0.0
      Build 186.exe; Microsoft Office 2010 Enterprise Corporate Edition.exe;
      Diskeeper 2010 Pro Premier v14 0 900t Final.exe; Dr Web AntiVirus v5 0
      10 11260 R-EAT.exe; Autorun Virus Remover v2 3 1022-Lz0.exe; CleanMyPC
      Registry Cleaner v4 02-TE.exe; Diskeeper 2010 Pro Premier v14 0
      900.exe; Website X5 Designer v7.7 WYSIWYG Website Creator.exe; Windows
      7 Toolkit v1.8 activations+full suite.exe; Microsoft Office
      Professional Plus x32 x64 2010.exe; Adobe Photoshop CS4 KeyGen.exe;
      ScreenCapture; DesktopCalendar.exe; Web Dumper 3.1.1 Keygen.exe; Adobe
      Photoshop CS3 patch.exe; Loaris Trojan Remover 1.2.0 Patch.exe; Trojan
      Killer 2.0.6.4 Patch.exe; WinRAR 3.92 Final.exe; RAR Password Recovery
      Magic v6 1 1 172-BEAN.exe; Borderlands Proper-Razor1911.exe; Microsoft
      AutoCollage 2008.exe; Microsoft Office Accounting Professional
      2009.exe; Miscrosoft Office Ultimate 2007.exe; facebook for
      dummies.exe; kaspersky license key 2010.exe; office 2007
      activation.exe; paypal hack 2010.exe; Garmin mobile xt keygen.exe;
      Windows 2008 Server KeyGen.exe


 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.


It uses the following login information in order to gain access to the remote machine:

– The following list of passwords:
   • www; start; testing; abcde; 911; 111; 777; apple; apollo13; 123abc;
      abcd; aaa; 2000; 2004; 2005; 2006; system; hacker; boss; intranet;
      hell; sam; siemens; nokia; mysql; oracle; sexy; sex; qwe; qw; pwd;
      test; user; web; winpass; winnt; win95; win98; win2k; win2000;
      pass1234; pass; linux; loginpass; login; server; home; database; data;
      bitch; winxp; internet; ibm; billy; bob; command; access; 1234567890;
      123456789; 12345678; 1234567; 123456; 12345; 1234; 123; 007; awerty;
      qwerty; default; wwwadmin; computer; owner; root; guest;
      amministratore; administrator; admins; admin; andy; nepenthes;
      currentuser


 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: ybtva.vcjubvf.**********.hx
Port: 47221
Channel: #uobg-ohl
Nickname: USA|XP|USER-289AF73617|%number%

 Backdoor Contact server:
The following:
   • 204.60.13**********.18:4444 (TCP)


 Miscellaneous Mutex:
It creates the following Mutex:
   • aNoThErPeZeZeZergqde

 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Die Beschreibung wurde erstellt von Petre Galan am Freitag, 17. Dezember 2010
Die Beschreibung wurde geändert von Petre Galan am Freitag, 17. Dezember 2010

zurück . . . .