Virus:TR/PSW.Zbot.258048.270
Date discovered:14/01/2013
Type:Trojan
Subtype:PSW
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low
Static file:Yes
File size:255344 Bytes
MD5 checksum:fa3bc1fd5c27206c47492c6ca5fcfaf4
VDF version:7.11.57.60 - Monday, January 14, 2013
IVDF version:7.11.57.60 - Monday, January 14, 2013

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Bitdefender: Gen:Variant.Graftor.64261
   •  Eset: Win32/Kryptik.ARZP
   •  DrWeb: Trojan.PWS.Panda.2401


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops a malicious file
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following location:
   • %Appdata%\%six-digit random character string%\%five-digit random character string%.exe



It deletes the initially executed copy of itself.



The following files are created:

– %Appdata%\%five-digit random character string%\%five-digit random character string%.%three-digit random character string%

– %TEMPDIR%\tmp%eight-digit random character string%.bat
   This batch file is executed as soon as it has been fully written.

Registry
The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Adabcovofo"="%Appdata%\%six-digit random character string%\%five-digit random character string%.exe"



The following registry key is added:

– [HKCU\Software\Microsoft\Avgu]


The following registry keys are changed. Values 1406 ("Access data sources across domains") and 1609 ("Display mixed content") are Internet Explorer security-zone settings: 0 enables the action, 1 prompts the user and 3 disables it. Zone 0 is Local Machine, 1 Local intranet, 2 Trusted sites, 3 Internet and 4 Restricted sites, so forcing both values to 0 in every zone silently allows cross-domain data access and mixed content even for untrusted sites:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
   Old value:
   • "1609"=dword:00000001
   New value:
   • "1609"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
   Old value:
   • "1609"=dword:00000001
   • "1406"=dword:00000001
   New value:
   • "1609"=dword:00000000
   • "1406"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
   Old value:
   • "1609"=dword:00000001
   New value:
   • "1609"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
   Old value:
   • "1406"=dword:00000003
   • "1609"=dword:00000001
   New value:
   • "1406"=dword:00000000
   • "1609"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
   Old value:
   • "1406"=dword:00000003
   • "1609"=dword:00000001
   New value:
   • "1406"=dword:00000000
   • "1609"=dword:00000000
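The file and registry indicators above (the %Appdata% drop path, the HKCU Run value, the marker key HKCU\Software\Microsoft\Avgu and the zeroed zone settings 1406/1609) can be checked offline against a registry export collected from a suspect user profile. The following script is an added example written for this page, not Avira's tooling; it assumes the export was produced with `reg export HKCU hkcu.reg` (the .reg text format), and the sample export embedded in it is constructed, with the directory and file names Qwxkpl and Mznve standing in for the random strings. The Run-key pattern follows the six-character directory and five-character file name given in the Run value above; the data file listed under "Files" uses a five-character directory, so a host-side check should also look for that variant.

```python
"""Offline triage of a .reg export for the indicators on this page.

Added example (not Avira's code). Parses the subset of the .reg text format
that `reg export` writes and flags the persistence value, the marker key and
the lowered Internet Explorer zone settings.  All sample data is constructed.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample: a fragment of `reg export HKCU` output. "Adabcovofo" is the
# value name from this page; Qwxkpl/Mznve are illustrative random strings.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Adabcovofo"="C:\\Users\\alice\\AppData\\Roaming\\Qwxkpl\\Mznve.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Avgu]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000000
"1609"=dword:00000000
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1406"=dword:00000003
"1609"=dword:00000001
'''

# "name"=value lines; the name may contain escaped quotes.
REG_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# %Appdata% is ...\AppData\Roaming on Vista and later and ...\Application Data
# on 2000/XP/2003; the page gives a 6-char directory and a 5-char .exe name.
DROP_PATH = re.compile(
    r'\\(?:AppData\\Roaming|Application Data)\\[A-Za-z0-9]{6}\\[A-Za-z0-9]{5}\.exe$',
    re.IGNORECASE,
)
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hkey_current_user\software\microsoft\avgu"
ZONES_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\internet settings\zones"
# IE zone settings this page lists as forced to 0 (= Enable; 1 = Prompt, 3 = Disable).
ZONE_VALUES = {"1406": "Access data sources across domains", "1609": "Display mixed content"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key (lower-cased): {value name: value}} for [key], "name"="string"
    and "name"=dword:XXXXXXXX lines. Other value kinds (hex:, @=) are kept as raw
    text so that nothing is silently dropped."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = REG_LINE.match(line)
        if m is None or current is None:
            continue
        name, value = m.group(1), m.group(2)
        if value.startswith("dword:"):
            keys[current][name] = int(value[6:], 16)
        elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            # Undo the export escaping: \\ -> \ and \" -> "
            keys[current][name] = re.sub(r'\\(["\\])', r'\1', value[1:-1])
        else:
            keys[current][name] = value
    return keys


def scan(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Match the parsed export against the indicators from this page."""
    findings: List[Tuple[str, str]] = []
    for name, value in keys.get(RUN_KEY, {}).items():
        # Strip a quoted-path wrapper so the pattern sees the bare path end.
        if isinstance(value, str) and DROP_PATH.search(value.strip().rstrip('"')):
            findings.append(("run_persistence", f"{name} -> {value}"))
    if MARKER_KEY in keys:
        findings.append(("marker_key", MARKER_KEY))
    for zone in range(5):
        values = keys.get(f"{ZONES_KEY}\\{zone}", {})
        for vname, desc in ZONE_VALUES.items():
            if values.get(vname) == 0:
                findings.append(("zone_lowered", f"Zone {zone}: {vname} ({desc}) = 0 (Enable)"))
    return findings


if __name__ == "__main__":
    # Usage: python triage.py [hkcu.reg]; without an argument the constructed sample is scanned.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for kind, detail in scan(parse_reg_export(text)):
        print(f"{kind:16} {detail}")
```

On the sample the scan reports the Adabcovofo Run value, the Avgu key and the two zeroed values in Zone 3, and ignores Zone 4 (still at the page's "old" values) and value 1400, which this page does not list. A real `reg export` file is UTF-16 encoded, which is why the script opens it that way.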

Injection
Process name:
   • Explorer.exe


Miscellaneous
Trusted file pretending:
Its process pretends to be the following trusted process: NTSD.Exe (the name of Microsoft's NT Symbolic Debugger)
Please note that the malware also fakes the icon, so it appears to be the process mentioned above.

This description was created by Wensin Lee on Wednesday, 16 January 2013
This description was last changed by Wensin Lee on Wednesday, 16 January 2013
