Name: TR/BHO.D.4
Discovered on: 21/09/2006
Type: Trojan
ITW: No
Reported infections: Low
Spreading potential: Low
Damage potential: Low to medium
Static file: Yes
Size: 65,536 bytes
MD5: 9b1006feb6938a6924af7f2c6fcbee1d
VDF version: 6.36.00.45
IVDF version: 6.36.00.56 - Monday, September 25, 2006

 Aliases:
   •  Symantec: Trojan.Nethell
   •  McAfee: Nethell
   •  Kaspersky: Trojan.Win32.BHO.d
   •  Sophos: Troj/Nethell-E
   •  VirusBuster: trojan Trojan.BHO.AJ
   •  Bitdefender: Trojan.Nethell.E


Operating systems:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Blocks access to certain websites
   • Creates a file
   • Modifies the registry
   • Steals information

 Files: The following file is created:

– Harmless file:
   • %SYSDIR%\acss.txt

 Registry: The following keys are added to the system registry (together they register the trojan DLL as an in-process COM server with the ProgID NetHelper.Hook):

– HKCR\NetHelper.Hook.1
   • "(Default)"="Hook Class"

– HKCR\NetHelper.Hook.1\CLSID
   • "(Default)"="{1593C741-C011-46FE-99FC-3805C28328BA}"

– HKCR\NetHelper.Hook
   • "(Default)"="Hook Class"

– HKCR\NetHelper.Hook\CLSID
   • "(Default)"="{1593C741-C011-46FE-99FC-3805C28328BA}"

– HKCR\NetHelper.Hook\CurVer
   • "(Default)"="NetHelper.Hook.1"

– HKCR\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}
   • "(Default)"="Hook Class"

– HKCR\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}\InprocServer32
   • "(Default)"="%executed file%"
   • "ThreadingModel"="Apartment"

– HKCR\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}\ProgID
   • "(Default)"="NetHelper.Hook.1"

– HKCR\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}\TypeLib
   • "(Default)"="{0324D9F1-2199-4424-98C7-A0E8CC45743B}"

– HKCR\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}\VersionIndependentProgID
   • "(Default)"="NetHelper.Hook"

– HKCR\TypeLib\{0324D9F1-2199-4424-98C7-A0E8CC45743B}\1.0
   • "(Default)"="NetHelper 1.0 Type Library"

– HKCR\TypeLib\{0324D9F1-2199-4424-98C7-A0E8CC45743B}\1.0\0\win32
   • "(Default)"="%executed file%"

– HKCR\TypeLib\{0324D9F1-2199-4424-98C7-A0E8CC45743B}\1.0\FLAGS
   • "(Default)"="0"

– HKCR\TypeLib\{0324D9F1-2199-4424-98C7-A0E8CC45743B}\1.0\HELPDIR
   • "(Default)"="%current directory%"

– HKCR\Interface\{54DCBD5A-3FDC-490F-B9AE-5B9DBAA39BEC}
   • "(Default)"="IHook"

– HKCR\Interface\{54DCBD5A-3FDC-490F-B9AE-5B9DBAA39BEC}\ProxyStubClsid
   • "(Default)"="{00020424-0000-0000-C000-000000000046}"

– HKCR\Interface\{54DCBD5A-3FDC-490F-B9AE-5B9DBAA39BEC}\ProxyStubClsid32
   • "(Default)"="{00020424-0000-0000-C000-000000000046}"

– HKCR\Interface\{54DCBD5A-3FDC-490F-B9AE-5B9DBAA39BEC}\TypeLib
   • "(Default)"="{0324D9F1-2199-4424-98C7-A0E8CC45743B}"
   • "Version"="1.0"

– HKCU\Software\Nethelper
   • "LastTime"=%hex values%
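The file and registry indicators above can be checked offline against a regedit export (`reg export HKCR hkcr.reg` / `reg export HKCU hkcu.reg`) taken from a suspect machine. The script below is an added example written for this description, not Avira's tooling: it parses the .reg format, reports which of the published keys are present, pulls the DLL path out of InprocServer32 so the binary can be collected, and compares a file's MD5 with the published hash. The .reg text embedded in it is constructed for the demonstration, and the DLL path in it (C:\WINDOWS\system32\nethelper.dll) is a placeholder standing in for %executed file%, which the description does not name.

```python
"""Offline IOC check for TR/BHO.D.4 (Nethell) against a .reg export.

Added example; the indicator values are the ones published in the
description, the SAMPLE_REG text and the DLL path in it are constructed.
"""
import hashlib
import re

# Indicators from the description.
CLSID = "{1593C741-C011-46FE-99FC-3805C28328BA}"
TYPELIB = "{0324D9F1-2199-4424-98C7-A0E8CC45743B}"
INTERFACE = "{54DCBD5A-3FDC-490F-B9AE-5B9DBAA39BEC}"
PROGIDS = ("NetHelper.Hook", "NetHelper.Hook.1")
SAMPLE_MD5 = "9b1006feb6938a6924af7f2c6fcbee1d"
DROPPED_FILE = "acss.txt"  # created as %SYSDIR%\acss.txt


def _key(*parts: str) -> str:
    """Join registry path components with backslashes."""
    return "\\".join(parts)


# Keys whose presence means the COM server is registered on the host.
REGISTRY_IOCS = {
    _key("HKEY_CLASSES_ROOT", "CLSID", CLSID): "COM class registration",
    _key("HKEY_CLASSES_ROOT", "CLSID", CLSID, "InprocServer32"): "in-process server (DLL path)",
    _key("HKEY_CLASSES_ROOT", "TypeLib", TYPELIB): "type library",
    _key("HKEY_CLASSES_ROOT", "Interface", INTERFACE): "IHook interface",
    _key("HKEY_CURRENT_USER", "Software", "Nethelper"): "per-user marker (LastTime)",
}
for _p in PROGIDS:
    REGISTRY_IOCS[_key("HKEY_CLASSES_ROOT", _p)] = f"ProgID {_p}"

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def _unescape(s: str) -> str:
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Parse regedit export text into {key: {value_name: data}}.

    String data ("x"="y") and the default value (@="y") are unescaped;
    hex:/dword: data is kept as the raw string.  Deletion entries
    ([-KEY]) are not treated specially.
    """
    # hex: data is continued over several lines with a trailing backslash.
    text = re.sub(r"\\\r?\n\s*", "", text)
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group("name"), m.group("data")
            name = "(Default)" if name == "@" else _unescape(name[1:-1])
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def _lookup(reg: dict, key: str):
    """Case-insensitive key lookup, as the registry itself is case-insensitive."""
    wanted = key.lower()
    return next((k for k in reg if k.lower() == wanted), None)


def find_registry_iocs(reg: dict) -> list:
    """Return sorted (key as exported, description) pairs for every IOC present."""
    hits = []
    for ioc, desc in REGISTRY_IOCS.items():
        k = _lookup(reg, ioc)
        if k is not None:
            hits.append((k, desc))
    return sorted(hits)


def inproc_server_path(reg: dict):
    """Path of the registered DLL (the %executed file%), or None."""
    k = _lookup(reg, _key("HKEY_CLASSES_ROOT", "CLSID", CLSID, "InprocServer32"))
    return reg[k].get("(Default)") if k else None


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_known_sample(path) -> bool:
    """True if the file at `path` has the MD5 published for this sample."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == SAMPLE_MD5


# Constructed .reg export for the demonstration (not from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\NetHelper.Hook.1]
@="Hook Class"

[HKEY_CLASSES_ROOT\NetHelper.Hook.1\CLSID]
@="{1593C741-C011-46FE-99FC-3805C28328BA}"

[HKEY_CLASSES_ROOT\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}]
@="Hook Class"

[HKEY_CLASSES_ROOT\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}\InprocServer32]
@="C:\\WINDOWS\\system32\\nethelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Nethelper]
"LastTime"=hex:1a,2b,3c,4d,\
  5e,6f

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}]
@="Unrelated benign class"
"""

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    for key, desc in find_registry_iocs(reg):
        print(f"IOC: {key}  ({desc})")
    print("DLL to collect:", inproc_server_path(reg))
```

On a live host, export HKCR and HKCU with `reg export` and feed the files to `parse_reg_export`; the InprocServer32 path is the DLL to acquire for analysis, and `is_known_sample` tells you whether it is the exact 65,536-byte build described here. A differing hash does not clear the file: the same packer and COM registration can carry a rebuilt DLL with another MD5, so treat the registry keys, not the hash, as the primary indicator.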

 Information theft: It attempts to obtain the following information:
– E-mail account information, read from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– It captures:
    • Internet traffic

 File details: Programming language:
Programming language used: C (compiled with Microsoft Visual C++).


File compression:
To hinder detection and reduce the file size, a runtime packer is used.

Description inserted by Bogdan Iliuta on Wednesday, September 27, 2006
Description updated by Andrei Ivanes on Friday, October 20, 2006
