Name: DR/Agent.24576.D
Discovered on: 14/07/2009
Type: Dropper
In the wild (ITW): Yes
Number of reported infections: Low
Spreading potential: Low
Damage potential: Low
Static file: Yes
Size: 160,768 Bytes
MD5: 816852a7b5f831e6f2c517e4adab4c8b
VDF version: 7.01.04.229

General
Method of propagation:
   • Has no propagation routine of its own


Aliases:
   •  Kaspersky: Trojan.Win32.FraudPack.pnd
   •  Eset: Win32/Agent.PTU


Operating systems:
   • Windows 2000
   • Windows XP

Files
The following file is created:

– %WINDIR%\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job
  The file is a scheduled task that runs the malware at predefined times. Detected as: DR/Agent.24576.D

Registry
One of the following values is added to the registry so that the process starts automatically after a reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Cognac"="%executedir%\%filename%"



The following key and values are added to the system registry:

– [HKCU\Software\Cognac]
   • "s00000002"="xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFFlHTwF6UUl4+Okpef3si9NAD"
   • "s00000000"="tSLPLpWL7R22spR48AI743bz2Kge8sEVwV+urCGnghdg18Eo9NMs8sbCQvO2E1u+0quRUXD4ug6/bjAxfhYCb0UfzdlfROGiR3tfoylOcLHAH7yCiaBvnRZU43lFwg68rbA4VH7otTRUnUsktecNSQn93wDFIJBfAX62KOJrH23WF92s8q2F8M80+JJig46X"
   • "s00000001"="tSbFNJuL/h22spR48AI743bz2Kge8sEVwV+urCH4hQZ8wYY/9Mx6vsrfS7m2BQah1q7ZF2rk+EDaFAUifhYCbyBhsJUQGaLyTGBKui0aPLfAWqyJkrkwxVYJ925YxUWvsalrFSb3uGQ48Cdq7vYOGk77zgOQY8pPDX2obvttCiPXAcCt48LgvoQy5Y8qmoHZVCchY7PquLAM5rjqerKPIIOxpOYv0J3hxhQu1IIs1QfpR9uRcSSKnL0r1Tn+CHuGMGlMcnSb21WbJh41qJTeBa7Cg5sIbXgnyb1RJAxt+XV3hlpm5lLLv2UJvMh3yCDY4DF6+0AmNex2rlpZ7c0Fn3WM9K46VTgGGadaGh1hUMgr"
   • "d00000004"=dword:00015180
   • "d00000005"=dword:00000002
   • "d00000002"=dword:01ca048e
   • "d00000003"=dword:30c2cb60
   • "d00000006"=dword:00000001
   • "d00000000"=dword:01ca03c7
   • "d00000001"=dword:2053ab90

Backdoor
Contacted servers:
The following:
   • http://imagesrepository.com/**************
   • http://delphiner.com/***********

Communication is performed with the HTTP POST method, using a PHP script on the server side.
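As an added example (not part of the Avira description above), the following Python check flags the persistence artefacts this description lists when run over a registry export and a listing of the Tasks directory. The key, value and task names are taken from the description; the sample export, the executable path and the stored data are constructed for the demonstration.

```python
import re

# Indicators copied from the description above; the sample data below is constructed.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
DATA_KEY = r"HKCU\Software\Cognac"
TASK_JOB = "{783AF354-B514-42d6-970E-3E8BF0A5279C}.job"

def parse_reg_export(text):
    """Parse .reg-style text into {key: {value_name: value_data}}.
    HKEY_CURRENT_USER is normalised to the HKCU form used in the description."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].replace("HKEY_CURRENT_USER", "HKCU")
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys

def find_indicators(reg_text, task_files):
    """Return human-readable findings for the Run value, the data key and the .job file."""
    findings = []
    reg = parse_reg_export(reg_text)
    run = reg.get(RUN_KEY, {})
    if "Cognac" in run:
        findings.append(f"Run value 'Cognac' = {run['Cognac']}")
    data = reg.get(DATA_KEY, {})
    stored = [n for n in data if re.fullmatch(r"[sd]0000000\d", n)]
    if stored:
        findings.append(f"{DATA_KEY} holds {len(stored)} s/d values")
    for path in task_files:
        if path.lower().endswith(TASK_JOB.lower()):
            findings.append(f"scheduled task {path}")
    return findings

# Constructed sample input mimicking an affected user profile (not real data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Cognac"="C:\Users\victim\Downloads\setup.exe"

[HKEY_CURRENT_USER\Software\Cognac]
"d00000004"=dword:00015180
"s00000000"="QUJDREVGR0hJSktMTU5PUA=="
'''
SAMPLE_TASKS = [r"C:\Windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job"]

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_REG, SAMPLE_TASKS):
        print(finding)
```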

Description inserted by Mihai Dilimot on Friday, July 17, 2009
Description updated by Mihai Dilimot on Friday, July 17, 2009
