Name: TR/Dldr.Agent.dadr
Discovered on: 27/01/2010
Type: Trojan
Subtype: Downloader
ITW (in the wild): Yes
Number of reported infections: Low to medium
Spread potential: Medium
Damage potential: Medium
Static file: Yes
Size: 143,360 bytes
MD5: c715907b7cf47fbcec0d703f1eaaf57d
IVDF version: 7.10.03.109 - Wednesday, 27 January 2010

 General Spreading methods:
   • Autorun function
   • Local network
   • Messenger


Aliases:
   • Mcafee: W32/Spybot.worm
   • Sophos: Troj/DwnLdr-IAF
   • Panda: Bck/IRCBot.CUM
   • Eset: Win32/AutoRun.IRCBot.DZ
   • Bitdefender: Trojan.Generic.3005912


Operating system:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to certain websites
   • Blocks access to security vendors' websites
   • Downloads a malware file
   • Creates malware files
   • Lowers security settings
   • Registry modifications
   • Possibility of unauthorised access to the computer

 Files Copies itself to the following locations:
   • %SYSDIR%\stacsv.exe
   • %drive%\tmpdata.exe



Deletes the initial copy of the malware.



Deletes the following file:
   • %SYSDIR%\drivers\etc\hosts



The following file is created:

– %drive%\autorun.inf This is a text file, harmless in itself, with the following content:
   • %code that runs the malicious file%




It tries to download some files:

– The address is:
   • http://all.messenger-update.ru/**********


– The address is:
   • http://rix.messenger-update.ru/**********




It tries to execute the following files. The same four-step pattern (net stop / sc stop / sc config start= disabled / sc delete, often wrapped in CMD /C) is applied to each security product's service, in the order observed:

– File names:
   • ipconfig /flushdns
   • sc delete K7RTScan
   • CMD /C sc stop K7TSMngr
   • CMD /C sc config K7TSMngr start= disabled
   • net stop K7TSMngr
   • sc stop K7TSMngr
   • CMD /C sc delete K7TSMngr
   • net1 stop K7TSMngr
   • sc config K7TSMngr start= disabled
   • CMD /C net stop "avast! Antivirus"
   • sc delete K7TSMngr
   • CMD /C net stop K7RTScan
   • CMD /C sc stop "avast! Antivirus"
   • net stop "avast! Antivirus"
   • CMD /C sc config "avast! Antivirus" start= disabled
   • sc stop "avast! Antivirus"
   • CMD /C sc delete "avast! Antivirus"
   • net1 stop "avast! Antivirus"
   • sc config "avast! Antivirus" start= disabled
   • CMD /C net stop SAVService
   • sc delete acssrv
   • CMD /C sc stop SAVService
   • CMD /C sc stop K7RTScan
   • net stop SAVService
   • CMD /C sc config SavService start= disabled
   • sc stop SAVService
   • CMD /C sc delete SAVService
   • net1 stop SAVService
   • sc config SavService start= disabled
   • CMD /C net stop SAVAdminService
   • sc delete SAVService
   • CMD /C sc stop SAVAdminService
   • net stop SAVAdminService
   • CMD /C sc config K7RTScan start= disabled
   • CMD /C sc config SAVAdminService start= disabled
   • CMD /C sc delete SAVAdminService
   • sc stop SAVAdminService
   • net1 stop SAVAdminService
   • sc config SAVAdminService start= disabled
   • CMD /C net stop "Sophos AutoUpdate Service"
   • sc delete SAVAdminService
   • CMD /C sc stop "Sophos AutoUpdate Service"
   • net stop "Sophos AutoUpdate Service"
   • CMD /C sc config "Sophos AutoUpdate Service" start= disabled
   • net stop K7RTScan
   • CMD /C sc delete "Sophos AutoUpdate Service"
   • sc stop "Sophos AutoUpdate Service"
   • net1 stop "Sophos AutoUpdate Service"
   • sc config "Sophos AutoUpdate Service" start= disabled
   • CMD /C net stop "Sophos Client Firewall"
   • sc delete "Sophos AutoUpdate Service"
   • CMD /C sc stop "Sophos Client Firewall"
   • net stop "Sophos Client Firewall"
   • CMD /C sc config "Sophos Client Firewall" start= disabled
   • sc stop "Sophos Client Firewall"
   • sc stop K7RTScan
   • CMD /C sc delete "Sophos Client Firewall"
   • sc config "Sophos Client Firewall" start= disabled
   • net1 stop "Sophos Client Firewall"
   • CMD /C net stop "Sophos Client Firewall Manager"
   • sc delete "Sophos Client Firewall"
   • CMD /C sc stop "Sophos Client Firewall Manager"
   • net stop "Sophos Client Firewall Manager"
   • CMD /C sc config "Sophos Client Firewall Manager" start= disabled
   • sc stop "Sophos Client Firewall Manager"
   • CMD /C sc delete "Sophos Client Firewall Manager"
   • CMD /C sc delete K7RTScan
   • net1 stop "Sophos Client Firewall Manager"
   • sc config "Sophos Client Firewall Manager" start= disabled
   • sc delete "Sophos Client Firewall Manager"
   • sc config K7RTScan start= disabled
   • net1 stop K7RTScan
   • CMD /C net stop K7TSMngr
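The service-tampering sequence above (stop, disable, delete against a fixed set of security services) is a strong detection signal when it is seen from one parent process. The following Python is an added example, not code from the original description or from Avira: it classifies process-creation events and reports a parent that issues several such commands or completes the full stop/disable/delete chain on one service. The event field layout (Time, ParentImage, CommandLine) and the sample events are constructed for this example.

```python
"""Detect the AV-service tampering sequence listed above (net stop / sc stop /
sc config start= disabled / sc delete) in process-creation events. The event
format and the sample events below are constructed for this example."""
import re
from collections import defaultdict

# Service names taken from the command list above; treat this as a watchlist
# and extend it for the products deployed in your environment.
WATCHED_SERVICES = {
    "k7rtscan", "k7tsmngr", "avast! antivirus", "savservice", "savadminservice",
    "sophos autoupdate service", "sophos client firewall",
    "sophos client firewall manager", "acssrv",
}

# One regex covers all four command shapes; the optional "CMD /C" prefix is
# tolerated because the sample spawns both direct and cmd-wrapped variants.
TAMPER_RE = re.compile(
    r'^(?:cmd\s+/c\s+)?'
    r'(?:(?P<net>net1?\s+stop)|sc\s+(?P<sc>stop|delete|config))\s+'
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))'
    r'(?P<disable>\s+start=\s*disabled)?\s*$',
    re.IGNORECASE,
)

def classify(cmdline):
    """Return (action, service) for a service-tampering command line, else None.
    action is one of 'stop', 'disable', 'delete'."""
    m = TAMPER_RE.match(cmdline.strip())
    if not m:
        return None
    service = (m.group("quoted") or m.group("bare")).lower()
    if m.group("net") or m.group("sc") == "stop":
        action = "stop"
    elif m.group("sc") == "delete":
        action = "delete"
    elif m.group("disable"):
        action = "disable"
    else:
        return None  # 'sc config X' without start= disabled is not tampering
    return action, service

EVENT_RE = re.compile(r'^(?P<time>\S+ \S+) ParentImage=(?P<parent>\S+) CommandLine=(?P<cmd>.*)$')

def find_tampering(events, min_actions=3):
    """Group tampering commands by parent process. A parent that issues
    min_actions or more tampering commands against watched services, or that
    runs the full stop -> disable -> delete chain on one service, is reported."""
    per_parent = defaultdict(list)
    for line in events:
        ev = EVENT_RE.match(line)
        if not ev:
            continue
        hit = classify(ev.group("cmd"))
        if hit and hit[1] in WATCHED_SERVICES:
            per_parent[ev.group("parent")].append(hit)
    findings = {}
    for parent, hits in per_parent.items():
        chain = {}
        for action, svc in hits:
            chain.setdefault(svc, set()).add(action)
        full_chain = sorted(s for s, a in chain.items() if a == {"stop", "disable", "delete"})
        if len(hits) >= min_actions or full_chain:
            findings[parent] = {"count": len(hits), "full_chain": full_chain}
    return findings

# Constructed sample: the stacsv.exe parent mirrors the sequence in the text;
# the cmd.exe line is a single administrative 'net stop' that must not be flagged.
SAMPLE_EVENTS = [
    r'2010-01-27 10:02:11 ParentImage=C:\WINDOWS\system32\stacsv.exe CommandLine=ipconfig /flushdns',
    r'2010-01-27 10:02:12 ParentImage=C:\WINDOWS\system32\stacsv.exe CommandLine=CMD /C net stop "avast! Antivirus"',
    r'2010-01-27 10:02:12 ParentImage=C:\WINDOWS\system32\stacsv.exe CommandLine=sc stop "avast! Antivirus"',
    r'2010-01-27 10:02:13 ParentImage=C:\WINDOWS\system32\stacsv.exe CommandLine=CMD /C sc config "avast! Antivirus" start= disabled',
    r'2010-01-27 10:02:13 ParentImage=C:\WINDOWS\system32\stacsv.exe CommandLine=sc delete "avast! Antivirus"',
    r'2010-01-27 10:02:14 ParentImage=C:\WINDOWS\system32\stacsv.exe CommandLine=net1 stop K7RTScan',
    r'2010-01-27 11:30:00 ParentImage=C:\WINDOWS\system32\cmd.exe CommandLine=net stop SAVService',
]

if __name__ == "__main__":
    for parent, info in find_tampering(SAMPLE_EVENTS).items():
        print(f"{parent}: {info['count']} tampering commands, full chain on {info['full_chain']}")
```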

 System registry The following key is added to the registry so that the process runs at system restart:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "ctfmon.exe"="ctfmon.exe"



Creates the following values to bypass the Windows firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\stacsv.exe"="%SYSDIR%\stacsv.exe:*:Enabled:DHCP Router"

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\DomainProfile\AuthorizedApplications\List]
   • "%SYSDIR%\stacsv.exe"="%SYSDIR%\stacsv.exe:*:Enabled:DHCP Router"



The following keys are added to the system registry:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ctfmon.exe]
   • "Debugger"="stacsv.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\
   Layers]
   • "%SYSDIR%\stacsv.exe"="DisableNXShowUI"
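The registry entries above form one persistence chain: the Run value only starts the legitimate ctfmon.exe, the Image File Execution Options "Debugger" value makes Windows launch stacsv.exe in its place, the AppCompatFlags layer opts stacsv.exe out of DEP, and the firewall whitelist lets it talk out. The following Python is an added example (not from the original description or from Avira) that reads a .reg export and reports every IFEO debugger together with the Run, firewall and AppCompat entries that reference the hijacked image or the substituted binary. The .reg text is constructed for this example; the key paths are the ones named above.

```python
"""Audit a .reg export for the persistence chain described above: an Image File
Execution Options 'Debugger' value that substitutes another binary for a
legitimate image, plus the Run, firewall-whitelist and AppCompat entries that
reference that binary. SAMPLE_REG is constructed for this example."""
import re

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<val>(?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg exports double backslashes and escape quotes inside string values
    return s.replace('\\\\', '\\').replace('\\"', '"')

def parse_reg(text):
    """Return {key_path: {value_name: value}} for the REG_SZ values of a .reg export."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            tree[current][_unescape(m.group("name"))] = _unescape(m.group("val"))
    return tree

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
LAYERS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
FW_LISTS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List",
)

def basename(path):
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()

def audit_ifeo_chain(tree):
    """For every IFEO Debugger value, report the hijacked image, the debugger
    binary, and which other persistence-relevant keys reference either one."""
    findings = []
    for key, values in tree.items():
        if not key.lower().startswith(IFEO.lower() + "\\") or "Debugger" not in values:
            continue
        image = key.rsplit("\\", 1)[-1].lower()
        debugger = basename(values["Debugger"].split()[0])
        hit = {"image": image, "debugger": debugger, "run_triggers": [],
               "firewall_whitelist": [], "appcompat_layers": []}
        # A Run entry that launches the hijacked image is what fires the debugger at logon.
        for name, val in tree.get(RUN, {}).items():
            if basename(val.split()[0]) == image:
                hit["run_triggers"].append(name)
        # Firewall whitelist entries are "path:*:Enabled:DisplayName"; record the profile.
        for fw in FW_LISTS:
            for path, val in tree.get(fw, {}).items():
                if basename(path) == debugger and ":Enabled:" in val:
                    hit["firewall_whitelist"].append(fw.split("\\")[-3])
        # AppCompat layers such as DisableNXShowUI switch DEP off for the binary.
        for path, val in tree.get(LAYERS, {}).items():
            if basename(path) == debugger:
                hit["appcompat_layers"].append(val)
        findings.append(hit)
    return findings

# Constructed .reg export reproducing the entries named in the description.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="stacsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\WINDOWS\\system32\\stacsv.exe"="DisableNXShowUI"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\stacsv.exe"="C:\\WINDOWS\\system32\\stacsv.exe:*:Enabled:DHCP Router"
'''

if __name__ == "__main__":
    for f in audit_ifeo_chain(parse_reg(SAMPLE_REG)):
        print(f"{f['image']} is redirected to {f['debugger']}; run triggers {f['run_triggers']}, "
              f"firewall {f['firewall_whitelist']}, layers {f['appcompat_layers']}")
```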

 Messenger Spreads via messenger. Characteristics:

– MSN Messenger
– Yahoo Messenger

The URL points to a copy of the malware described here. If the user downloads and runs this file, the infection process starts again.

 Network To ensure its spread, the malware tries to contact other systems as described below:


Exploit:
Uses the following vulnerabilities:
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnerability in Server Service)


IP address generation:
Creates random IP addresses, keeping the first octet of its own address. It then tries to contact the generated addresses.

 IRC To send information and to be controlled, it connects to the following IRC servers:

Server: srv3.fas**********.info
Port: 6501
Channel: #nase#
Nick: USA|NS4|0|XP|%number%

Server: srv3.man**********.ru
Port: 41350
Channel: #nase#
Nick: USA|NS4|0|XP|%number%

Server: srv3.cor**********.info
Port: 7302
Channel: #nase#
Nick: N|USA|NS4|0|XP|%number%

Server: srv3.mes**********.ru
Port: 31960
Channel: #nase#
Nick: N|USA|NS4|0|XP|%number%

Server: srv3.fas**********.info
Port: 31960
Channel: #nase#
Nick: N|USA|NS4|0|XP|%number%

Server: srv3.spi**********.info
Channel: #nase#
Nick: N|USA|NS4|0|XP|%number%

Server: srv3.tra**********.info
Channel: #nase#
Nick: N|USA|NS4|0|XP|%number%

Server: srv3.tri**********.info
Channel: #nase#
Nick: N|USA|NS4|0|XP|%number%

Server: srv3.pde**********.info
Channel: #nase#
Nick: N|USA|NS4|0|XP|%number%

Server: srv3.fxp**********.info
Channel: #nase#
Nick: N|USA|NS4|0|XP|%number%

 Hosts file The file:

– Access to the following domains is redirected to other destinations:
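The hosts-file change above pins a long list of security-vendor and support-forum names to a single address, which cuts the victim off from updates and help pages. The following Python is an added example (not from the original description or from Avira) that parses a hosts file and flags non-loopback addresses that collect many names or any vendor-related name; SAMPLE_HOSTS and the address 192.0.2.10 are constructed for this example.

```python
"""Flag the hosts-file sinkholing pattern described above: many security-vendor
and support-site names pinned to one address that is not loopback. SAMPLE_HOSTS
and the address 192.0.2.10 are constructed for this example."""
import ipaddress
from collections import defaultdict

# Vendor keywords used as a heuristic; this is not the domain list from the
# description. Extend it for the products you run.
VENDOR_KEYWORDS = ("kaspersky", "symantec", "sophos", "avira", "mcafee", "avast",
                   "eset", "bitdefender", "trendmicro", "microsoft", "malwarebytes")

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: first field is not an address
        for name in parts[1:]:
            yield addr, name.lower()

def find_sinkholes(text, min_names=5):
    """Return {address: {"count": n, "vendor_hits": [...]}} for every
    non-loopback address that collects at least min_names hostnames, or any
    hostname matching a vendor keyword. Loopback entries are the normal
    ad-blocking idiom and are ignored."""
    by_addr = defaultdict(list)
    for addr, name in parse_hosts(text):
        if addr.is_loopback:
            continue
        by_addr[addr].append(name)
    flagged = {}
    for addr, names in by_addr.items():
        vendor_hits = [n for n in names if any(k in n for k in VENDOR_KEYWORDS)]
        if len(names) >= min_names or vendor_hits:
            flagged[str(addr)] = {"count": len(names), "vendor_hits": vendor_hits}
    return flagged

SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1    localhost
127.0.0.1    ads.example.net         # ad-blocking entry: loopback, benign
10.0.0.5     intranet.example.org    # one internal override, benign
192.0.2.10   liveupdate.symantec.com
192.0.2.10   downloads.sophos.com
192.0.2.10   support.kaspersky.com
192.0.2.10   forum.example-help.net
"""

if __name__ == "__main__":
    for addr, info in find_sinkholes(SAMPLE_HOSTS).items():
        print(f"{addr}: {info['count']} names, vendor hits: {info['vendor_hits']}")
```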


 Injection of malware code into other processes – It injects itself as a remote thread into a process.

    Process name:
   • explorer.exe


 File details File compression:
To hinder detection and reduce the file size, a runtime packer is used.

Description inserted by Petre Galan on Wednesday, May 5, 2010
Description updated by Petre Galan on Wednesday, May 5, 2010
