Name:TR/Oficla.W.1
Discovered on:14/07/2010
Type:Trojan
In the wild:Yes
Number of reported infections:Low
Distribution potential:Medium
Damage potential:Medium
Static file:Yes
File size:862528 Bytes
MD5 checksum:41B2DBB997CE5FF443DD5594EB6BCFF2
IVDF version:7.10.09.86 - Wednesday, July 14, 2010

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  F-Secure: Trojan-Downloader:W32/Oficla.GX
   •  Sophos: Mal/FakeAV-BW


Operating systems:
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a file
   • Registry modification
   • Steals information

 Files  It copies itself to the following location (the file has random characters appended to the end and thus differs from the original):
   • %SYSDIR%\svrwsc.exe



The following file is created:

– Harmless file:
   • %WINDIR%\Debug\UserMode\userenv.log

 Registry The following registry keys are added in order to load the service after a system restart:

– [HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc]
   • "Type"=dword:00000010
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"=hex(2):%hex values%
   • "DisplayName"="Windows Security Center Service"
   • "ObjectName"="LocalSystem"
   • "Description"="The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service."

– [HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Security]
   • "Security"=hex:%hex values%



The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Enum]
   • "0"="Root\LEGACY_SVRWSC\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVRWSC]
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVRWSC\0000]
   • "Service"="SvrWsc"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Windows Security Center Service"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVRWSC\0000\Control]
   • "*NewlyCreated*"=dword:00000000

– [HKLM\SOFTWARE\Microsoft\DirectX\MSA]
   • "ver"=hex(b):cd,a2,c7,01,38,6b,01,d1
   • "X1"=hex:%hex values%

– [HKLM\SOFTWARE\Microsoft\DirectX\MSB]
   • "X1"=hex:00,00,00,00

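The registry persistence listed above (the SvrWsc service with the Security Center display name, an ImagePath ending in svrwsc.exe, and the DirectX\MSA and DirectX\MSB marker keys holding an X1 value) is what a responder sweeps a host for. The script below is an added example, not Avira's code: it parses a .reg export of the Services and DirectX hives, decoding the dword, hex, hex(2) and hex(b) value encodings, and reports which of the listed indicators are present. The embedded SAMPLE_EXPORT is constructed for this example and is not a capture from an infected host; its X1 and Security blobs are placeholders because the page only gives "%hex values%", and the exemption for a service named wscsvc rests on the assumption that the genuine Security Center service is registered under that name.

```python
"""Scan a Windows .reg export for the TR/Oficla.W.1 registry indicators (added example)."""
import re

# Indicators taken from the description above; key paths are compared lower-cased.
SUSPECT_SERVICE = "svrwsc"
SUSPECT_DISPLAY_NAME = "Windows Security Center Service"
SUSPECT_IMAGE_BASENAME = "svrwsc.exe"
SUSPECT_MARKER_KEYS = {r"hkey_local_machine\software\microsoft\directx\msa",
                       r"hkey_local_machine\software\microsoft\directx\msb"}
SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"
# Assumption: the genuine Security Center service is registered as wscsvc (exempt below).
LEGIT_SECURITY_CENTER_SERVICE = "wscsvc"

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s):
    return re.sub(r'\\(["\\])', r"\1", s)

def _decode_value(raw):
    """Decode "string", dword:, hex: (bytes), hex(2): (REG_EXPAND_SZ, UTF-16LE)
    and hex(b): (REG_QWORD); unknown types are kept verbatim."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\w)\))?:(.*)$", raw)
    if not m:
        return raw
    kind, body = m.group(1), m.group(2)
    data = bytes(int(h, 16) for h in body.split(",") if h.strip())
    if kind == "2":
        return data.decode("utf-16-le").rstrip("\x00")
    if kind == "b":
        return int.from_bytes(data, "little")
    return data

def parse_reg_export(text):
    """Parse .reg text into {key_path_lowercased: {value_name: decoded_value}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[current][name] = _decode_value(m.group(2))
    return keys

def find_oficla_indicators(reg):
    """Return human-readable findings; an empty list means nothing matched."""
    hits = []
    for key, values in reg.items():
        if key.startswith(SERVICES_PREFIX):
            svc = key[len(SERVICES_PREFIX):]
            if "\\" in svc:
                continue  # \Security, \Enum and other subkeys of a service
            if svc == SUSPECT_SERVICE:
                hits.append(f"service key present: {key}")
            if (values.get("DisplayName") == SUSPECT_DISPLAY_NAME
                    and svc != LEGIT_SECURITY_CENTER_SERVICE):
                hits.append(f"service '{svc}' uses the Security Center display name")
            image = values.get("ImagePath")
            # Basename only: the page gives %SYSDIR%, which expands differently per host.
            if isinstance(image, str) and image.strip('"').rsplit("\\", 1)[-1].lower() == SUSPECT_IMAGE_BASENAME:
                hits.append(f"service '{svc}' ImagePath is {image}")
        elif key in SUSPECT_MARKER_KEYS and "X1" in values:
            hits.append(f"marker key present: {key} (value X1)")
    return hits

# Constructed sample export (not a capture from a real host): a wscsvc entry that must
# not fire, plus the keys from the description; X1 and Security blobs are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"DisplayName"="Security Center"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvrWsc]
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,\
  25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,\
  72,00,77,00,73,00,63,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Windows Security Center Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvrWsc\Security]
"Security"=hex:01,00,04,80

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectX\MSA]
"ver"=hex(b):cd,a2,c7,01,38,6b,01,d1
"X1"=hex:de,ad,be,ef
'''

if __name__ == "__main__":
    print("\n".join(find_oficla_indicators(parse_reg_export(SAMPLE_EXPORT)) or ["no Oficla indicators found"]))
```

On a live host the input would come from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` (and the same for HKLM\SOFTWARE\Microsoft\DirectX); `reg export` writes UTF-16 with a byte-order mark, so read the file with encoding="utf-16" before passing the text to parse_reg_export(). Matching only the basename of ImagePath avoids missing the service when %SYSDIR% expands to a non-default directory, while the exemption for wscsvc keeps the display-name rule from flagging the real Security Center service.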
 Backdoor Contacted servers:

   • m**********ng.ru/music/forum/index1.php

Furthermore, the connection is re-established periodically. This is done via HTTP POST to a PHP script.

Description inserted by Patrick Schoenherr on Wednesday, July 14, 2010
Description updated by Patrick Schoenherr on Wednesday, July 14, 2010
