Nume:TR/Click.awyu.98816
Descoperit pe data de:20/05/2010
Tip:Troian
ITW:Da
Numar infectii raportate:Scazut spre mediu
Potential de raspandire:Mediu
Potential de distrugere:Mediu
Fisier static:Da
Marime:439.808 Bytes
MD5:de8628c816e0fe9bb6037713f65411b5
Versiune IVDF:7.10.07.148 - Thursday, May 20, 2010

 General Metode de raspandire:
   • Email
   • Peer to Peer


Alias:
   •  Sophos: Troj/JSRedir-CC
   •  Bitdefender: Rootkit.36329
   •  Panda: W32/P2PShared.U
   •  Eset: Win32/Merond.O


Sistem de operare:
   • Windows 2000
   • Windows XP
   • Windows 2003


Efecte secundare:
   • Reduce setarile de securitate
   • Descarca fisiere malware
   • Creeaza fisiere malware
   • Modificari in registri

 Fisiere Se copiaza in urmatoarea locatie:
   • %SYSDIR%\AdobeARMI.exe



Sterge urmatorul fisier:
   • %SYSDIR%\adobereader.exe



Sunt create fisierele:

– %PROGRAM FILES%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: JS/Dursg.G

– %PROGRAM FILES%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
– %HOME%\Application Data\SystemProc\lsass.exe Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: TR/Buzus.ecqp

– %SYSDIR%\adobereader.exe Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: TR/Buzus.ecqp

– %PROGRAM FILES%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest



Incearca sa descarce cateva fisiere:

– Adresa este urmatoarea:
   • http://controllqz.com/**********?aid=%sir de caractere%


– Adresa este urmatoarea:
   • http://oxoblaster.com/**********?pop=%numar%&aid&sid&key


– Adresa este urmatoarea:
   • http://tetrosearch.com/**********?aid&ver


– Adresele sunt urmatoarele:
   • http://simfreebox.com/**********?sd=%sir de caractere%&aid=%sir de caractere%
   • http://position7.com/**********?sd=%sir de caractere%&aid=%sir de caractere%
   • http://rtsmor.com/**********?sd=%sir de caractere%&aid=%sir de caractere%
   • http://qulino.com/**********?sd=%sir de caractere%&aid=%sir de caractere%




Incearca sa execute urmatoarele fisiere:

– Numele fisierului:
   • "%SYSDIR%\adobereader.exe"


– Numele fisierului:
   • "%HOME%\Application Data\SystemProc\lsass.exe"

 Registrii sistemului Urmatoarele chei sunt adaugate in registri pentru a rula procesul la repornirea sistemului:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Adobe Reader Updater6"="%SYSDIR%\AdobeARMI.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   Run]
   • "RTHDBPL"="%HOME%\Application Data\SystemProc\lsass.exe"



Valorile urmatoarelor chei sunt sterse din registrii sistemului:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • APVXDWIN
   • AVG8_TRAY
   • AVP
   • BDAgent
   • CAVRID
   • DrWebScheduler
   • F-PROT Antivirus Tray application
   • ISTray
   • K7SystemTray
   • K7TSStart
   • McENUI
   • MskAgentexe
   • OfficeScanNT Monitor
   • RavTask
   • SBAMTray
   • SCANINICIO
   • SpIDerMail
   • Spam Blocker for Outlook Express
   • SpamBlocker
   • Windows Defender
   • avast!
   • cctray
   • egui
   • sbamui

–  [HKCU\Identities]
   • First Start
   • KillSelf
   • Send Inst



Creeaza urmatoarea valoare, pentru a trece de Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\AdobeARMI.exe"="%SYSDIR%\AdobeARMI.exe:*:Enabled:Explorer"



Urmatoarele chei sunt adaugate in registrii sistemului:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   • "EnableLUA"=dword:0x00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
   • "adobe076"="07"
   • "adobe086"="30"

– [HKCU\Identities]
   • "Curr version"="25"
   • "Inst Date"="%data curenta%"
   • "Last Date"="%data curenta%"
   • "Popup count"="0"
   • "Popup date"="0"
   • "Popup time"="0"

 Email Are un motor SMTP integrat. Va fi facuta o conexiune directa cu serverul destinatar. Iata caracteristicile lui:


De la:
Adresa este falsificata.


Catre:
– Adrese de email gasite pe sistem.
– Adrese de email obtinute din WAB (Windows Address Book)


Subiect:
Unul din urmatoarele:
   • Cindy would like to be your friend on hi5!
   • Shipping update for your Amazon.com order
   • Thank you from Google!
   • You have got a new message on Facebook!
   • You have received A Hallmark E-Card!
   • Your friend invited you to Twitter!



Corpul email-ului:
– Contine cod HTML.


Atasament:



Cateva exemple de nume al fisierului atasat:
   • Facebook message.zip
   • Invitation Card.zip
   • Postcard.zip
   • Shipping documents.zip

Atasamentul este o arhiva ce contine chiar o copie malware.

 P2P  Pentru a infecta alte sisteme din retele Peer-to-Peer, efectueaza urmatarele operatii: Cauta urmatoarele directoare:
   • %PROGRAM FILES%\winmx\shared\
   • %PROGRAM FILES%\tesla\files\
   • %PROGRAM FILES%\limewire\shared\
   • %PROGRAM FILES%\morpheus\my shared folder\
   • %PROGRAM FILES%\emule\incoming\
   • %PROGRAM FILES%\edonkey2000\incoming\
   • %PROGRAM FILES%\bearshare\shared\
   • %PROGRAM FILES%\grokster\my grokster\
   • %PROGRAM FILES%\icq\shared folder\
   • %PROGRAM FILES%\kazaa lite k++\my shared folder\
   • %PROGRAM FILES%\kazaa lite\my shared folder\
   • %PROGRAM FILES%\kazaa\my shared folder\

   Daca reuseste, sunt create urmatoarele fisiere:
   • YouTubeGet 5.6.exe; Youtube Music Downloader 1.3.exe; WinRAR v3.x
      keygen [by HiXem].exe; Windows2008 keygen and activator.exe; [+ MrKey
      +] Windows XP PRO Corp SP3 valid-key generator.exe; Windows Password
      Cracker + Elar3 key.exe; [Eni0j0 team] Windows 7 Ultimate keygen.exe;
      Windows 2008 Enterprise Server VMWare Virtual Machine.exe;
      Winamp.Pro.v7.xx.PowerPack.Portable+installer.exe; Website Hacker.exe;
      [Eni0j0 team] Vmvare keygen.exe; VmWare 7.x keygen.exe; UT 2003
      KeyGen.exe; Twitter FriendAdder 2.3.9.exe; Tuneup Ultilities 2010.exe;
      [antihack tool] Trojan Killer v2.9.4173.exe; Total Commander7
      license+keygen.exe; Super Utilities Pro 2009 11.0.exe; Sub7 2.5.1
      Private.exe; Sophos antivirus updater bypass.exe; sdbot with NetBIOS
      Spread.exe; [fixed]RapidShare Killer AIO 2010.exe; Rapidshare Auto
      Downloader 3.8.6.exe; Power ISO v4.4 + keygen milon.exe; [patched,
      serial not needed] PDF Unlocker v2.0.5.exePDF-XChange Pro.exe;
      [patched, serial not needed] PDF to Word Converter 3.4.exe; PDF
      password remover (works with all acrobat reader).exe; Password
      Cracker.exe; Norton Internet Security 2010 crack.exe; Norton
      Anti-Virus 2010 Enterprise Crack.exe; Norton Anti-Virus 2005
      Enterprise Crack.exe; NetBIOS Hacker.exe; NetBIOS Cracker.exe;
      [patched, serial not need] Nero 9.x keygen.exe; Myspace theme
      collection.exe; MSN Password Cracker.exe; Mp3 Splitter and Joiner Pro
      v3.48.exe; Motorola, nokia, ericsson mobil phone tools.exe;
      Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe; Microsoft
      Visual Studio KeyGen.exe; Microsoft Visual C++ KeyGen.exe; Microsoft
      Visual Basic KeyGen.exe; McAfee Total Protection 2010 [serial patch by
      AnalGin].exe; Magic Video Converter 8.exe; LimeWire Pro v4.18.3
      [Cracked by AnalGin].exe; L0pht 4.0 Windows Password Cracker.exe;
      K-Lite Mega Codec v5.2 Portable.exe; K-Lite Mega Codec v5.2.exe;
      Keylogger unique builder.exe; Kaspersky Internet Security 2010
      keygen.exe; Kaspersky AntiVirus 2010 crack.exe; IP Nuker.exe; Internet
      Download Manager V5.exe; Image Size Reducer Pro v1.0.1.exe; ICQ Hacker
      Trial version [brute].exe; Hotmail Hacker [Brute method].exe; Hotmail
      Cracker [Brute method].exe; Half-Life 2 Downloader.exe; Grand Theft
      Auto IV [Offline Activation + mouse patch].exe; Google SketchUp 7.1
      Pro.exe; G-Force Platinum v3.7.6.exe; FTP Cracker.exe; DVD Tools Nero
      10.x.x.x.exe; Download Boost 2.0.exe; Download Accelerator Plus
      v9.2.exe; Divx Pro 7.x version Keymaker.exe; DivX 5.x Pro KeyGen
      generator.exe; DCOM Exploit archive.exe; Daemon Tools Pro 4.8.exe;
      Counter-Strike Serial key generator [Miona patch].exe; CleanMyPC
      Registry Cleaner v6.02.exe; Brutus FTP Cracker.exe; Blaze DVD Player
      Pro v6.52.exe; BitDefender AntiVirus 2010 Keygen.exe; Avast 5.x
      Professional.exe; Avast 4.x Professional.exe; Ashampoo Snap 3.xx
      [Skarleot Group].exe; AOL Password Cracker.exe; AOL Instant Messenger
      (AIM) Hacker.exe; AnyDVD HD v.6.3.1.8 Beta incl crack.exe; Anti-Porn
      v13.x.x.x.exe; Alcohol 120 v1.9.x.exe; Adobe Photoshop CS4 crack by
      M0N5KI Hack Group.exe; Adobe Illustrator CS4 crack.exe; Adobe Acrobat
      Reader keygen.exe; Ad-aware 2010.exe; [patched, serial not needed]
      Absolute Video Converter 6.2-7.exe


 Alte informatii  Cauta o conexiune Internet, contactand urmatorul website:
   • http://whatismyip.com/automation/n09230945.asp

 Tehnologie Rootkit  Ascunde urmatoarele:
– Propriul proces


Metoda folosita:
    • Ascuns de Windows API

 Detaliile fisierului Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit un program de compresie runtime.

Description inserted by Petre Galan on Friday, July 30, 2010
Description updated by Petre Galan on Tuesday, August 3, 2010

Back . . . .