Name: Worm/Pinit.RB
Discovered on: 01/08/2010
Type: Worm
ITW: Yes
Number of reported infections: Low to medium
Spread potential: Low
Damage potential: Low to medium
Static file: Yes
Size: 176,128 bytes
MD5: f4858e44266d0729645240f66cb9e656
VDF version: 7.10.04.83
IVDF version: 7.10.10.26 - Sunday, 1 August 2010

General aliases:
   •  Sophos: Mal/Katusha-A
   •  Bitdefender: Trojan.FakeAlert.CFQ
   •  Panda: W32/Pinit.M.worm
   •  Eset: Win32/Pinit.AF


Operating systems:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Creates malware files
   • Registry modifications

Files
Copies itself to the following location:
   • %SYSDIR%\cooper.mine



Deletes the following files:
   • %SYSDIR%\user32.dll
   • %SYSDIR%\%random character combination%



The following files are created:

%SYSDIR%\dllcache\user32.dll Further analysis revealed that this file is also malware. Detected as: TR/Patched.Gen2

%SYSDIR%\h7t.wt
%SYSDIR%\hgtd.ruy
%SYSDIR%\%random character combination% Further analysis revealed that this file is also malware. Detected as: TR/Patched.Gen2

%SYSDIR%\nmklo.dll Further analysis revealed that this file is also malware. Detected as: Worm/Pinit.MT

%SYSDIR%\ff4h.gy



Tries to execute the following file:

File name:
   • "%SYSDIR%\Wbem\wmic.exe" path win32_terminalservicesetting where (__Class!="") call setallowtsconnections 1

System registry
The following keys are added to the system registry:

[HKLM\SOFTWARE\3]
   • "31897356954C2CD3D41B221E3F24F99BBA"=dword:0x03f940aa
   • "31AC70412E939D72A9234CDEBB1AF5867B"="nqrckqqlqdrqrirprhqoqrqdopoinfnhmjmqrjrjlmmdmqrpmeqhmnng"
   • "31C2E1E4D78E6A11B88DFA803456A1FFA5"=dword:0x00000000

[HKLM\SOFTWARE\1]
   • "31897356954C2CD3D41B221E3F24F99BBA"=dword:0x03f940aa
   • "31AC70412E939D72A9234CDEBB1AF5867B"="efipdhioiijnjpjcjmidigiggmgfgkgkhkhfcojedpemjgfcinfdff"
   • "31C2E1E4D78E6A11B88DFA803456A1FFA5"=dword:0x00000000

[HKLM\SOFTWARE\9]
   • "31897356954C2CD3D41B221E3F24F99BBA"=dword:0x03f940aa
   • "31AC70412E939D72A9234CDEBB1AF5867B"="kgomncpjpnogoconproiodorqjqoqhqfrprgmlmlocrhrlqnogkrpcpipp"
   • "31C2E1E4D78E6A11B88DFA803456A1FFA5"=dword:0x00000000

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion]
   • "MID"="72C556A22C0B4086A2F19C5D1A919D184650EC06AF8B4F20AC8273DBD9A08067"

[HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\
   Licensing Core]
   • "EnableConcurrentSessions"=dword:0x00000001

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   • "Appioot_Dlls"="nmklo"



The following registry key is modified:

[HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server]
   New value:
   • "fDenyTSConnections"=dword:0x00000000
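As an added defender-side example (not Avira's code), the following Python checks a registry export for the remote-access and persistence settings listed above: fDenyTSConnections cleared, EnableConcurrentSessions set, an AppInit-style value in the Windows NT key that loads nmklo, and the numeric HKLM\SOFTWARE\<n> keys. The sample export is constructed; a real .reg export spells out HKEY_LOCAL_MACHINE where this page abbreviates HKLM.

```python
import re

# Constructed sample of a .reg-style export; not captured from a real host.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core]
"EnableConcurrentSessions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="nmklo"

[HKEY_LOCAL_MACHINE\SOFTWARE\3]
"31897356954C2CD3D41B221E3F24F99BBA"=dword:03f940aa
"""

HKLM = r"HKEY_LOCAL_MACHINE"


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from .reg-style text."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                result[current][m.group(1)] = m.group(2)
    return result


def dword(raw):
    """Decode 'dword:...' data (with or without 0x) to int; None if not a DWORD."""
    return int(raw.split(":", 1)[1], 16) if raw.lower().startswith("dword:") else None


def find_pinit_indicators(text):
    """Flag registry state matching the behaviour described for Worm/Pinit.RB."""
    reg = parse_reg_export(text)
    hits = []
    ts = reg.get(HKLM + r"\SYSTEM\CurrentControlSet\Control\Terminal Server", {})
    if dword(ts.get("fDenyTSConnections", "")) == 0:
        hits.append("remote desktop connections enabled (fDenyTSConnections=0)")
    lic = reg.get(HKLM + r"\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core", {})
    if dword(lic.get("EnableConcurrentSessions", "")) == 1:
        hits.append("concurrent terminal sessions enabled")
    win = reg.get(HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", {})
    for name, data in win.items():  # matches AppInit_DLLs and the misspelt variant
        if name.lower().startswith("app") and "nmklo" in data.lower():
            hits.append(f"{name} loads nmklo (AppInit DLL injection)")
    for key in reg:
        if re.fullmatch(HKLM + r"\\SOFTWARE\\\d+", key):
            hits.append(f"suspicious numeric key {key}")
    return hits
```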

Other information
Accesses resources on the internet:
   • http://silajopa.com/tpsa/gate/**********
   • http://perejopa.com/tpsa/gate/**********
   • http://nedojopa.com/tpsa/gate/**********

File details
File compression:
To hinder detection and reduce the file size, a runtime packer is used.

Description inserted by Petre Galan on Tuesday, February 1, 2011
Description updated by Andrei Ivanes on Thursday, February 3, 2011
