Need help? Ask the community or hire an expert.
Go to Avira Answers
Nume:TR/EyeStye.N.208
Descoperit pe data de:21/06/2011
Tip:Troian
ITW:Da
Numar infectii raportate:Scazut spre mediu
Potential de raspandire:Scazut
Potential de distrugere:Scazut spre mediu
Fisier static:Da
Marime:524.288 Bytes
MD5:2ff71e989e3154357a2acf20e73785ae
Versiune VDF:7.11.10.61 - marți, 21 iunie 2011
Versiune IVDF:7.11.10.61 - marți, 21 iunie 2011

 General Alias:
   •  Kaspersky: Trojan-Spy.Win32.SpyEyes.gww
   •  Bitdefender: Trojan.Generic.KD.205834
     GData: Trojan.Generic.KD.205834
     DrWeb: Trojan.PWS.SpySweep.46


Sistem de operare:
   • Windows 2000
   • Windows XP
   • Windows 2003


Efecte secundare:
   • Creeaza fisiere malware
   • Modificari in registri

 Fisiere Se copiaza in urmatoarea locatie:
   • C:\alimento\alimento.exe

 Registrii sistemului Urmatoarea cheie este adaugata in registri pentru a rula procesul la repornirea sistemului:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "alimento.exe"="C:\alimento\alimento.exe"



Se adauga in registrii sistemului:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\0]
   • "1409"=dword:0x00000003



Urmatoarele chei din registri sunt modificate:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\1]
   Noua valoare:
   • "1406"=dword:0x00000000
   • "1409"=dword:0x00000003
   • "1609"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\0]
   Noua valoare:
   • "1406"=dword:0x00000000
   • "1609"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\2]
   Noua valoare:
   • "1406"=dword:0x00000000
   • "1409"=dword:0x00000003
   • "1609"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Lockdown_Zones\4]
   Noua valoare:
   • "1406"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Lockdown_Zones\1]
   Noua valoare:
   • "1406"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Lockdown_Zones\2]
   Noua valoare:
   • "1406"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Lockdown_Zones\3]
   Noua valoare:
   • "1406"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\3]
   Noua valoare:
   • "1406"=dword:0x00000000
   • "1409"=dword:0x00000003
   • "1609"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\4]
   Noua valoare:
   • "1406"=dword:0x00000000
   • "1409"=dword:0x00000003
   • "1609"=dword:0x00000000

 Backdoor Servere contactate:
Urmatorul:
   • cry**********.ru:555 (TCP)


 Injectarea codului malware in alte procese Se injecteaza ca un thread remote intr-un proces.

    Numele procesului:
   • explorer.exe


 Alte informatii  Cauta o conexiune Internet, contactand urmatorul website:
   • http://www.microsoft.com
Acceseaza resurse de pe internet:
   • http://cryingfreemen.ru/mus/**********

 Detaliile fisierului Limbaj de programare:
Limbaj de programare folosit: C (compilat cu Microsoft Visual C++).


Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit un program de compresie runtime.

Description inserted by Petre Galan on Tuesday, July 12, 2011
Description updated by Petre Galan on Tuesday, July 12, 2011

Back . . . .