Name: Worm/Ganelp.abu
Discovered on: 22/09/2011
Type: Worm
ITW: No
Number of reported infections: Medium
Spread potential: Low
Damage potential: Low
Static file: No
VDF version: 7.11.15.08 - Thursday, 22 September 2011
IVDF version: 7.11.15.08 - Thursday, 22 September 2011

General aliases:
   •  TrendMicro: WORM_GANELP.SMIA
   •  Microsoft: Worm:Win32/Ganelp.gen!A
   •  Sunbelt: Worm.Win32.Ganelp.b
   •  Authentium: W32/Agent.KI.gen!Eldorado
   •  DrWeb: Trojan.Proxy.19660
   •  Norman: Worm W32/Ganelp.A


Operating system:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Possibility of unauthorized access to the computer
   • Creates a file
   • Lowers security settings
   • Registry changes

Files
It copies itself to the following location:
   • %PROGRAM FILES%\846c0ca6\jusched.exe



The following file is created:
   • %WINDIR%\Tasks\Update23.job
This file is a scheduled task that runs the malware at predefined times.

Registry
The values of the following keys are deleted from the system registry:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%PROGRAM FILES%\J8"
   • "%PROGRAM FILES%\J9"
   • "%PROGRAM FILES%\J10"
   • "%PROGRAM FILES%\J11"
   • "%PROGRAM FILES%\J12"
   • "%PROGRAM FILES%\J13"
   • "%PROGRAM FILES%\J14"
   • "%PROGRAM FILES%\J15"
   • "%PROGRAM FILES%\J16"
   • "%PROGRAM FILES%\J17"
   • "%PROGRAM FILES%\J18"
   • "%PROGRAM FILES%\J19"
   • "%PROGRAM FILES%\J20"
   • "%PROGRAM FILES%\J21"

–  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%PROGRAM FILES%\J8"
   • "%PROGRAM FILES%\J9"
   • "%PROGRAM FILES%\J10"
   • "%PROGRAM FILES%\J11"
   • "%PROGRAM FILES%\J12"
   • "%PROGRAM FILES%\J13"
   • "%PROGRAM FILES%\J14"
   • "%PROGRAM FILES%\J15"
   • "%PROGRAM FILES%\J16"
   • "%PROGRAM FILES%\J17"
   • "%PROGRAM FILES%\J18"
   • "%PROGRAM FILES%\J19"
   • "%PROGRAM FILES%\J20"
   • "%PROGRAM FILES%\J21"



Creates the following value in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%PROGRAM FILES%\846c0ca6\jusched.exe"="%PROGRAM FILES%\846c0ca6\jusched.exe"



The following registry keys are modified:

Lowers the Internet Explorer security settings:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
   New value:
   • "ProxyByPass"=dword:00000001
   • "IntranetName"=dword:00000001
   • "UNCAsIntranet"=dword:00000001

Backdoor
Contacted servers:
One of:
   • ftp://ftp.byethost12.com
   • ftp://griptoloji.host-ed.net
   • ftp://ftp.tripod.com

In this way information can be transmitted and remote control can be obtained.

Sends information about:
   • Operating system information
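As an added example (not part of the Avira description), a read-only PowerShell check that looks for the host artifacts listed above during triage; the function name and output format are my own, the paths, task name and registry values come from the description, with %PROGRAM FILES% and %WINDIR% expanded from the environment.

```powershell
# Added example, not Avira's code: checks a host for the Worm/Ganelp.abu artifacts
# described on this page. Read-only; it only reports what it finds.
function Test-GanelpArtifacts {
    $findings = @()

    # Dropped copy of the worm, named after the Java update scheduler binary.
    $exe = Join-Path $env:ProgramFiles '846c0ca6\jusched.exe'
    if (Test-Path -LiteralPath $exe) { $findings += "File present: $exe" }

    # Scheduled task used to run the malware at predefined times.
    $job = Join-Path $env:windir 'Tasks\Update23.job'
    if (Test-Path -LiteralPath $job) { $findings += "Scheduled task present: $job" }

    # Windows XP firewall exception registered for the dropped executable.
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    if (Test-Path $fwKey) {
        $fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
        # Value names in this key are the full executable paths.
        if ($fw -and ($fw.PSObject.Properties.Name -contains $exe)) {
            $findings += "Firewall exception for: $exe"
        }
    }

    # Internet Explorer zone mapping weakened: each of these flags set to 1.
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    $zone = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
    foreach ($name in 'ProxyByPass', 'IntranetName', 'UNCAsIntranet') {
        if ($zone -and $zone.$name -eq 1) { $findings += "ZoneMap ${name}=1" }
    }

    return $findings
}

# Print each finding; no output means none of the listed artifacts were found.
Test-GanelpArtifacts
```

The ZoneMap flags can also be set legitimately by administrators, so treat them as corroborating evidence alongside the file and task indicators rather than as proof on their own.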

Description inserted by Andrei Ivanes on Tuesday, January 24, 2012
Description updated by Andrei Ivanes on Tuesday, January 24, 2012
