Full description

Nombre:	BDS/IRCBot.AQ
Descubierto:	30/11/2011
Tipo:	Servidor Backdoor
En circulación (ITW):	No
Número de infecciones comunicadas:	Bajo
Potencial de propagación:	Bajo
Potencial dañino:	Medio
Tamaño:	422912 Bytes
Suma de control MD5:	f4888616ec030455b529304453e190a6
Versión del VDF:	7.11.18.139 - miércoles, 30 de noviembre de 2011
Versión del IVDF:	7.11.18.139 - miércoles, 30 de noviembre de 2011

General Método de propagación:
   • No tiene rutina propia de propagación

Alias:
   • Kaspersky: Trojan-Spy.MSIL.Agent.fof
   • Bitdefender: Trojan.Generic.5717619
   • Microsoft: VirTool:MSIL/Injector.P
   • Grisoft: PSW.Generic8.CBQC
   • Eset: probably a variant of MSIL/Injector.CF trojan
   • GData: Trojan.Generic.5717619
   • Norman: Trojan W32/Suspicious_Gen2.LKWMX

Plataformas / Sistemas operativos:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Efectos secundarios:
   • Se puede utilizar para modificar la configuración del sistema que permite o aumenta el comportamiento del malware potencial.
   • Suelta ficheros
   • Modificaciones en el registro
   • Roba informaciones

Ficheros Se copia a sí mismo en las siguientes ubicaciones:
   • %TEMPDIR%\%12 digit random character string%.exe
   • %APPDATA%\%12 digit random character string%.exe
   • %WINDIR%\install\winup32.exe

Elimina la copia inicial del virus.

Elimina los siguientes ficheros:
   • %TEMPDIR%\%nombre del ordenador%.txt
   • %TEMPDIR%\%nombre del ordenador%7
   • %TEMPDIR%\%nombre del ordenador%8

Crea los siguientes ficheros:

– Fichero no malicioso:
   • %APPDATA%\%nombre del ordenador%log.dat

– %TEMPDIR%\delete.bat Además, el fichero es ejecutado después de haber sido creado. Este fichero batch es empleado para eliminar un fichero.

Registro Añade uno de los siguientes valores a cada clave del registro, para ejecutar los procesos al reiniciar el sistema:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Audio HD Driver"="%TEMPDIR%\\%12 digit random character string%.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Audio HD Driver"="%TEMPDIR%\\%12 digit random character string%.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "HKLM"="c:\windows\\install\\winup32.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "HKCU"="c:\windows\\install\\winup32.exe"

Añade las siguientes claves del registro para ejecutar los servicios al iniciar el sistema:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .aif\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .aifc\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .aiff\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .asf\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .asx\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .au\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .avi\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .bmp\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .css\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .dib\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .doc\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .dvr-ms\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .emf\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .gif\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .htm\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .html\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .htm\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .html\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .ico\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .IVF\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .jfif\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .jpe\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .jpeg\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .jpg\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .m1v\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .m3u\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mid\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .midi\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mp2\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mp2v\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mp3\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mpa\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mpe\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mpeg\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mpg\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mpv2\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .png\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .rmi\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .rtf\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .snd\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .tif\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .tiff\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .txt\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wav\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wax\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wm\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wma\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wmf\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wmv\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wmx\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wpl\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wri\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wvx\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .xml\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .xsl\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .zip\OpenWithProgids]
   • (null)

Añade las siguientes claves al registro:

– [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
   {04P34X25-047M-8IOY-5N0F-0UD5J4UX071D}]
   • "StubPath"="c:\windows\\install\\winup32.exe Restart"

– [HKCU\Software\pwNd b1tch]
   • "FirstExecution"="29/02/2012 -- 10:15"
   • "NewIdentification"="pwNd b1tch"
   • (null)

– [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
   {04P34X25-047M-8IOY-5N0F-0UD5J4UX071D}]
   • "StubPath"="c:\windows\\install\\winup32.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .eml\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mht\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mhtml\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .nws\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .URL\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wdp\OpenWithProgids]
   • (null)

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wmp\OpenWithProgids]
   • (null)

Modifica la siguiente clave del registro:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Valor anterior:
   • "Hidden"=dword:00000001
   Nuevo valor:
   • "Hidden"=dword:00000002

Backdoor (Puerta trasera) Servidor contactado:
El siguiente:
   • **********.zapto.org

Envía informaciones acerca de:
    • Contraseñas guardadas
    • Las informaciones recolectadas, descritas en la sección

Informaciones diversas Controlador de eventos:
Crea los siguientes controladores de eventos:
   • ReadProcessMemory
   • WriteProcessMemory
   • SetWindowsHook
   • CreateRemoteThread
   • CopyFile
   • CreateProcess
   • CreateFile
   • GetWindowsDirectory
   • GetSystemDirectory
   • LsaRetrievePrivateData
   • RasDefaultCredentials
   • LookupAccountName
   • CredEnumerate
   • CryptUnprotectData
   • PStoreCreateInstance

Serie de caracteres:
Además, incluye las siguientes series de caracteres:
   • pstorec.dll
   • WindowsLive:name
   • rasphone.pbk

Description inserted by Wensin Lee on Monday, April 2, 2012
Description updated by Wensin Lee on Monday, April 2, 2012

Back . . . .

Need to fix your PC?

Call Us

+1 800-403-7019

Drop us a line

We'll get back to you lickety-split.

Nice to hear from you!

Thank you for contacting Avira.

Featured products

More products

Most popular

All products

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools

Call Us

+1 800-403-7019

Drop us a line

We'll get back to you lickety-split.

Nice to hear from you!

Thank you for contacting Avira.

Featured products

More products

Most popular

All products

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools