Name: TR/Bagle.FU
Discovered on: 28/03/2006
Type: Trojan
In the wild (ITW): No
Number of reported infections: Low
Distribution potential: Low
Damage potential: Medium
Static file: Yes
File size: 18,436 bytes
MD5: a962a1c4e2808210666f07870Bf3daa7
VDF version: 6.34.00.108

General
Method of propagation:
• Has no propagation routine of its own
Aliases:
• Symantec: W32.Beagle.DZ
• Kaspersky: Trojan-Proxy.Win32.Mitglieder.ea
• TrendMicro: TROJ_MITGLIED.AK
Operating systems:
• Windows 95 • Windows 98 • Windows 98 SE • Windows NT • Windows ME • Windows 2000 • Windows XP • Windows 2003
Side effects:
• Terminates security applications
• Drops a malicious file
• Lowers security settings
• Registry modifications

Files
It copies itself to the following location:
• %APPDATA%\hidires\hidr.exe
It deletes the following files:
• a2guard.exe • aavshield.exe • AckWin32.exe • ADVCHK.EXE • AhnSD.exe • airdefense.exe • ALERTSVC.EXE • ALMon.exe • ALOGSERV.EXE • ALsvc.exe • amon.exe • Anti-Trojan.exe • AntiVirScheduler • AntiVirService • ANTS.EXE • APVXDWIN.EXE • Armor2net.exe • ashAvast.exe • ashDisp.exe • ashEnhcd.exe • ashMaiSv.exe • ashPopWz.exe • ashServ.exe • ashSimpl.exe • ashSkPck.exe • ashWebSv.exe • aswUpdSv.exe • ATCON.EXE • ATUPDATER.EXE • ATWATCH.EXE • AUPDATE.EXE • AUTODOWN.EXE • AUTOTRACE.EXE • AUTOUPDATE.EXE • avciman.exe • Avconsol.exe • AVENGINE.EXE • avgamsvr.exe • avgcc.exe • AVGCC32.EXE • AVGCTRL.EXE • avgemc.exe • avgfwsrv.exe • AVGNT.EXE • avgntdd • avgntmgr • AVGSERV.EXE • AVGUARD.EXE • avgupsvc.exe • avinitnt.exe • AvkServ.exe • AVKService.exe • AVKWCtl.exe • AVP.EXE • AVP32.EXE • avpcc.exe • avpm.exe • AVPUPD.EXE • AVSCHED32.EXE • avsynmgr.exe • AVWUPD32.EXE • AVWUPSRV.EXE • AVXMONITOR9X.EXE • AVXMONITORNT.EXE • AVXQUAR.EXE • BackWeb-4476822.exe • bdmcon.exe • bdnews.exe • bdoesrv.exe • bdss.exe • bdsubmit.exe • bdswitch.exe • blackd.exe • blackice.exe • cafix.exe • ccApp.exe • ccEvtMgr.exe • ccProxy.exe • ccSetMgr.exe • CFIAUDIT.EXE • ClamTray.exe • ClamWin.exe • Claw95.exe • Claw95cf.exe • cleaner.exe • cleaner3.exe • CliSvc.exe • CMGrdian.exe • cpd.exe • DefWatch.exe • DOORS.EXE • DrVirus.exe • drwadins.exe • drweb32w.exe • drwebscd.exe • DRWEBUPW.EXE • ESCANH95.EXE • ESCANHNT.EXE • ewidoctrl.exe • EzAntivirusRegistrationCheck.exe • F-AGNT95.EXE • F-PROT95.EXE • F-Sched.exe • F-StopW.EXE • FAMEH32.EXE • FAST.EXE • FCH32.EXE • FireSvc.exe • FireTray.exe • FIREWALL.EXE • fpavupdm.exe • freshclam.exe • FRW.EXE • fsav32.exe • fsavgui.exe • fsbwsys.exe • fsdfwd.exe • FSGK32.EXE • fsgk32st.exe • fsguiexe.exe • FSM32.EXE • FSMA32.EXE • FSMB32.EXE • fspex.exe • fssm32.exe • gcasDtServ.exe • gcasServ.exe • GIANTAntiSpywareMain.exe • GIANTAntiSpywareUpdater.exe • GUARD.EXE • GUARDGUI.EXE • GuardNT.exe • HRegMon.exe • Hrres.exe • HSockPE.exe • HUpdate.EXE • iamapp.exe • iamserv.exe • ICLOAD95.EXE • ICLOADNT.EXE • ICMON.EXE • ICSSUPPNT.EXE • ICSUPP95.EXE • ICSUPPNT.EXE • IFACE.EXE • INETUPD.EXE • InocIT.exe • InoRpc.exe • InoRT.exe • InoTask.exe • InoUpTNG.exe • IOMON98.EXE • isafe.exe • ISATRAY.EXE • ISRV95.EXE • ISSVC.exe • JEDI.EXE • KAV.exe • kavmm.exe • KAVPF.exe • KavPFW.exe • KAVStart.exe • KAVSvc.exe • KAVSvcUI.EXE • KMailMon.EXE • KPfwSvc.EXE • KWatch.EXE • livesrv.exe • LOCKDOWN2000.EXE • LogWatNT.exe • lpfw.exe • LUALL.EXE • LUCOMSERVER.EXE • Luupdate.exe • MCAGENT.EXE • mcmnhdlr.exe • mcregwiz.exe • Mcshield.exe • MCUPDATE.EXE • mcvsshld.exe • MINILOG.EXE • MONITOR.EXE • MonSysNT.exe • MOOLIVE.EXE • MpEng.exe • mpssvc.exe • MSMPSVC.exe • myAgtSvc.exe • myagttry.exe • navapsvc.exe • NAVAPW32.EXE • NavLu32.exe • NAVW32.EXE • NDD32.EXE • NeoWatchLog.exe • NeoWatchTray.exe • NISSERV • NISUM.EXE • NMAIN.EXE • nod32.exe • nod32krn.exe • nod32kui.exe • NORMIST.EXE • notstart.exe • npavtray.exe • NPFMNTOR.EXE • npfmsg.exe • NPROTECT.EXE • NSCHED32.EXE • NSMdtr.exe • NssServ.exe • NssTray.exe • ntrtscan.exe • NTXconfig.exe • NUPGRADE.EXE • NVC95.EXE • Nvcod.exe • Nvcte.exe • Nvcut.exe • NWService.exe • OfcPfwSvc.exe • OUTPOST.EXE • PAV.EXE • PavFires.exe • PavFnSvr.exe • Pavkre.exe • PavProt.exe • pavProxy.exe • pavprsrv.exe • pavsrv51.exe • PAVSS.EXE • pccguide.exe • PCCIOMON.EXE • pccntmon.exe • PCCPFW.exe • PcCtlCom.exe • PCTAV.exe • PERSFW.EXE • pertsk.exe • PERVAC.EXE • PNMSRV.EXE • POP3TRAP.EXE • POPROXY.EXE • prevsrv.exe • PsImSvc.exe • QHM32.EXE • QHONLINE.EXE • QHONSVC.EXE • QHPF.EXE • qhwscsvc.exe • RavMon.exe • RavTimer.exe • Realmon.exe • REALMON95.EXE • Rescue.exe • rfwmain.exe • Rtvscan.exe • RTVSCN95.EXE • RuLaunch.exe • SAVAdminService.exe • SAVMain.exe • savprogress.exe • SAVScan.exe • SCAN32.EXE • ScanningProcess.exe • sched.exe • sdhelp.exe • SERVIC~1.EXE • SHSTAT.EXE • SiteCli.exe • smc.exe • SNDSrvc.exe • SPBBCSvc.exe • SPHINX.EXE • spiderml.exe • spidernt.exe • Spiderui.exe • SpybotSD.exe • SPYXX.EXE • SS3EDIT.EXE • stopsignav.exe • swAgent.exe • swdoctor.exe • SWNETSUP.EXE • symlcsvc.exe • SymProxySvc.exe • SymSPort.exe • SymWSC.exe • SYNMGR.EXE • TAUMON.EXE • TBMon.exe • TC.EXE • tca.exe • TCM.EXE • TDS-3.EXE • TeaTimer.exe • TFAK.EXE • THAV.EXE • THSM.EXE • Tmas.exe • tmlisten.exe • Tmntsrv.exe • TmPfw.exe • tmproxy.exe • TNBUtil.exe • TRJSCAN.EXE • Up2Date.exe • UPDATE.EXE • UpdaterUI.exe • upgrepl.exe • Vba32ECM.exe • Vba32ifs.exe • vba32ldr.exe • Vba32PP3.exe • VBSNTW.exe • vchk.exe • vcrmon.exe • VetTray.exe • VirusKeeper.exe • VPTRAY.EXE • vrfwsvc.exe • VRMONNT.EXE • vrmonsvc.exe • vrrw32.exe • VSECOMR.EXE • Vshwin32.exe • vsmon.exe • vsserv.exe • VsStat.exe • WATCHDOG.EXE • WebProxy.exe • Webscanx.exe • WEBTRAP.EXE • WGFE95.EXE • Winaw32.exe • winroute.exe • winss.exe • winssnotify.exe • WRADMIN.EXE • WRCTRL.EXE • xcommsvr.exe • zatutor.exe • ZAUINST.EXE • zlclient.exe • zonealarm.exe • _AVP32.EXE • _AVPCC.EXE • _AVPM.EXE
The following file is created:
– %APPDATA%\hidires\m_hook.sys
Further analysis revealed that this file is also malware. Detected as: TR/Proxy.Mitglieder.EA

Registry
The following key is added to the registry so that the process runs again after a system restart:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• drvsyskit = %APPDATA%\hidires\hidr.exe
Because the value lives under HKCU, the autostart is per user and hidr.exe runs with the privileges of the user who executed the dropper.
The following keys are added to the registry so that the service is loaded after a system restart:
– [HKLM\SYSTEM\CurrentControlSet\Services\m_hook]
• Type = dword:00000001
• Start = dword:00000003
• ErrorControl = dword:00000000
• ImagePath = \??\%APPDATA%\hidires\m_hook.sys
• DisplayName = Empty
– [HKLM\SYSTEM\CurrentControlSet\Services\m_hook\Security]
• Security = %hex values%
– [HKLM\SYSTEM\CurrentControlSet\Services\m_hook\Enum]
• 0 = Root\\LEGACY_M_HOOK\\0000
• Count = dword:00000001
• NextInstance = dword:00000001
– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK]
• NextInstance = dword:00000001
– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\0000]
• Service = m_hook
• Legacy = dword:00000001
• ConfigFlags = dword:00000000
• Class = LegacyDriver
• ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
• DeviceDesc = Empty
– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\0000\Control]
• *NewlyCreated* = dword:00000000
• ActiveService = m_hook
Type = 1 is SERVICE_KERNEL_DRIVER and Start = 3 is SERVICE_DEMAND_START, so m_hook.sys is a kernel driver that is not loaded by the boot loader but started on request by hidr.exe once that has run from the Run key. The \??\ prefix in ImagePath is the NT object-manager path form, which is why the driver can be installed from a user-profile directory rather than from %SystemRoot%\system32\drivers. The LEGACY_M_HOOK entries under Enum\Root are created by the service control manager for any driver registered this way and survive a plain deletion of the Services\m_hook key.

Process termination
List of terminated processes:
• a2guard.exe; aavshield.exe; AckWin32.exe; ADVCHK.EXE; AhnSD.exe; airdefense.exe; ALERTSVC.EXE; ALMon.exe; ALOGSERV.EXE; ALsvc.exe; amon.exe; Anti-Trojan.exe; AntiVirScheduler; AntiVirService; ANTS.EXE; APVXDWIN.EXE; Armor2net.exe; ashAvast.exe; ashDisp.exe; ashEnhcd.exe; ashMaiSv.exe; ashPopWz.exe; ashServ.exe; ashSimpl.exe; ashSkPck.exe; ashWebSv.exe; aswUpdSv.exe; ATCON.EXE; ATUPDATER.EXE; ATWATCH.EXE; AUPDATE.EXE; AUTODOWN.EXE; AUTOTRACE.EXE; AUTOUPDATE.EXE; avciman.exe; Avconsol.exe; AVENGINE.EXE; avgamsvr.exe; avgcc.exe; AVGCC32.EXE; AVGCTRL.EXE; avgemc.exe; avgfwsrv.exe; AVGNT.EXE; avgntdd; avgntmgr; AVGSERV.EXE; AVGUARD.EXE; avgupsvc.exe; avinitnt.exe; AvkServ.exe; AVKService.exe; AVKWCtl.exe; AVP.EXE; AVP32.EXE; avpcc.exe; avpm.exe; AVPUPD.EXE; AVSCHED32.EXE; avsynmgr.exe; AVWUPD32.EXE; AVWUPSRV.EXE; AVXMONITOR9X.EXE; AVXMONITORNT.EXE; AVXQUAR.EXE; BackWeb-4476822.exe; bdmcon.exe; bdnews.exe; bdoesrv.exe; bdss.exe; bdsubmit.exe; bdswitch.exe; blackd.exe; blackice.exe; cafix.exe; ccApp.exe; ccEvtMgr.exe; ccProxy.exe; ccSetMgr.exe; CFIAUDIT.EXE; ClamTray.exe; ClamWin.exe; Claw95.exe; Claw95cf.exe; cleaner.exe; cleaner3.exe; CliSvc.exe; CMGrdian.exe; cpd.exe; DefWatch.exe; DOORS.EXE; DrVirus.exe; drwadins.exe; drweb32w.exe; drwebscd.exe; DRWEBUPW.EXE; ESCANH95.EXE; ESCANHNT.EXE; ewidoctrl.exe; EzAntivirusRegistrationCheck.exe; F-AGNT95.EXE; F-PROT95.EXE; F-Sched.exe; F-StopW.EXE; FAMEH32.EXE; FAST.EXE; FCH32.EXE; FireSvc.exe; FireTray.exe; FIREWALL.EXE; fpavupdm.exe; freshclam.exe; FRW.EXE; fsav32.exe; fsavgui.exe; fsbwsys.exe; fsdfwd.exe; FSGK32.EXE; fsgk32st.exe; fsguiexe.exe; FSM32.EXE; FSMA32.EXE; FSMB32.EXE; fspex.exe; fssm32.exe; gcasDtServ.exe; gcasServ.exe; GIANTAntiSpywareMain.exe; GIANTAntiSpywareUpdater.exe; GUARD.EXE; GUARDGUI.EXE; GuardNT.exe; HRegMon.exe; Hrres.exe; HSockPE.exe; HUpdate.EXE; iamapp.exe; iamserv.exe; ICLOAD95.EXE; ICLOADNT.EXE; ICMON.EXE; ICSSUPPNT.EXE; ICSUPP95.EXE; ICSUPPNT.EXE; IFACE.EXE; INETUPD.EXE; InocIT.exe; InoRpc.exe; InoRT.exe; InoTask.exe; InoUpTNG.exe; IOMON98.EXE; isafe.exe; ISATRAY.EXE; ISRV95.EXE; ISSVC.exe; JEDI.EXE; KAV.exe; kavmm.exe; KAVPF.exe; KavPFW.exe; KAVStart.exe; KAVSvc.exe; KAVSvcUI.EXE; KMailMon.EXE; KPfwSvc.EXE; KWatch.EXE; livesrv.exe; LOCKDOWN2000.EXE; LogWatNT.exe; lpfw.exe; LUALL.EXE; LUCOMSERVER.EXE; Luupdate.exe; MCAGENT.EXE; mcmnhdlr.exe; mcregwiz.exe; Mcshield.exe; MCUPDATE.EXE; mcvsshld.exe; MINILOG.EXE; MONITOR.EXE; MonSysNT.exe; MOOLIVE.EXE; MpEng.exe; mpssvc.exe; MSMPSVC.exe; myAgtSvc.exe; myagttry.exe; navapsvc.exe; NAVAPW32.EXE; NavLu32.exe; NAVW32.EXE; NDD32.EXE; NeoWatchLog.exe; NeoWatchTray.exe; NISSERV; NISUM.EXE; NMAIN.EXE; nod32.exe; nod32krn.exe; nod32kui.exe; NORMIST.EXE; notstart.exe; npavtray.exe; NPFMNTOR.EXE; npfmsg.exe; NPROTECT.EXE; NSCHED32.EXE; NSMdtr.exe; NssServ.exe; NssTray.exe; ntrtscan.exe; NTXconfig.exe; NUPGRADE.EXE; NVC95.EXE; Nvcod.exe; Nvcte.exe; Nvcut.exe; NWService.exe; OfcPfwSvc.exe; OUTPOST.EXE; PAV.EXE; PavFires.exe; PavFnSvr.exe; Pavkre.exe; PavProt.exe; pavProxy.exe; pavprsrv.exe; pavsrv51.exe; PAVSS.EXE; pccguide.exe; PCCIOMON.EXE; pccntmon.exe; PCCPFW.exe; PcCtlCom.exe; PCTAV.exe; PERSFW.EXE; pertsk.exe; PERVAC.EXE; PNMSRV.EXE; POP3TRAP.EXE; POPROXY.EXE; prevsrv.exe; PsImSvc.exe; QHM32.EXE; QHONLINE.EXE; QHONSVC.EXE; QHPF.EXE; qhwscsvc.exe; RavMon.exe; RavTimer.exe; Realmon.exe; REALMON95.EXE; Rescue.exe; rfwmain.exe; Rtvscan.exe; RTVSCN95.EXE; RuLaunch.exe; SAVAdminService.exe; SAVMain.exe; savprogress.exe; SAVScan.exe; SCAN32.EXE; ScanningProcess.exe; sched.exe; sdhelp.exe; SERVIC~1.EXE; SHSTAT.EXE; SiteCli.exe; smc.exe; SNDSrvc.exe; SPBBCSvc.exe; SPHINX.EXE; spiderml.exe; spidernt.exe; Spiderui.exe; SpybotSD.exe; SPYXX.EXE; SS3EDIT.EXE; stopsignav.exe; swAgent.exe; swdoctor.exe; SWNETSUP.EXE; symlcsvc.exe; SymProxySvc.exe; SymSPort.exe; SymWSC.exe; SYNMGR.EXE; TAUMON.EXE; TBMon.exe; TC.EXE; tca.exe; TCM.EXE; TDS-3.EXE; TeaTimer.exe; TFAK.EXE; THAV.EXE; THSM.EXE; Tmas.exe; tmlisten.exe; Tmntsrv.exe; TmPfw.exe; tmproxy.exe; TNBUtil.exe; TRJSCAN.EXE; Up2Date.exe; UPDATE.EXE; UpdaterUI.exe; upgrepl.exe; Vba32ECM.exe; Vba32ifs.exe; vba32ldr.exe; Vba32PP3.exe; VBSNTW.exe; vchk.exe; vcrmon.exe; VetTray.exe; VirusKeeper.exe; VPTRAY.EXE; vrfwsvc.exe; VRMONNT.EXE; vrmonsvc.exe; vrrw32.exe; VSECOMR.EXE; Vshwin32.exe; vsmon.exe; vsserv.exe; VsStat.exe; WATCHDOG.EXE; WebProxy.exe; Webscanx.exe; WEBTRAP.EXE; WGFE95.EXE; Winaw32.exe; winroute.exe; winss.exe; winssnotify.exe; WRADMIN.EXE; WRCTRL.EXE; xcommsvr.exe; zatutor.exe; ZAUINST.EXE; zlclient.exe; zonealarm.exe; _AVP32.EXE; _AVPCC.EXE; _AVPM.EXE
List of disabled services:
• Aavmker4; ABVPN2K; ADBLOCK.DLL; ADFirewall; AFWMCL; Ahnlab task Scheduler; alerter; AlertManger; AntiVir Service; AntiyFirewall; ARP.DLL; aswMon2; aswRdr; aswTdi; aswUpdSv; Ati HotKey Poller; avast! Antivirus; avast! Mail Scanner; avast! Web Scanner; AVEService; AVExch32Service; AvFlt; Avg7Alrt; Avg7Core; Avg7RsW; Avg7RsXP; Avg7UpdSvc; AvgCore; AvgFsh; AVGFwSrv; AvgFwSvr; AvgServ; AvgTdi; AVIRAMailService; AVIRAService; avpcc; AVUPDService; AVWUpSrv; AvxIni; awhost32; backweb client - 4476822; BackWeb Client - 7681197; backweb client-4476822; Bdfndisf; bdftdif; bdss; BlackICE; BsFileSpy; BsFirewall; BsMailProxy; CAISafe; ccEvtMgr; ccPwdSvc; ccSetMgr; ccSetMgr.exe; CONTENT.DLL; DefWatch; DNSCACHE.DLL; drwebnet; dvpapi; dvpinit; ewido security suite control; ewido security suite driver; ewido security suite guard; F-Prot Antivirus Update Monitor; F-Secure Gatekeeper Handler Starter; firewall; fsbwsys; FSDFWD; FSFW; FSMA; FTPFILT.DLL; FwcAgent; fwdrv; Guard NT; HSnSFW; HSnSPro; HTMLFILT.DLL; HTTPFILT.DLL; IMAPFILT.DLL; InoRPC; InoRT; InoTask; Ip6Fw; Ip6FwHlp; KAVMonitorService; KAVSvc; KLBLMain; KPfwSvc; KWatch3; KWatchSvc; MAILFILT.DLL; McAfee Firewall; McAfeeFramework; McShield; McTaskManager; mcupdmgr.exe; MCVSRte; Microsoft NetWork FireWall Services; MonSvcNT; MpfService; navapsvc; Ndisuio; NDIS_RD; Network Associates Log Service; nipsvc; NISSERV; NISUM; NNTPFILT.DLL; NOD32ControlCenter; NOD32krn; NOD32Service; Norman NJeeves; Norman Type-R; Norman ZANDA; Norton AntiVirus Server; NPDriver; NPFMntor; NProtectService; NSCTOP; nvcoas; NVCScheduler; nwclntc; nwclntd; nwclnte; nwclntf; nwclntg; nwclnth; NWService; OfcPfwSvc; Outbreak Manager; Outpost Firewall; OutpostFirewall; PASSRV; PAVAGENTE; PavAtScheduler; PAVDRV; PAVFIRES; PAVFNSVR; Pavkre; PavProc; PavProt; PavPrSrv; PavReport; PAVSRV; PCCPFW; PCC_PFW; PersFW; Personal Firewall; POP3FILT.DLL; PREVSRV; PROTECT.DLL; PSIMSVC; qhwscsvc; Quick Heal Online Protection; ravmon8; RfwService; SAVFMSE; SAVScan; SBService; schscnt; SECRET.DLL; SharedAccess; SmcService; SNDSrvc; SPBBCSvc; SpiderNT; SweepNet; SWEEPSRV.SYS; Symantec AntiVirus Client; Symantec Core LC; The_Hacker_Antivirus; Tmntsrv; TmPfw; tmproxy; tmtdi; tm_cfw; T_H_S_M; V3MonNT; V3MonSvc; Vba32ECM; Vba32ifs; Vba32Ldr; Vba32PP3; VBCompManService; VexiraAntivirus; VFILT; VisNetic AntiVirus Plug-in; vrfwsvc; vsmon; VSSERV; WinAntivirus; WinRoute; wuauserv; xcomm
The list is not limited to third-party products: SharedAccess is the Windows Firewall / Internet Connection Sharing service, Ip6Fw is the IPv6 firewall and wuauserv is Automatic Updates, so an infected Windows XP host also loses its built-in firewall and stops receiving patches.

Rootkit technology
This is a technique specific to malware. It hides from system programs, from security applications and ultimately from the user.
It hides the following:
– Its own files
– Its own process
– Its own registry key
– The following files:
• filesnames001.exe • filesnames002.exe • filesnames003.exe • filesnames004.exe • filesnames005.exe • filesnames006.exe
– The following processes:
• filesnamec001.exe • filesnamec002.exe • filesnamec003.exe • filesnamec004.exe • filesnamec005.exe • filesnamec006.exe
– The following registry keys:
• nkeyjej1 • nkeyjej2
– The following registry entries:
• key000s01 • key000s02 • key000s03 • key000s04 • key000s05
Method used:
• Hidden from the Windows API
It hooks the following API functions:
• NtCreateFile/ZwCreateFile
• NtEnumerateKey/ZwEnumerateKey
• NtEnumerateValueKey/ZwEnumerateValueKey
• NtQueryDirectoryFile/ZwQueryDirectoryFile
• NtQueryKey/ZwQueryKey
• NtQuerySystemInformation/ZwQuerySystemInformation
• NtQueryValueKey/ZwQueryValueKey
Because the hooks sit on the native Nt*/Zw* calls that every Win32 API eventually goes through, any user-mode tool on the running system (Task Manager, Explorer, regedit, and the security products listed above) receives the filtered results: directory listings without the hidires folder, process lists without hidr.exe, and registry enumerations without the drvsyskit value and m_hook service. Checking the indicators above therefore needs a view the driver does not mediate, such as scanning the disk offline from clean media, or comparing an API-based listing against an independent one and treating the entries that only the independent listing shows as hidden.

File details
File compression:
To hinder detection and reduce the file size, a runtime packer is used.
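The registry artefacts and the API-hooking behaviour described above can both be checked from exported data rather than on the live, hooked system. The Python below is an added example written for this page, not Avira's detection code: it parses a regedit-style export for the drvsyskit Run value, the m_hook service and the LEGACY_M_HOOK enumeration, and it performs the cross-view comparison that exposes hooking of NtQuerySystemInformation and NtQueryDirectoryFile, reporting names that an independent listing contains but the Windows API view lacks. The .reg text, the user-profile path and the two process snapshots are constructed sample data, not a real capture.

```python
"""Offline triage of the TR/Bagle.FU artefacts listed above.

Added example for this page (not Avira's code). It works on exported text
rather than a live system: a regedit-style .reg export and two process
listings. All sample data below is constructed, not a real capture.
"""
import re

# Indicators taken from the description: autostart value, drop directory,
# kernel-driver service and the legacy device enumeration it leaves behind.
RUN_VALUE = "drvsyskit"
DROP_DIR = "\\hidires\\"                  # holds hidr.exe and m_hook.sys
SERVICE_KEY_SUFFIX = "\\services\\m_hook"
LEGACY_ENUM = "enum\\root\\legacy_m_hook"

# Constructed .reg export in the format regedit /e writes (backslashes doubled).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"drvsyskit"="C:\\Documents and Settings\\user\\Application Data\\hidires\\hidr.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\m_hook]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="\\??\\C:\\Documents and Settings\\user\\Application Data\\hidires\\m_hook.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\0000]
"Service"="m_hook"
"Legacy"=dword:00000001
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|(dword:[0-9A-Fa-f]{8}))$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; doubled backslashes are unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group(2) if m.group(2) is not None else m.group(3)
            keys[current][m.group(1)] = data.replace("\\\\", "\\")
    return keys


def find_bagle_fu(reg):
    """Match the registry artefacts from the description.

    Returns (kind, key, value_name, data) tuples so a report can show
    exactly which entry fired.
    """
    hits = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith("\\currentversion\\run"):
            for name, data in values.items():
                if name.lower() == RUN_VALUE or DROP_DIR in data.lower():
                    hits.append(("run_value", key, name, data))
        elif k.endswith(SERVICE_KEY_SUFFIX):
            hits.append(("service", key, "ImagePath", values.get("ImagePath", "")))
        elif LEGACY_ENUM in k:
            hits.append(("legacy_enum", key, "Service", values.get("Service", "")))
    return hits


def cross_view_diff(api_view, raw_view):
    """Names present in an independent listing but missing from the API listing.

    A driver filtering NtQuerySystemInformation (processes) or
    NtQueryDirectoryFile (files) produces exactly this difference; the same
    comparison works for file and registry listings.
    """
    api = {n.lower() for n in api_view}
    return sorted(n for n in raw_view if n.lower() not in api)


# Constructed snapshots: what the Windows API reports on the infected host
# versus an independent listing of the same system (e.g. from a memory image).
API_PROCESSES = ["System", "csrss.exe", "explorer.exe", "svchost.exe"]
RAW_PROCESSES = ["System", "csrss.exe", "explorer.exe", "svchost.exe", "hidr.exe"]


if __name__ == "__main__":
    for hit in find_bagle_fu(parse_reg_export(SAMPLE_REG)):
        print("registry:", *hit)
    print("hidden processes:", cross_view_diff(API_PROCESSES, RAW_PROCESSES))
```

The export must come from a source the driver does not filter (the hive files copied from the offline disk, or an export taken after booting clean media), otherwise the hooked NtEnumerateKey and NtQueryValueKey calls remove the very entries being searched for. The matching is deliberately loose on the Run key (value name or any path under \hidires\) because the value name is the only constant the description gives and the drop path varies with the user profile.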
Description inserted by Andrei Gherman on Wednesday, 29 March 2006. Description updated by Andrei Gherman on Thursday, 30 March 2006.