Nume:TR/Agent.PK.40
Descoperit pe data de:20/10/2006
Tip:Troian
ITW:Nu
Numar infectii raportate:Scazut
Potential de raspandire:Scazut
Potential de distrugere:Scazut spre mediu
Fisier static:Da
Marime:157.184 Bytes
MD5:45efb0ba59e951c998af6202eebfb385
Versiune VDF:6.36.00.109
Versiune IVDF:6.36.00.125 - miércoles 18 de octubre de 2006

 General Metoda de raspandire:
   • Nu are rutina proprie de raspandire


Alias:
   •  Kaspersky: Trojan.Win32.Agent.pk


Sistem de operare:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Efecte secundare:
   • Blocheaza accesul la website-uri ale firmelor de securitate
   • Modificari in registri
   • Posibilitatea accesului neautorizat la computer

 Registrii sistemului Valoarea urmatoarei chei este stearsa din registri:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "DCOM Server"=-



Urmatoarele chei sunt adaugate in registrii sistemului:

– [HKLM\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2236}\
   InProcServer32]
   • @="%directorul de activare malware%\%fisier executat%"
   • "ThreadingModel"="Apartment"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   SharedTaskScheduler]
   • "{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
   ShellServiceObjectDelayLoad]
   • "DCOM Server 2236"="{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"

 Fisiere host Fisierul

– In acest caz inregistrarile existente raman nemodificate.

– Accesul la urmatoarele domenii este blocat:
   • www.trendmicro.com; rads.mcafee.com; customer.symantec.com;
      liveupdate.symantec.com; us.mcafee.com; updates.symantec.com;
      www.nai.com; secure.nai.com; dispatch.mcafee.com; download.mcafee.com;
      www.my-etrust.com; mast.mcafee.com; ca.com; www.ca.com;
      networkassociates.com; www.networkassociates.com; avp.com;
      www.kaspersky.com; www.avp.com; downloads4.kaspersky-labs.com;
      downloads3.kaspersky-labs.com; downloads2.kaspersky-labs.com;
      downloads1.kaspersky-labs.com; www.f-secure.com; viruslist.com;
      www.viruslist.com; liveupdate.symantecliveupdate.com; www.mcafee.com;
      sophos.com; www.sophos.com; securityresponse.symantec.com;
      www.symantec.com




Fisierul hosts modificat va arata astfel:


 Backdoor Servere contactate:
Urmatorul:
   • 208.66.195.**********:2236



Trimte informatii despre:
    • Statusul actual al malware-ului
    • Informatii despre sistemul de operare

 Alte informatii  Cauta o conexiune Internet, contactand urmatoarele site-uri web:
   • aol.com
   • verizon.net
   • ameritech.net
   • cox.net
   • rr.com
   • adelphia.net
   • comcast.net
   • optonline.net


Mutex:
Creeaza urmatorii mutecsi:
   • hs5p_av_mutex
   • hs5pdllv42236

 Detaliile fisierului Limbaj de programare:
 Limbaj de programare folosit: C (compilat cu Microsoft Visual C++).


Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit urmatorul program de arhivare:
   • UPX

Descripción insertada por Monica Ghitun el lunes 23 de octubre de 2006
Descripción actualizada por Andrei Ivanes el jueves 9 de noviembre de 2006

Volver . . . .