Alias: TrojanSpy.Win32.Agent.bc, Trojan.Tannick, Troj/Bizex-H
Type: Trojan
Size: 15.360 Bytes (EXE), 102.400 By
Origin: unknown
Date: 10-21-2004
Damage: It spies on the user's browsing activity.
VDF Version: 6.28.00.30
Danger: Low
Distribution: Low

General Description
Affected Operating Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003

Technical Details
TR/Spy.Bizex.H is a Trojan that sends information about the websites visited by the user to a certain FTP site.
When the Trojan is activated, it creates a 0-byte file in the Windows System directory. It copies itself to:
%SystemDIR%\X3YY\<%8 random characters%>.exe
and creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVerion\Explorer\Shell Folders\AppData\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"x3yy"="%SystemDIR%\X3YY\<%8 random characters%>.exe"

The Trojan changes the start page of Internet Explorer to "about:blank" and terminates the following processes:
ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2
NVSVC32.EXE
NPROTECT.EXE
SAVSCAN.EXE
ARMOR2NET.EXE
000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
F-STOPW.EXE
FRW.EXE
FP-WIN.EXE
F-PROT95.EXE
F-PROT.EXE
FPROT.EXE
FINDVIRU.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE


The Trojan is able to:
- download files from two different URLs;
- establish a connection to an FTP site and then send the stolen information to it.

TR/Spy.Bizex.H downloads the file %SystemDIR%\unic_32.dll from the Internet. This DLL can store the URLs of the sites visited by the user in a file named _post.log. The Trojan then uploads this file to a certain FTP site.
Description added by Crony Walker on Tuesday, June 15, 2004
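
The persistence and file artifacts described above can be checked for on a host. The following is an added example, not part of the original description or any Avira tool: it parses `reg query` output for the HKCU Run key and flags values matching the "x3yy" name or the X3YY drop path. The sample output, the function names and the flagging of a renamed Run value are assumptions made for illustration.

```python
import re

# Indicators from the description above. SAMPLE_REG_QUERY is constructed.
RUN_VALUE_NAME = "x3yy"
# <system dir>\X3YY\<8 random characters>.exe; Windows paths are case-insensitive
DROP_PATH_RE = re.compile(r"\\X3YY\\[^\\]{8}\.exe$", re.IGNORECASE)
# File and directory names from the page (only unic_32.dll has a stated location)
DROPPED_NAMES = {"unic_32.dll", "_post.log", "x3yy"}

SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    x3yy    REG_SZ    C:\WINDOWS\system32\X3YY\qwertzui.exe
    Updater    REG_SZ    "C:\WINNT\system32\x3yy\ABCDEFGH.EXE"
"""

def parse_reg_query(text):
    """Parse the value lines of `reg query <key>` output into {name: data}."""
    values = {}
    for line in text.splitlines():
        # Value lines are indented; the key path line and blank lines are not.
        m = re.match(r"^\s+(.+?)\s+(REG_\w+)\s+(.*)$", line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values

def find_run_entries(values):
    """Return (name, path, reasons) for Run values matching the description."""
    hits = []
    for name, data in values.items():
        path = data.strip('"')
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("value name")
        # Assumption: also flag the drop path under a different value name.
        if DROP_PATH_RE.search(path):
            reasons.append("drop path")
        if reasons:
            hits.append((name, path, reasons))
    return hits

def find_dropped_names(listing):
    """Return entries of a directory listing that match names from the page."""
    return sorted(n for n in listing if n.lower() in DROPPED_NAMES)

if __name__ == "__main__":
    for hit in find_run_entries(parse_reg_query(SAMPLE_REG_QUERY)):
        print(hit)
```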
