Descripción completa

Nombre:	TR/Buzus.cbhh
Descubierto:	28/09/2009
Tipo:	Troyano
En circulación (ITW):	Sí
Número de infecciones comunicadas:	Medio-bajo
Potencial de propagación:	Medio-bajo
Potencial dañino:	Medio
Fichero estático:	Sí
Tamaño:	79.360 Bytes
Suma de control MD5:	ae682a0040bc668b7c09ede8cc438d1a
Versión del IVDF:	7.01.06.44 - lunes 28 de septiembre de 2009

General Método de propagación:
   • Autorun feature (es)

Alias:
   • Panda: W32/Slenfbot.AH
   • Eset: Win32/AutoRun.Qhost.M
   • Bitdefender: Worm.Generic.90114

Plataformas / Sistemas operativos:
   • Windows 2000
   • Windows XP
   • Windows 2003

Efectos secundarios:
   • Bloquea el acceso a ciertos sitios web
   • Bloquea el acceso a portales de seguridad
   • Suelta ficheros dañinos
   • Reduce las opciones de seguridad
   • Modificaciones en el registro
   • Posibilita el acceso no autorizado al ordenador

Ficheros Se copia a sí mismo en las siguientes ubicaciones:
   • %SYSDIR%\avgvdm.exe
   • \CACHE-49450483\file.sys

Sobrescribe un fichero.
– %SYSDIR%\drivers\etc\hosts

Crea los siguientes ficheros:

– \autorun.inf Este es un fichero de texto que no presenta riesgo alguno e incluye el siguiente contenido:
   •

– \CACHE-49450483\Desktop.ini

Registro Añade uno de los siguientes valores en el registro, para ejecutar los procesos al reiniciar el sistema:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "ctfmon.exe"="ctfmon.exe"

Elimina las siguientes claves del registro, incluyendo todos sus valores y subclaves:
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

Añade las siguientes claves al registro:

– [HKLM\SOFTWARE\Policies\Microsoft\MRT]
   • "DontReportInfectionInformation"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Security Center]
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "AntiVirusOverride"=dword:0x00000001
   • "FirewallDisableNotify"=dword:0x00000001
   • "FirewallOverride"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ctfmon.exe]
   • "Debugger"="avgvdm.exe"

– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   • "DisableConfig"=dword:0x00000001

– [HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
   • "DoNotAllowXPSP2"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\
   Layers]
   • "%SYSDIR%\avgvdm.exe"="DisableNXShowUI"

Modifica las siguientes claves del registro:

– [HKLM\SYSTEM\CurrentControlSet\Services\avg8wd]
   Nuevo valor:
   • "Start"=dword:0x00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
   Nuevo valor:
   • "Start"=dword:0x00000004

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Nuevo valor:
   • "Hidden"=dword:0x00000002

– [HKLM\SYSTEM\CurrentControlSet\Services\avg8emc]
   Nuevo valor:
   • "Start"=dword:0x00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   Nuevo valor:
   • "%SYSDIR%\avgvdm.exe"="%SYSDIR%\avgvdm.exe:*:Enabled:Windows Live"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   Nuevo valor:
   • "CheckedValue"=dword:0x00000001

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Nuevo valor:
   • "restrictanonymous"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Ole]
   Nuevo valor:
   • "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\DomainProfile\AuthorizedApplications\List]
   Nuevo valor:
   • "%SYSDIR%\avgvdm.exe"="%SYSDIR%\avgvdm.exe:*:Enabled:Windows Live"

IRC Para enviar informaciones y para proporcionar control remoto, se conecta a los siguientes servidores IRC:

Servidor: unas.u**********.info
Contraseña del servidor: su1c1d3
Canal: #te3pe3
Apodo: \00\USA\%serie de caracteres aleatorios%

Servidor: p3x-888.u**********.info

Servidor: goauld.u**********.info

Servidor: stargate.f**********.info

Servidor: recoil.f**********.info

Servidor: sector9.f**********.info

Servidor: gateaddr.d**********.info

Servidor: wormhle.d**********.info

Servidor: scattr.d**********.info

Servidor: evthorz.d**********.info

Servidor: scorch.s**********.info

Servidor: zapniki.s**********.info

Servidor: zateck.s**********.info

Servidor: wow.d**********.info

Servidor: com.d**********.info

Servidor: dat.d**********.info

Servidor: sup.d**********.info

Servidor: especial.s**********.info

Servidor: rewrite.s**********.info

Servidor: comp.s**********.info

Servidor: statics.s**********.info

Ficheros host El fichero host es modificado de la siguiente manera:

– En este caso, las entradas existentes serán eliminadas.

– El acceso a los siguientes dominios está bloqueado:
   • 127.0.0.1 msnfix.changelog.fr; 127.0.0.1 www.incodesolutions.com;
      127.0.0.1 virusinfo.prevx.com;
      127.0.0.1 download.bleepingcomputer.com; 127.0.0.1 www.dazhizhu.cn;
      127.0.0.1 foro.noticias3d.com; 127.0.0.1 www.nabble.com;
      127.0.0.1 lurker.clamav.net; 127.0.0.1 lexikon.ikarus.at;
      127.0.0.1 research.sunbelt-software.com; 127.0.0.1 www.virusdoctor.jp;
      127.0.0.1 www.elitepvpers.de; 127.0.0.1 guru.avg.com;
      127.0.0.1 www.superuser.co.kr; 127.0.0.1 ntfaq.co.kr;
      127.0.0.1 v.dreamwiz.com; 127.0.0.1 cit.kookmin.ac.kr;
      127.0.0.1 forums.whatthetech.com; 127.0.0.1 forum.hijackthis.de;
      127.0.0.1 avg.vo.llnwd.net; 127.0.0.1 www.huaifai.go.th;
      127.0.0.1 www.mostz.com; 127.0.0.1 www.krupunmai.com;
      127.0.0.1 www.cddchiangmai.net; 127.0.0.1 forum.malekal.com;
      127.0.0.1 tech.pantip.com; 127.0.0.1 sapcupgrades.com;
      127.0.0.1 www.247fixes.com; 127.0.0.1 forum.sysinternals.com;
      127.0.0.1 forum.telecharger.01net.com; 127.0.0.1 sophos.com;
      127.0.0.1 foros.softonic.com; 127.0.0.1 avast-home.uptodown.com;
      127.0.0.1 dr-web-cureit.softonic.com; 127.0.0.1 www.f-secure.com;
      127.0.0.1 www.chkrootkit.org; 127.0.0.1 diamondcs.com.au;
      127.0.0.1 www.rootkit.nl; 127.0.0.1 www.sysinternals.com;
      127.0.0.1 z-oleg.com; 127.0.0.1 espanol.dir.groups.yahoo.com;
      127.0.0.1 www.castlecrops.com; 127.0.0.1 www.misec.net;
      127.0.0.1 safecomputing.umn.edu; 127.0.0.1 www.antirootkit.com;
      127.0.0.1 www.greatis.com; 127.0.0.1 ar.answers.yahoo.com;
      127.0.0.1 www.elhacker.org; 127.0.0.1 www.rootkit.com;
      127.0.0.1 www.pctools.com; 127.0.0.1 www.pcsupportadvisor.com;
      127.0.0.1 www.resplendence.com; 127.0.0.1 www.personal.psu.edu;
      127.0.0.1 foro.ethek.com; 127.0.0.1 foro.elhacker.net;
      127.0.0.1 vil.nail.com; 127.0.0.1 search.mcafee.com;
      127.0.0.1 wwww.mcafee.com; 127.0.0.1 download.nai.com;
      127.0.0.1 wwww.experts-exchange.com; 127.0.0.1 www.bakunos.com;
      127.0.0.1 www.darkclockers.com; 127.0.0.1 www.Merijn.org;
      127.0.0.1 www.spywareinfo.com; 127.0.0.1 www.spybot.info;
      127.0.0.1 www.viruslist.com; 127.0.0.1 www.hijackthis.de;
      127.0.0.1 www.f-secure.com; 127.0.0.1 forum.kaspersky.com;
      127.0.0.1 majorgeeks.com; 127.0.0.1 www.avp.com;
      127.0.0.1 www.virustotal.com; 127.0.0.1 www.sophos.com;
      127.0.0.1 linhadefensiva.uol.com.br; 127.0.0.1 cmmings.cn;
      127.0.0.1 www.sergiwa.com; 127.0.0.1 www.el-hacker.com;
      127.0.0.1 www.avg-antivirus.net; 127.0.0.1 www.kaspersky-labs.com;
      127.0.0.1 www.kaspersky.com; 127.0.0.1 www.bleepingcomputer.com;
      127.0.0.1 www.free.grisoft.com; 127.0.0.1 alerta-antivirus.inteco.es;
      127.0.0.1 securityresponse.symantec.com;
      127.0.0.1 www.analysis.seclab.tuwien.ac.at;
      127.0.0.1 www.symantec.com; 127.0.0.1 www.kztechs.com;
      127.0.0.1 ad-aware-se.uptodown.com; 127.0.0.1 stdio-labs.blogspot.com;
      127.0.0.1 liveupdate.symantecliveupdate.com;
      127.0.0.1 liveupdate.symantec.com; 127.0.0.1 customer.symantec.com;
      127.0.0.1 update.symantec.com; 127.0.0.1 www.box.net;
      127.0.0.1 foro.el-hacker.com; 127.0.0.1 www.mcafee.com;
      127.0.0.1 www.free.avg.com; 127.0.0.1 download.mcafee.com;
      127.0.0.1 mast.mcafee.com; 127.0.0.1 www.tecno-soft.com;
      127.0.0.1 ladooscuro.es; 127.0.0.1 ftp.drweb.com;
      127.0.0.1 download.microsoft.comguru0.grisoft.cz;
      127.0.0.1 guru1.grisoft.cz; 127.0.0.1 guru2.grisoft.cz;
      127.0.0.1 guru3.grisoft.cz; 127.0.0.1 download.bleepingcomputer.com;
      127.0.0.1 it.answers.yahoo.com; 127.0.0.1 www.softonic.com;
      127.0.0.1 guru4.grisoft.cz; 127.0.0.1 guru5.grisoft.cz;
      127.0.0.1 www.virusspy.com; 127.0.0.1 www.download.f-secure.com;
      127.0.0.1 www.malwareremoval.com; 127.0.0.1 forums.cnet.com;
      127.0.0.1 foros.softonic.com; 127.0.0.1 hjt-data.trend-braintree.com;
      127.0.0.1 www.pantip.com; 127.0.0.1 secubox.aldria.com;
      127.0.0.1 www.forospyware.com; 127.0.0.1 www.manuelruvalcaba.com;
      127.0.0.1 www.zonavirus.com; 127.0.0.1 www.leforo.com;
      127.0.0.1 www.siteadvisor.com; 127.0.0.1 blog.threatfire.com;
      127.0.0.1 www.threatexpert.com; 127.0.0.1 blog.hispasec.com;
      127.0.0.1 www.configurarequipos.com; 127.0.0.1 sosvirus.changelog.fr;
      127.0.0.1 www.psicofxp.com; 127.0.0.1 mailcenter.rising.com.cn;
      127.0.0.1 mailcenter.rising.com; 127.0.0.1 www.rising.com.cn;
      127.0.0.1 www.rising.com; 127.0.0.1 www.babooforum.com.br;
      127.0.0.1 www.runscanner.net; 127.0.0.1 www.blogschapines.com;
      127.0.0.1 sosvirus.changelog.fr; 127.0.0.1 upload.changelog.fr;
      127.0.0.1 www.raymond.cc; 127.0.0.1 changelog.fr;
      127.0.0.1 www.pcentraide.com; 127.0.0.1 atazita.blogspot.com;
      127.0.0.1 www.thinkpad.cn; 127.0.0.1 www.final4ever.com;
      127.0.0.1 files.filefont.com; 127.0.0.1 www.infos-du-net.com;
      127.0.0.1 www.trendsecure.com; 127.0.0.1 forum.hardware.fr;
      127.0.0.1 www.utilidades-utiles.com; 127.0.0.1 blogs.icerocket.com;
      127.0.0.1 www.spychecker.com; 127.0.0.1 www.geekstogo.com;
      127.0.0.1 forums.maddoktor2.com; 127.0.0.1 www.smokey-services.eu;
      127.0.0.1 www.clubic.com; 127.0.0.1 www.linhadefensiva.org;
      127.0.0.1 www.rolandovera.com; 127.0.0.1 download.sysinternals.com;
      127.0.0.1 www.pcguide.com; 127.0.0.1 www.thetechguide.com;
      127.0.0.1 www.ozzu.com; 127.0.0.1 www.changedetection.com;
      127.0.0.1 espanol.groups.yahoo.com; 127.0.0.1 www.sunbeltsecurity.com;
      127.0.0.1 community.thaiware.com; 127.0.0.1 www.avpclub.ddns.info;
      127.0.0.1 www.offensivecomputing.net; 127.0.0.1 www.grisoft.com;
      127.0.0.1 boardreader.com; 127.0.0.1 www.guiadohardware.net;
      127.0.0.1 www.msnvirusremoval.com; 127.0.0.1 www.cisrt.org;
      127.0.0.1 fixmyim.com; 127.0.0.1 samroeng.hi5.com;
      127.0.0.1 foro.elhacker.net; 127.0.0.1 www.daboweb.com;
      127.0.0.1 service1.symantec.com; 127.0.0.1 forums.techguy.org;
      127.0.0.1 www.incodesolutions.com;
      127.0.0.1 hijackthis.download3000.com;
      127.0.0.1 www.cybertechhelp.com; 127.0.0.1 www.superdicas.com.br;
      127.0.0.1 www.51nb.com; 127.0.0.1 downloads.andymanchesta.com;
      127.0.0.1 andymanchesta.com; 127.0.0.1 info.prevx.com;
      127.0.0.1 aknow.prevx.com; 127.0.0.1 www.zonavirus.com;
      127.0.0.1 securitywonks.net; 127.0.0.1 www.yoreparo.com;
      127.0.0.1 www.lavasoft.com; 127.0.0.1 www.virscan.org;
      127.0.0.1 www.eeload.com; 127.0.0.1 down.www.kingsoft.com;
      127.0.0.1 www.file.net; 127.0.0.1 onecare.live.com;
      127.0.0.1 mvps.org; 127.0.0.1 www.laneros.com;
      127.0.0.1 www.housecall.trendmicro.com; 127.0.0.1 www.avast.com;
      127.0.0.1 www.free.avg.com; 127.0.0.1 www.onlinescan.avast.com;
      127.0.0.1 www.ewido.net; 127.0.0.1 www.trucoswindows.net;
      127.0.0.1 www.mozilla-hispano.org;
      127.0.0.1 www.futurenow.bitdefender.com;
      127.0.0.1 www.bitdefender.com; 127.0.0.1 www.f-prot.com;
      127.0.0.1 www.trendsecure.com; 127.0.0.1 security.symantec.com;
      127.0.0.1 oldtimer.geekstogo.com; 127.0.0.1 www.avira.com;
      127.0.0.1 www.eset.com; 127.0.0.1 www.free.avg.com;
      127.0.0.1 www.free-av.com; 127.0.0.1 kr.ahnlab.com;
      127.0.0.1 www.eset.com; 127.0.0.1 forospyware.com;
      127.0.0.1 thejokerx.blogspot.com; 127.0.0.1 www.2-spyware.com;
      127.0.0.1 www.antivir.es; 127.0.0.1 www.prevx.com;
      127.0.0.1 www.ikarus.net; 127.0.0.1 bbs.s-sos.net;
      127.0.0.1 www.housecall.trendmicro.com;
      127.0.0.1 www.superdicas.com.br; 127.0.0.1 www.forums.majorgeeks.com;
      127.0.0.1 www.castlecops.com; 127.0.0.1 www.virusspy.com;
      127.0.0.1 andymanchesta.com; 127.0.0.1 www.kaspersky.es;
      127.0.0.1 subs.geekstogo.com; 127.0.0.1 www.forospanish.com;
      127.0.0.1 www.trendmicro.com; 127.0.0.1 www.fortinet.com;
      127.0.0.1 www.safer-networking.org;
      127.0.0.1 www.fortiguardcenter.com; 127.0.0.1 www.dougknox.com;
      127.0.0.1 www.vsantivirus.com; 127.0.0.1 www.firewallguide.com;
      127.0.0.1 www.auditmypc.com; 127.0.0.1 www.spywaredb.com;
      127.0.0.1 www.mxttchina.com; 127.0.0.1 www.ziggamza.net;
      127.0.0.1 www.forospyware.es; 127.0.0.1 pogonyuto.forospanish.com;
      127.0.0.1 www.antivirus.comodo.com;
      127.0.0.1 www.spywareterminator.com;
      127.0.0.1 www.eradicatespyware.net;
      127.0.0.1 www.freespywareremoval.info;
      127.0.0.1 www.personalfirewall.comodo.com; 127.0.0.1 www.clamav.net;
      127.0.0.1 www.antivirus.about.com; 127.0.0.1 www.pandasecurity.com;
      127.0.0.1 www.webphand.com; 127.0.0.1 mx.answers.yahoo.com;
      127.0.0.1 www.securitywonks.net; 127.0.0.1 www.sandboxie.com;
      127.0.0.1 www.clamwin.com; 127.0.0.1 www.cwsandbox.org;
      127.0.0.1 www.ca.com; 127.0.0.1 www.arswp.com;
      127.0.0.1 es.answers.yahoo.com; 127.0.0.1 www.trucoswindows.es;
      127.0.0.1 www.networkworld.com; 127.0.0.1 www.cddchiangmai.net;
      127.0.0.1 www.threatexpert.com; 127.0.0.1 www.norman.com;
      127.0.0.1 espanol.answers.yahoo.com; 127.0.0.1 www.tallemu.com;
      127.0.0.1 virscan.org; 127.0.0.1 www.viruschief.com;
      127.0.0.1 scanner.virus.org; 127.0.0.1 www.hijackthis.de;
      127.0.0.1 housecall65.trendmicro.com;
      127.0.0.1 www.guiadohardware.net; 127.0.0.1 forums.whatthetech.com;
      127.0.0.1 hjt.networktechs.com; 127.0.0.1 www.techsupportforum.com;
      127.0.0.1 www.whatthetech.com; 127.0.0.1 www.soccersuck.com;
      127.0.0.1 www.pcentraide.com; 127.0.0.1 comunidad.wilkinsonpc.com.co;
      127.0.0.1 forum.piriform.com; 127.0.0.1 www.tweaksforgeeks.com;
      127.0.0.1 www.daniweb.com; 127.0.0.1 www.geekstogo.com;
      127.0.0.1 es.answers.yahoo.com; 127.0.0.1 www.techsupportforum.com;
      127.0.0.1 www.pchell.com; 127.0.0.1 www.spyany.com;
      127.0.0.1 forums.techguy.org; 127.0.0.1 www.experts-exchange.com;
      127.0.0.1 www.wikio.es; 127.0.0.1 www.pandasecurity.com;
      127.0.0.1 forums.devshed.com; 127.0.0.1 forum.tweaks.com;
      127.0.0.1 www.wilderssecurity.com; 127.0.0.1 www.techspot.com;
      127.0.0.1 www.thecomputerpitstop.com; 127.0.0.1 es.wasalive.com;
      127.0.0.1 secunia.com; 127.0.0.1 es.kioskea.net;
      127.0.0.1 www.taringa.net; 127.0.0.1 www.cyberdefender.com;
      127.0.0.1 www.feedage.com; 127.0.0.1 new.taringa.net;
      127.0.0.1 forum.zazana.com; 127.0.0.1 forum.clubedohardware.com.br;
      127.0.0.1 www.computing.net; 127.0.0.1 discussions.virtualdr.com;
      127.0.0.1 forum.securitycadets.com; 127.0.0.1 www.techimo.com;
      127.0.0.1 13iii.com; 127.0.0.1 www.dicasweb.com.br;
      127.0.0.1 www.infosecpodcast.com; 127.0.0.1 www.usbcleaner.cn;
      127.0.0.1 www.net-security.org; 127.0.0.1 www.bleedingthreats.net;
      127.0.0.1 acs.pandasoftware.com; 127.0.0.1 www.funkytoad.com;
      127.0.0.1 www.360safe.cn; 127.0.0.1 www.360safe.com;
      127.0.0.1 bbs.360safe.cn; 127.0.0.1 bbs.360safe.com;
      127.0.0.1 codehard.wordpress.com;
      127.0.0.1 forum.clubedohardware.com.br; 127.0.0.1 www.360.cn;
      127.0.0.1 www.360.com; 127.0.0.1 bbs.360safe.cn;
      127.0.0.1 bbs.360safe.com; 127.0.0.1 www.forospyware.es;
      127.0.0.1 p3dev.taringa.net; 127.0.0.1 www.precisesecurity.com;
      127.0.0.1 baike.360.cn; 127.0.0.1 baike.360.com;
      127.0.0.1 kaba.360.cn; 127.0.0.1 kaba.360.com;
      127.0.0.1 deckard.geekstogo.com; 127.0.0.1 www.taringa.net;
      127.0.0.1 forums.comodo.com; 127.0.0.1 www.mvps.org;
      127.0.0.1 down.360safe.cn; 127.0.0.1 down.360safe.com;
      127.0.0.1 x.360safe.com; 127.0.0.1 dl.360safe.com;
      127.0.0.1 ftp.drweb.com; 127.0.0.1 www.hotshare.net;
      127.0.0.1 es.wasalive.com; 127.0.0.1 free.antivirus.com;
      127.0.0.1 updatem.360safe.com; 127.0.0.1 updatem.360safe.cn;
      127.0.0.1 update.360safe.cn; 127.0.0.1 update.360safe.com;
      127.0.0.1 www.utilidades-utiles.com; 127.0.0.1 forum.kaspersky.com;
      127.0.0.1 bbs.duba.net; 127.0.0.1 www.duba.net;
      127.0.0.1 zhidao.baidu.com; 127.0.0.1 hi.baidu.com;
      127.0.0.1 www.drweb.com.es; 127.0.0.1 msncleaner.softonic.com;
      127.0.0.1 www.javacoolsoftware.com; 127.0.0.1 file.ikaka.com;
      127.0.0.1 file.ikaka.cn; 127.0.0.1 bbs.ikaka.com;
      127.0.0.1 zhidao.ikaka.com; 127.0.0.1 www.eset-la.com;
      127.0.0.1 www.eset-la.com; 127.0.0.1 software-files.download.com;
      127.0.0.1 www.ikaka.com; 127.0.0.1 www.ikaka.cn;
      127.0.0.1 bbs.cfan.com.cn; 127.0.0.1 www.cfan.com.cn;
      127.0.0.1 www.pandasecurity.com; 127.0.0.1 es.mcafee.com;
      127.0.0.1 downloads.malwarebytes.org; 127.0.0.1 bbs.kafan.cn;
      127.0.0.1 bbs.kafan.com; 127.0.0.1 bbs.kpfans.com;
      127.0.0.1 bbs.taisha.org; 127.0.0.1 www.manuelruvalcaba.com;
      127.0.0.1 support.f-secure.com; 127.0.0.1 bbs.winzheng.com;
      127.0.0.1 alerta-antivirus.inteco.es; 127.0.0.1 foros.zonavirus.com;
      127.0.0.1 alerta-antivirus.red.es; 127.0.0.1 www.zonavirus.com;
      127.0.0.1 www.malwarebytes.org; 127.0.0.1 www.commentcamarche.net;
      127.0.0.1 www.ewido.net; 127.0.0.1 www.infospyware.com;
      127.0.0.1 www.bitdefender.es; 127.0.0.1 housecall.trendmicro.com;
      127.0.0.1 foros.toxico-pc.com; 127.0.0.1 www.emsisoft.de;
      127.0.0.1 www.securitynewsportal.com

Finalización de los procesos Listado de los procesos finalizados:
   • VIPRE.EXE; ISSDM_EN_32.EXE; P08PROMO.EXE; K7TS_SETUP.EXE;
      AVINSTALL.EXE; WITSETUP.EXE; TrendMicro_TISPro_16.1_1063_x32.EXE;
      VBA32-PERSONAL-LATEST-ENGLISH.EXE; FSMB32.EXE; FSGK32.EXE; FSAV95.EXE;
      FSAV530WTBYB.EXE; FSAV530STBYB.EXE; FSAV32.EXE; FSAV.EXE; FSAA.EXE;
      FPROT.EXE; FP-WIN.EXE; FNRB32.EXE; FIH32.EXE; FCH32.EXE; FAST.EXE;
      FAMEH32.EXE; F-STOPW.EXE; F-PROT95.EXE; F-PROT.EXE; AFMAIN.EXE;
      SPIDERUI.EXE; SPIDERNT.EXE; ALERTMAN.EXE; RAVMOND.EXE; MAKEREPORT.EXE;
      BOXMOD.EXE; 360SAFE.EXE; 360RPT.EXE; 360HOTFIX.EXE; 360TRAY.EXE;
      NSVMON.NPC; NSAVSVC.NPC; NPCGREENAGENT.NPC; PUSCAN.EXE;
      AYSERVICENT.AYE; AYAGENT.AYE; CMDAGENT.EXE; CPF.EXE; VSMON.EXE;
      ZLCLIENT.EXE; NSUTILITY.EXE; NSPUPDT.EXE; NAVQSCAN.EXE; NSPMAIN.EXE;
      NSPUPSVC.EXE; NSPSVC.EXE; MKSADMINCONSOLE.EXE; MKSUPDATE.EXE;
      MKSPC.EXE; MKSFWALL.EXE; MKSVIRMONSVC.EXE; MKS_SCAN.EXE; MKS_MAIL.EXE;
      MKSREGMON.EXE; KAVPFW.EXE; KASMAIN.EXE; KAV32.EXE; KPFWSVC.EXE;
      KISSVC.EXE; KWATCH.EXE; KPFW32.EXE; KAVSTART.EXE; KVSRVXP.EXE;
      KVOL.EXE; KVXP.KXP; KVMONXP.KXP; CAVASM.EXE; CMAIN.EXE;
      ARCABIT.CORE.LOGGINGSERVICE.EXE; ARCABIT.CORE.CONFIGURATOR2.EXE;
      TASKSCHEDULER.EXE; UPDATE.EXE; NETMONSV.EXE; FILEMONSV.EXE;
      ABREGMON.EXE.EXE; ARCACHECK.EXE; ARCAVIR.EXE; AVMENU.EXE;
      A2HIJACKFREE.EXE; A2SERVICE.EXE; A2START.EXE; A2SCAN.EXE; A2GUARD.EXE;
      VRFWSVC.EXE; HFACSVC.EXE; VRMONSVC.EXE; HPCSVC.EXE; HSVCMOD.EXE;
      VRMONNT.EXE; VBA32ADS.EXE; VBA32LDR.EXE; FILELOCKSETUP.EXE;
      TSCFCOMMANDER.EXE; TMPROXY.EXE; TMPFW.EXE; TMBMSRV.EXE; UFNAVI.EXE;
      UFSEAGNT.EXE; MKSTRAY.EXE; TISSPWIZ.EXE; SFCTLCOM.EXE; TNBUTIL.EXE;
      DEFWATCH.EXE; RTVSCAN.EXE; SBAMSVC.EXE; SBAMUI.EXE; SBAMTRAY.EXE;
      SAVADMINSERVICE.EXE; SAVSERVICE.EXE; SCFSERVICE.EXE; SCFMANAGER.EXE;
      RAVTASK.EXE; CCENTER.EXE; ULIBCFG.EXE; RAVLITE.EXE;
      PCTAV.EXEPCTAVSVC.EXEPXCONSOLE.EXEPXAGENT.EXERAV.EXE; PCTSAUXS.EXE;
      PCTSTRAY.EXE; PCTSSVC.EXE; PCTSGUI.EXE; AVGAS.EXE; PAVBCKPT.EXE;
      WEBPROXY.EXE; PAVSRV51.EXESRVLOAD.EXE; PSIMSVC.EXE; PSHOST.EXE;
      AVENGINE.EXE; PSKMSSVC.EXE; PAVPRSRV.EXE; PAVFNSVR.EXE; PSCTRLS.EXE;
      TPSRV.EXE; NOD32M2.EXE; NOD32CC.EXE; NOD32.EXE; NMAIN.EXE;
      NOD32KUI.EXE; MSASCUI.EXE; MSMPENG.EXE; MCUPDATE.EXE; MCSHIELD.EXE;
      MCVSSHLD.EXE; MCVSRTE.EXE; MCAGENT.EXE; KAVSVC.EXE; KAV.EXE;
      K7TSMNGR.EXE; K7SPMSRC.EXE; K7RTSCAN.EXE; K7PSSRVC.EXE; K7FWSRVC.EXE;
      K7EMLPXY.EXE; K7TSECURITY.EXE; K7SYSTRY.EXE; VIRUSUTILITIES.EXE;
      GUARDXSERVICE.EXE; GUARDXKICKOFF.EXE; AVKWCTL.EXE;
      AVKTUNERSERVICE.EXE; AVKSERVICE.EXE; GDFWSVC.EXE; AVKPROXY.EXE;
      GDFIRE~1.EXE; AVKTRAY.EXE; GDFIREWALLTRAY.EXE; FSAUA.EXE; FSDFWD.EXE;
      FSGK32ST.EXE; FSM32.EXE; FPWIN.EXE; FPAVSERVER.EXE; FPROTTRAY.EXE;
      INICIO.EXE; NOD32KRN.EXE; FSMA32.EXE; APVXDWIN.EXE; UMXPOL.EXE;
      UMXFWHLP.EXE; UMXAGENT.EXE; UMXCFG.EXE; PPCLTPRIV.EXE; SVCPRS32.EXE;
      ITMRTSVC.EXE; CCPROVSP.EXE; MDMCLS32.EXE; CAGLOBALLIGHT.EXE;
      CAPFUPGRADE.EXE; CAPFASEM.EXE; CAFW.EXE; CFGMNG32.EXE; CCTRAY.EXE;
      CLAMTRAY.EXE; CLAMWIN.EXE; ALSVC.EXE; ALMON.EXE; DRWEBSCD.EXE;
      SPIDERML.EXE; DRWEB32W.EXE; ACS.EXE; STRTSVC.EXE; OP_MON.EXE;
      SENSOR.EXE; QHFW332.EXE; CATEYE.EXE; ONLNSVC.EXE; EMLPROUI.EXE;
      UPSCHD.EXE; SCANMSG.EXE; SCANWSCS.EXE; EMLPROXY.EXE; ONLINENT.EXE;
      ASWCLNR.EXE; BDAGENT.EXE; VSSERV.EXE; LIVESRV.EXE; XCOMMSVR.EXE;
      UISCAN.EXE; BDSS.EXE; AVGCMGR.EXE; AVGWSRV.EXE; AVGUI.EXE;
      AVGSCANX.EXE; AVGUPSVC.EXE; AVGAMSVR.EXE; AVGUPD.EXE; AVGTRAY.EXE;
      AVGFRW.EXE; AVGEMC.EXE; AVGNSX.EXE; AVGRSX.EXE; AVGWDSVC.EXE;
      ASHWEBSV.EXE; ASHMAISV.EXE; ASWUPDSV.EXE; ASHSERV.EXE; ASHDISP.EXE;
      AVCENTER.EXE; SCHED.EXE; AVIRARKD.EXE; AVGNT.EXE; AVGUARD.EXE;
      AHNSDSV.EXE; ACAIS.EXE; ACALS.EXE; ACAEGMGR.EXE; QOELOADER.EXE;
      ACAAS.EXE; QUHLPSVC.EXE; AVGCSRVX.EXE; 123.EXE;
      RAVP.EXEMBAM.EXE123.COM; UNIEXTRACT.EXE; SYSANALYZER_SETUP.EXE;
      STARTDRECK.EXE; SPF.EXE; REGX2.EXE; REGSHOT.EXE; REGSCANNER.EXE;
      REGISTRAR_LITE.EXE; REGCOOL.EXE; REGALYZ.EXE;
      PROJECTWHOISINSTALLER.EXE; PROCMON.EXE; CUREIT.EXE; FIXBAGLE.EXE;
      PGSETUP.EXE; OBJMONSETUP.EXE; NETALYZ.EXE; KILLBOX.EXE;
      INSTALLWATCHPRO25.EXE; AVENGER.EXE; IEFIX.EXE; HOSTSFILEREADER.EXE;
      FIXPATH.EXE; FILEFIND.EXE; FILEALYZ.EXE; EULALYZERSETUP.EXE;
      A2HIJACKFREESETUP.EXE; DLLCOMPARE.EXE; CPROCESS.EXE; CPORTS.EXE;
      ASVIEWER.EXE; APT.EXE; APM.EXE; WIRESHARK.EXE; SPYBOTSD.EXE;
      TEATIMER.EXE; SPYBOTSD160.EXE; PROCESSMONITOR.EXE; PROCDUMP.EXE;
      PG2.EXE; LORDPE.EXE; ICESWORD.EXE; REANIMATOR.EXE; ROOTKITNO.EXE;
      RKD.EXE; HACKMON.EXE; UNHACKME.EXE; ROOTKIT_DETECTIVE.EXE;
      AVGARKT.EXE; FSB.EXE; FSBL.EXE; ROOTKITREVEALER.EXE; PSKILL.EXE;
      TASKMON.EXE; TASKLIST.EXE; TASKMAN.EXE; PROCEXP.EXE; MSNFIX.EXE;
      HIJACKTHIS_V2.EXE; HIJACKTHIS.EXE; HIJACKTHIS_SFX.EXE; HJTSETUP.EXE;
      HJTINSTALL.EXE; OLLYDBG.EXE; NETSTAT.EXE; PORTMONITOR.EXE;
      PORTDETECTIVE.EXE; FPORT.EXE; APORTS.EXE; PAVARK.EXE; DARKSPY105.EXE;
      HELIOS.EXE; ROOTKITBUSTER.EXE; ROOTALYZER.EXE; BC5CA6A.EXE; SEEM.EXE;
      DELAYDELFILE.EXE; DUBATOOL_AV_KILLER.EXE; SUPERKILLER.EXE;
      KAKASETUPV6.EXE; BUSCAREG.EXE; MSNCLEANER.EXE; SRESTORE.EXE;
      BOOTSAFE.EXE; SUPERANTISPYWARE.EXE;
      REGUNLOCKER.EXETSNTEVAL.EXEXP_TASKMGRENAB.EXE; CF9409.EXE; GMER.EXE;
      CATCHME.EXE; SDFIX.EXE; COMBOFIX.EXE; SRENGPS.EXE; AUTORUNS.EXE;
      TASKKILL.EXE; REG.EXE; MYPHOTOKILLER.EXE; KILLAUTOPLUS.EXE;
      FOLDERCURE.EXE; REGEDIT.SCR; REGEDIT.COM; TCPVIEW.EXE; LISTO.EXE;
      GUARD.EXE; NTVDM.EXE; COMMAND.COM; COMBOFIX.COM; COMBOFIX.SCR;
      COMOBO-FIX.EXE; COMBOFIX.BAT; COMBO-FIX.EXE; REGMON.EXE;
      OTMOVEIT.EXEMBAM-SETUP.EXE; JAJA.EXE; AVZ.EXE; MBAM.EXE;
      MBAM-SETUP.EXE; PENCLEAN.EXE; ELISTA.EXE; HJ.EXE;
      WINDOWS-KB890930-V2.2.EXE; MRTSTUB.EXE; MRT.EXE; HIJACK-THIS.EXE;
      VIRUS.EXE; SAFEBOOTKEYREPAIR.EXEOTMOVEIT3.EXEHOSTSXPERT.EXEDAFT.EXE;
      ATF-CLEANER.EXE; COMPAQ_PROPIETARIO.EXE; REGUNLOCKER.EXE;
      UNLOCKERASSISTANT.EXE; UNLOCKER.EXE; SRENGLDR.EXE; HOOKANLZ.EXE;
      UNLOCKER1.8.7.EXE

Inyectar el código viral en otros procesos – Se inyecta a sí mismo como hilo de ejecución remoto en un proceso.

Nombre del proceso:
• explorer.exe

Datos del fichero Lenguaje de programación:
El programa de malware ha sido escrito en Delphi.

Descripción insertada por Petre Galan el martes 23 de febrero de 2010
Descripción actualizada por Petre Galan el martes 23 de febrero de 2010

Volver . . . .

Protección destacada para PC del hogar

Productos gratis

Más populares

Todos los productos

Paquetes de soluciones

Terminales

Server

Paquetes de soluciones

Puertas de enlace de correo

Puertas de enlace web

Plataformas de colaboración

Particulares

Empresas

Laboratorio de virus

Más soporte

Hágase socio de Avira

Particulares

Empresas

?Solo quiere evaluar un producto?

Manuales y herramientas