Name: Worm/Slenfbot.DQ
Discovered: 23/11/2009
Type: Worm
In the wild (ITW):
Number of reported infections: Medium-low
Spreading potential: Medium-low
Damage potential: Medium
Static file:
Size: 77,312 bytes
MD5 checksum: 529a29e455d2cc22c4dc756f2bb013b8
IVDF version: 7.10.01.59 - Monday, 23 November 2009

General
Spreading method:
   • Autorun feature


Aliases:
   •  Panda: W32/Slenfbot.AH
   •  Eset: Win32/AutoRun.Qhost.M


Platforms / Operating systems:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to certain websites
   • Blocks access to security portals
   • Drops malicious files
   • Lowers security settings
   • Registry modifications
   • Enables unauthorised access to the computer

Files
Copies itself to the following locations:
   • %SYSDIR%\avsysd.exe
   • \CACHE-03958720\device64.sys



Overwrites a file:
%SYSDIR%\drivers\etc\hosts



Creates the following files:

\autorun.inf This is a text file that is harmless in itself and has the following content:
   •

\CACHE-03958720\Desktop.ini

Registry
Adds one of the following registry values so that its processes run again after a system restart:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "ctfmon.exe"="ctfmon.exe"



Deletes the following registry keys, including all their values and subkeys (this removes the Safe Mode driver and service whitelists):
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]



Creates the following entries to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\avsysd.exe"="%SYSDIR%\avsysd.exe:*:Enabled:Windows Live"

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\DomainProfile\AuthorizedApplications\List]
   • "%SYSDIR%\avsysd.exe"="%SYSDIR%\avsysd.exe:*:Enabled:Windows Live"



Adds the following registry keys:

– [HKLM\SOFTWARE\Policies\Microsoft\MRT]
   • "DontReportInfectionInformation"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Security Center]
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "AntiVirusOverride"=dword:0x00000001
   • "FirewallDisableNotify"=dword:0x00000001
   • "FirewallOverride"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ctfmon.exe]
   • "Debugger"="avsysd.exe"

– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   • "DisableConfig"=dword:0x00000001

– [HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
   • "DoNotAllowXPSP2"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\
   Layers]
   • "%SYSDIR%\avsysd.exe"="DisableNXShowUI"



Modifies the following registry keys:

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "Hidden"=dword:0x00000002

Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   New value:
   • "CheckedValue"=dword:0x00000001

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   New value:
   • "restrictanonymous"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Ole]
   New value:
   • "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Services\avg8wd]
   New value:
   • "Start"=dword:0x00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\avg8emc]
   New value:
   • "Start"=dword:0x00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
   New value:
   • "Start"=dword:0x00000004

IRC
To report information and to provide remote control, it connects to one of a list of IRC servers (names partly masked in this description); the first is shown with its connection details:

Server: unas.u**********.info
Server password: su1c1d3
Channel: #te3pe3
Nickname: \00\USA\%random character string%


– In addition, it can perform the following operations:
    • Execute a file
    • Update itself

Hosts file
The hosts file is modified as follows:

– Existing entries are removed.

– Access to a long list of domains (security vendors, antivirus download sites and support forums) is blocked by mapping each of them to 127.0.0.1:

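Added example (not Avira's code): an offline triage script for the registry changes and the hosts-file rewrite described above. It parses a .reg export and a copy of the hosts file taken from a suspect machine, so it needs no live registry; the sample inputs are constructed, and the value data follows .reg export notation (dword:00000001 rather than the 0x form used in this description).

```python
# Offline triage for the Slenfbot.DQ artefacts listed above (added example, not
# Avira's code). It parses a .reg export and a copy of the hosts file taken from
# a suspect machine, so it needs no live registry. Sample inputs are constructed.
import re

HKLM = "HKEY_LOCAL_MACHINE"

# (key, value name) -> data the worm writes, in .reg export notation
# (a .reg file writes REG_DWORD as dword:<8 hex digits>, without the 0x).
EXPECTED_MODIFICATIONS = {
    (HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe", "Debugger"): "avsysd.exe",
    (HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe"): "ctfmon.exe",
    (HKLM + r"\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride"): "dword:00000001",
    (HKLM + r"\SOFTWARE\Microsoft\Security Center", "FirewallOverride"): "dword:00000001",
    (HKLM + r"\SYSTEM\CurrentControlSet\Services\wscsvc", "Start"): "dword:00000004",
}
# Keys the worm deletes; their absence from a full export of SafeBoot is a finding.
SAFEBOOT_KEYS = (
    HKLM + r"\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    HKLM + r"\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
)
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(.+?)"=(.+)$')

def parse_reg_export(text):
    """Parse the [key] / "name"=data layout of a .reg export (decode the file as
    UTF-16 first, reg.exe writes it that way). Returns (keys_seen, values)."""
    keys_seen, values, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys_seen.add(current)
            continue
        val = _VALUE_RE.match(line)
        if val and current is not None:
            data = val.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]  # REG_SZ: strip the surrounding quotes
            values[(current, val.group(1))] = data
    return keys_seen, values

def check_registry(text):
    """List the described persistence / defence-evasion values present in a .reg export."""
    keys_seen, values = parse_reg_export(text)
    findings = [f"{name} under {key} = {data}"
                for (key, name), data in EXPECTED_MODIFICATIONS.items()
                if values.get((key, name), "").lower() == data.lower()]
    findings += [f"missing {key}" for key in SAFEBOOT_KEYS if key not in keys_seen]
    return findings

def check_hosts(text):
    """Hostnames a hosts file pins to 127.0.0.1, other than localhost itself."""
    blocked = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] == "127.0.0.1":
            blocked += [h for h in parts[1:] if h.lower() != "localhost"]
    return blocked

# Constructed samples of an infected machine's registry export and hosts file.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="avsysd.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
"""
SAMPLE_HOSTS = "# constructed\n127.0.0.1\tlocalhost\n127.0.0.1 www.virustotal.com\n127.0.0.1 liveupdate.symantec.com\n"
```

On a real machine, export the keys with `reg export` and copy `%SYSDIR%\drivers\etc\hosts` before feeding them to check_registry and check_hosts; the IFEO Debugger value is the one that keeps the worm running even after the Run entry is removed.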

Process termination
The worm terminates a long list of processes by executable name, belonging mainly to antivirus, firewall and system-analysis tools:


Injection of viral code into other processes
– Injects itself as a remote thread into a process.

    Process name:
   • explorer.exe


File details
Programming language:
The malware program was written in Delphi.

Description inserted by Petre Galan on Tuesday, 23 February 2010
Description updated by Andrei Ivanes on Tuesday, 23 February 2010
