Name: TR/Dldr.Geral.vng
Discovered: 16/02/2011
Type: Trojan
Subtype: Downloader
In the wild (ITW): Yes
Number of reported infections: Low-medium
Distribution potential: Low
Damage potential: Low-medium
Static file: Yes
Size: 39,839 bytes
MD5 checksum: 9b0c12025217508a1436683efa4faab5
VDF version: 7.10.08.215
IVDF version: 7.11.03.121 - Wednesday, 16 February 2011

 General
Aliases:
   •  Kaspersky: Trojan-Downloader.Win32.Geral.vng
   •  Sophos: Troj/Mdrop-DGX
   •  Bitdefender: Trojan.Agent.AQSO
   •  Panda: W32/Spamta.gen.worm
   •  GData: Trojan.Agent.AQSO


Platforms / operating systems:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modifications

 Files
It copies itself to the following location:
   • %SYSDIR%\kav.exe



It deletes the initially executed copy of itself.



It deletes the following files:
   • %PROGRAM FILES%\ATI\amdk8.sys
   • %SYSDIR%\ccte1sto.dat
   • %PROGRAM FILES%\ATI\amdk8.dll
   • %TEMPDIR%\DogKiller.sys
   • %TEMPDIR%\360data.tmp
   • %PROGRAM FILES%\ATI\amdk8.inf



It creates the following files:

%WINDIR%\INF\oem14.inf This is a non-malicious text file with the following content:
   • %code that runs malware%

%PROGRAM FILES%\ATI\amdk8.inf This is a non-malicious text file with the following content:
   • %code that runs malware%

%PROGRAM FILES%\ATI\amdk8.sys Further investigation pointed out that this file is malware, too. Detected as: Rkit/Agent.bhyh

%SYSDIR%\ccte1sto.dat Further investigation pointed out that this file is malware, too. Detected as: TR/Spy.16896.75

%SYSDIR%\DRIVERS\amdk8.sys Further investigation pointed out that this file is malware, too. Detected as: Rkit/Agent.bhyh

%WINDIR%\INF\oem14.PNF
%TEMPDIR%\DogKiller.sys Further investigation pointed out that this file is malware, too. Detected as: TR/Expl.Agent.ed

%TEMPDIR%\updata.exe Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.Geral.uni

%TEMPDIR%\360data.tmp
%PROGRAM FILES%\ATI\amdk8.dll Further investigation pointed out that this file is malware, too. Detected as: TR/Killav.gox

%TEMPDIR%\ope7.tmp



It tries to execute the following files:
   • "%SYSDIR%\sc.exe" config PolicyAgent start= auto
   • "%SYSDIR%\sc.exe" stop PolicyAgent
   • "%SYSDIR%\sc.exe" start PolicyAgent
   • runonce -r
   • %TEMPDIR%\updata.exe
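The execution chain above (three sc.exe calls against the PolicyAgent service, a "runonce -r", and a downloader started from %TEMPDIR%) is visible in process-creation telemetry. The following script is an added example, not part of the Avira description: it runs three checks over process-creation records shaped like Windows 4688 / Sysmon event 1 fields and reports a config/stop/start cycle against one service from one parent, runonce -r launched by something other than an installer, and an executable started from a Temp directory. The records are constructed for this example; the parent attribution assumes the downloader spawns sc.exe itself (this page also notes it injects a remote thread into sc.exe, so on some hosts the service changes may not appear as separate command lines), and the installer allowlist is an assumption.

```python
"""Command-line triage for a service config/stop/start cycle, runonce -r,
and execution from Temp. Added example; sample records are constructed."""
import re
from collections import defaultdict

# (timestamp, parent image, image, command line), constructed sample data
SAMPLE_EVENTS = [
    ("2011-02-16T10:00:01", r"C:\Documents and Settings\bob\Desktop\invoice.exe",
     r"C:\WINDOWS\system32\kav.exe", r'"C:\WINDOWS\system32\kav.exe"'),
    ("2011-02-16T10:00:02", r"C:\WINDOWS\system32\kav.exe",
     r"C:\WINDOWS\system32\sc.exe", r'"C:\WINDOWS\system32\sc.exe" config PolicyAgent start= auto'),
    ("2011-02-16T10:00:02", r"C:\WINDOWS\system32\kav.exe",
     r"C:\WINDOWS\system32\sc.exe", r'"C:\WINDOWS\system32\sc.exe" stop PolicyAgent'),
    ("2011-02-16T10:00:03", r"C:\WINDOWS\system32\kav.exe",
     r"C:\WINDOWS\system32\sc.exe", r'"C:\WINDOWS\system32\sc.exe" start PolicyAgent'),
    ("2011-02-16T10:00:03", r"C:\WINDOWS\system32\kav.exe",
     r"C:\WINDOWS\system32\runonce.exe", "runonce -r"),
    ("2011-02-16T10:00:05", r"C:\WINDOWS\system32\kav.exe",
     r"C:\DOCUME~1\bob\LOCALS~1\Temp\updata.exe", r"C:\DOCUME~1\bob\LOCALS~1\Temp\updata.exe"),
    # benign administrator activity that must not fire
    ("2011-02-16T11:00:00", r"C:\WINDOWS\system32\cmd.exe",
     r"C:\WINDOWS\system32\sc.exe", "sc query PolicyAgent"),
]

# sc.exe invoked with a verb that changes service state or configuration
SC_RE = re.compile(r'(?:^|\\|")sc(?:\.exe)?"?\s+(config|stop|start)\s+(\S+)', re.IGNORECASE)
# image path whose last directory is a Temp folder
TEMP_EXE_RE = re.compile(r'\\temp\\[^\\]+\.exe$', re.IGNORECASE)
# parents assumed to legitimately call runonce -r after an INF-based install (assumption)
INSTALLER_PARENTS = {"setup.exe", "msiexec.exe"}


def triage(events):
    """Return findings as dicts with rule, time, parent and detail."""
    findings = []
    sc_verbs = defaultdict(set)  # (parent image, service name) -> sc verbs seen
    for ts, parent, image, cmd in events:
        base = image.rsplit("\\", 1)[-1].lower()
        parent_base = parent.rsplit("\\", 1)[-1].lower()
        m = SC_RE.search(cmd)
        if m:
            sc_verbs[(parent, m.group(2).lower())].add(m.group(1).lower())
        if (base == "runonce.exe" and re.search(r"(?:^|\s)-r\b", cmd, re.IGNORECASE)
                and parent_base not in INSTALLER_PARENTS):
            findings.append({"rule": "runonce_rerun", "time": ts, "parent": parent, "detail": cmd})
        if TEMP_EXE_RE.search(image):
            findings.append({"rule": "exec_from_temp", "time": ts, "parent": parent, "detail": image})
    # one parent reconfiguring, stopping and starting the same service is the
    # pattern this page shows for PolicyAgent
    for (parent, service), verbs in sc_verbs.items():
        if {"config", "stop", "start"} <= verbs:
            findings.append({"rule": "service_config_restart", "time": None,
                             "parent": parent, "detail": service})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["rule"], f["parent"], f["detail"])
```

The service rule keys on the parent image rather than on a time window, so an administrator running "sc query" from cmd.exe does not fire; tighten it with a window if your telemetry carries reliable timestamps.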

 Registry
The following registry key is added in order to run the process after a system start:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "kav"="%SYSDIR%\kav.exe"



The following registry keys are added:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360safe.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\safeboxTray.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kmailmon.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ccapp.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQDoctor.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kxesapp.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcshield.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcupdmgr.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\DrvAnti.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ccSvcHst.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\bdagent.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kxedefend.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\alg.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360delays.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcnasvc.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MPSVC.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ScanFrm.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kxetray.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcsysmon.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avp.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FrameworkService.exe]
   • "Debugger"="rundll32.exe"

[HKLM\System\CurrentControlSet\Control\Class\
   {82521385-84B9-4AB3-9BC1-B9BD2DD3021A}]
   • "@"="Class for amdk8 devices"
   • "Class"="amdk8"
   • "Icon"="-18"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RsAgent.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kxeserv.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\XsClient.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KPfwSvc.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\antiarp.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQDoctorRtp.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rssafety.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ekrn.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rtvscan.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\xcommsvr.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcagent.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\egui.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\engineserver.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MPSVC1.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360rp.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KISSvc.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\DrUpdate.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360SoftMgrSvc.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KABackReport.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\qutmserv.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360realpro.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AgentSvr.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\udaterui.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavMon.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcshell.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rfwsrv.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360Safebox.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KWatch.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\nbmanti.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MPSVC2.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MpfSrv.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MPMon.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kwstray.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\defwatch.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RegGuide.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\upsvc.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KSafeTray.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rsnetsvr.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcmscsvc.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360tray.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RsTray.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kaccore.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\vsserv.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQDrNetMon.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KSafeSvc.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\vstskmgr.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\zhudongfangyu.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\CCenter.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KSWebShield.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KPFW32.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavStub.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\naPrdMgr.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\McProxy.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SHSTAT.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\McTray.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mfeann.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KavStart.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SYSTEM\CurrentControlSet\Control\Class\
   {82521385-84B9-4AB3-9BC1-B9BD2DD3021A}\0000]
   • "DriverDate"="6-23-2010"
   • "DriverDateData"=hex:00,C0,E4,05,67,12,CB,01
   • "DriverDesc"="amdk8 Device"
   • "DriverVersion"="1.0.0.0"
   • "InfPath"="oem14.inf"
   • "InfSection"="amdk8_DDI"
   • "InfSectionExt"=".NT"
   • "MatchingDeviceId"="*amdk8device"
   • "ProviderName"="Microsoft"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavTask.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360sd.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVSrvXP.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\vptray.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mfevtps.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ccEvtMgr.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcinsupd.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\LiveUpdate360.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ccSetMgr.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\DSMain.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kxescore.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kppserv.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KPPTray.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavMonD.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\livesrv.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Uplive.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Rav.exe]
   • "Debugger"="rundll32.exe"



The following registry key is modified:

[HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList]
   New value:
   • "Extended Base"=hex:0B,00,00,00,01,00,00,00,02,00,00,00,04,00,00,00,03,00,00,00,05,00,00,00,06,00,00,00,07,00,00,00,08,00,00,00,09,00,00,00,0A,00,00,00,0B,00,00,00
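The registry changes above are the mechanism by which this downloader disables security software: for each listed product binary, the "Debugger" value under Image File Execution Options makes the loader start rundll32.exe with the product's path as an argument, so rundll32.exe exits and the product never runs; the Run value restarts %SYSDIR%\kav.exe after reboot, and the oem14.inf entries (InfPath under the amdk8 class) install the dropped driver. The following script is an added example, not part of the Avira description: it parses the text written by "reg export" and reports every IFEO Debugger value, classifying it as a hijack when the configured "debugger" is not a real debugger, plus Run / RunOnce entries matched against the indicator this page gives (kav.exe). The export text is constructed for the example, and the debugger allowlist is an assumption.

```python
r"""Registry triage for IFEO Debugger hijacks and Run-key persistence.
Added example; the .reg text and debugger allowlist are constructed."""
import re

# Constructed .reg text in the format written by `reg export`
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kav"="C:\\WINDOWS\\system32\\kav.exe"
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe]
"Debugger"="rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=<raw value>
# binaries that are legitimately configured as JIT debuggers (assumption)
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe", "drwtsn32.exe"}
PAGE_IOCS = {"kav.exe"}   # Run-key indicator taken from this description


def _unescape(s):
    """Undo .reg string escaping: a backslash escapes the next character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)


def _first_token(cmd):
    """Executable path at the start of a command string, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_reg_export(text):
    """Yield (key, value name, string value) for each REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m and m.group(2).startswith('"') and m.group(2).endswith('"'):
            yield key, m.group(1), _unescape(m.group(2)[1:-1])


def triage_reg_export(text):
    """Classify IFEO Debugger values and list Run/RunOnce entries with IOC matches."""
    report = {"ifeo": [], "run": []}
    for key, name, value in parse_reg_export(text):
        k = key.lower()
        exe = _first_token(value).rsplit("\\", 1)[-1].lower()
        if "\\image file execution options\\" in k and name.lower() == "debugger":
            # The loader starts the Debugger value with the target's path as its
            # argument; rundll32.exe given an .exe just exits, so the target never runs.
            report["ifeo"].append({
                "target": key.rsplit("\\", 1)[-1],
                "debugger": value,
                "verdict": "debugger" if exe in KNOWN_DEBUGGERS else "hijack",
            })
        elif re.search(r"\\currentversion\\run(once)?$", k):
            report["run"].append({"name": name, "command": value, "ioc_match": exe in PAGE_IOCS})
    return report


if __name__ == "__main__":
    rep = triage_reg_export(REG_TEXT)
    for f in rep["ifeo"]:
        print(f["verdict"], f["target"], "->", f["debugger"])
    for e in rep["run"]:
        print("run:", e["name"], e["command"], "IOC" if e["ioc_match"] else "")
```

On a live host, "reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg" produces input for this parser; reg.exe usually writes UTF-16LE with a BOM, so open the file with encoding="utf-16" before passing the text in. Any IFEO Debugger value that is not a real debugger deserves a look, not only rundll32.exe; other stubs that exit immediately serve the same purpose.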

 Injection into other processes
It injects itself as a remote thread into a process.

    Process name:
   • sc.exe


 Miscellaneous
It accesses internet resources:
   • http://124.232.147.3:84/**********


Mutex object:
It creates the following mutex object:
   • ACDTEST......

 File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, 15 April 2011
Description updated by Petre Galan on Friday, 15 April 2011
