¿Necesita ayuda? Pregunte a la comunidad o contrate a un experto.
Ir a Avira Answers
Virus:TR/Injector.LO
Date discovered:25/04/2012
Type:Trojan
In the wild:No
Reported Infections:High
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:67.072 Bytes
MD5 checksum:b2b0c8d66ef083810Bcf5f54e15ee806
VDF version:7.11.28.152
IVDF version:7.11.28.152

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan.Win32.Inject.dzsp
   •  Grisoft: SHeur4.AAYW
   •  Eset: Win32/Trustezeb.A
   •  GData: Trojan.Injector.ADI
   •  Norman: Trojan W32/Suspicious_Gen4.ACYPJ


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification


Right after execution the following information is displayed:


 Files It copies itself to the following locations:
   • %APPDATA%\Realtec\Realtecdriver.exe
   • %APPDATA%\Qvmh\C10199CBD8812EB1F92D.exe
   • %TEMP%\%10 digit random character string% .pre
   • %SYSDIR%\3E5D1393D8812EB16C61.exe



It deletes the initially executed copy of itself.

 Registry One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Realtecdriver"="%APPDATA\Realtec\Realtecdriver.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\3E5D1393D8812EB16C61.exe"

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "D8812EB1"="%APPDATA\Qvmh\C10199CBD8812EB1F92D.exe"



The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\ControlSet001\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\%TEMP%\%10 digit random character string% .pre;"

 Injection – It injects itself into a process.

 Miscellaneous Internet connection:
In order to check for its internet connection the following DNS servers are contacted:
   • http://**********-a.com/**********.php?id=D8812EB1434E41564549&cmd=img
   • http://**********-a.com/**********.php?id=D8812EB1434E41564549&cmd=lfk&data=uJXbykvbhoZH1VxnSk0wIYg6TtL2zhzZ


Event handler:
It creates the following Event handlers:
   • CreateService
   • StartService
   • CreateRemoteThread
   • HttpOpenRequest
   • FtpOpenFile
   • InternetOpenUrl
   • InternetOpen
   • GetDriveType
   • CreateFile
   • CreateToolhelp32Snapshot
   • ShellExecute

 File details Programming language:
The malware program was written in Visual Basic.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Descripción insertada por Wensin Lee el jueves, 26 de abril de 2012
Descripción actualizada por Matthias Schlindwein el jueves, 26 de abril de 2012

Volver . . . .
https:// Esta ventana está cifrada para su seguridad.