¿Necesita ayuda? Pregunte a la comunidad o contrate a un experto.
Ir a Avira Answers
Date discovered:23/09/2012
Type:Backdoor Server
In the wild:No
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low
File size:18.944 Bytes
MD5 checksum:0A800A054ebbd515013de453fc3f501f
VDF version:
IVDF version:

 General Method of propagation:
   • No own spreading routine

   •  Bitdefender: Trojan.Generic.8966001
   •  AVG: BackDoor.Generic16.CNMF
   •  Eset: a variant of MSIL/IRCBot.AS trojan
   •  Norman: W32/Troj_Generic.KHHOV

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008

Side effects:
   • Registry modification

 Files It copies itself to the following location:
   • C:\winsrvc86.exe

 Registry To each registry key one of the values is added in order to run the processes after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "winsrvc86"="\\winsrvc86.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "winsrvc86"="\\winsrvc86.exe"

The following registry keys are added:

– [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAPISRV\0000\Control]
   • "ActiveService"="TapiSrv"

– [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASMAN\0000\Control]
   • "ActiveService"="RasMan"

– [HKLM\SECURITY\Policy\Secrets\SAI]
   • @=hex:98,91,2c,47,d1,d1,cc,01

– [HKLM\SECURITY\Policy\Secrets\SAC]
   • @=hex:f2,f3,2e,47,d1,d1,cc,01

 Miscellaneous  Checks for an internet connection by contacting the following web site:
   • 231.231.1**********.188

 File details Programming language:
The malware program was written in MS Visual C#.

Descripción insertada por Wensin Lee el jueves, 18 de abril de 2013
Descripción actualizada por Wensin Lee el jueves, 18 de abril de 2013

Volver . . . .