Virus: Worm/Autorun.bgjc
Date discovered: 03/05/2010
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 118.784 Bytes
MD5 checksum: 5507d7602b6afb61dbd8787e9a16e80c
IVDF version: 7.10.07.21 - Monday, May 3, 2010

General
Method of propagation:
   • Autorun feature


Aliases:
   •  Sophos: Mal/VBInject-T
   •  Panda: W32/IRCbot.CXC
   •  Eset: Win32/Boberog.AQ
   •  Bitdefender: Trojan.Generic.KD.8011


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Third party control

Files
It copies itself to the following locations:
   • %TEMPDIR%\lssas.exe
   • %drive%\TRASH\DFG-2352-66235-2352322-634621321-6662355\365345.exe



The following files are created:

%drive%\autorun.inf
This is a plain text file (not malicious in itself) with the following content:
   • %code that runs malware%

%drive%\TRASH\DFG-2352-66235-2352322-634621321-6662355\Desktop.ini



It tries to execute the following commands:
   • netsh firewall add allowedprogram %TEMPDIR%\lssas.exe WindowsSafety ENABLE
   • taskkill /IM winlog.exe
   • taskkill /IM svchost.exe
   • taskkill /IM csrss.exe
   • taskkill /IM lsass.exe
   • "%TEMPDIR%\lssas.exe"

Registry
The following registry keys are added in order to run the processes after reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Google Updater"="%TEMPDIR%\lssas.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Google Updater"="%TEMPDIR%\lssas.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "MicrosoftCorp"="%TEMPDIR%\lssas.exe"



It creates the following entry in order to bypass the Windows XP firewall:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%TEMPDIR%\lssas.exe"="%TEMPDIR%\lssas.exe:*:Enabled:Windows Defense"
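A defender-side check for the Run-key persistence and the firewall exception listed above, written as an added example (not Avira's tooling or the worm's code): it parses a registry export in .reg text form and flags values under the Run keys or the AuthorizedApplications list that point into a temp directory or whose file name is one edit away from a Windows system binary (lssas.exe against lsass.exe). The .reg sample, the helper names and the system-binary list are this example's own assumptions.

```python
"""Flag suspicious autostart and firewall-exception values in a Windows
registry export (.reg text). Added example; sample data is constructed."""
import re

# Key paths from the description, matched by suffix (case-insensitive) so
# the HKCU and HKLM variants both hit.
RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
)
FIREWALL_LIST_SUFFIX = (r"\system\currentcontrolset\services\sharedaccess"
                        r"\parameters\firewallpolicy\standardprofile"
                        r"\authorizedapplications\list")
TEMP_DIR = re.compile(r"%temp(dir)?%|\\temp\\", re.IGNORECASE)
SYSTEM_BINARIES = ("lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe")
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_FW_ENTRY = re.compile(r"^(.+?):([^:]*):(Enabled|Disabled):(.*)$")


def _unescape(s):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Map each key path (lower-cased) to its list of (value name, data)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, [])
        elif current is not None:
            m = _VALUE_LINE.match(line)
            if m:
                keys[current].append((_unescape(m.group(1)), _unescape(m.group(2))))
    return keys


def one_edit_away(a, b):
    """True when a and b differ by one substitution, insertion, deletion or
    adjacent transposition, e.g. 'lssas.exe' vs 'lsass.exe'."""
    if a == b:
        return False
    if len(a) == len(b):
        diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def find_indicators(reg_text):
    """One finding per Run-key or firewall-list value that points into a temp
    directory or whose file name mimics a system binary."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        is_run = key.endswith(RUN_KEY_SUFFIXES)
        is_fw = key.endswith(FIREWALL_LIST_SUFFIX)
        if not (is_run or is_fw):
            continue
        for name, data in values:
            fw = _FW_ENTRY.match(data) if is_fw else None
            # For Run values drop surrounding quotes and arguments after the .exe.
            program = fw.group(1) if fw else re.split(
                r"(?i)(?<=\.exe)\s", data.strip('"'), maxsplit=1)[0]
            reasons = []
            if TEMP_DIR.search(program):
                reasons.append("program lives in a temp directory")
            base = program.replace("\\", "/").rsplit("/", 1)[-1].lower()
            reasons += ["file name mimics " + legit for legit in SYSTEM_BINARIES
                        if one_edit_away(base, legit)]
            if not reasons:
                continue  # a firewall exception on its own is routine
            if fw and fw.group(3) == "Enabled":
                reasons.insert(0, "enabled firewall exception for " + program)
            findings.append({"key": key, "name": name,
                             "program": program, "reasons": reasons})
    return findings


# Constructed .reg export: entries modelled on the description plus benign ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Updater"="%TEMPDIR%\\lssas.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"MicrosoftCorp"="%TEMPDIR%\\lssas.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%TEMPDIR%\\lssas.exe"="%TEMPDIR%\\lssas.exe:*:Enabled:Windows Defense"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
'''

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_REG):
        print(hit["key"], hit["name"], "->", "; ".join(hit["reasons"]))
```

Run against an export taken with `reg export` of the Run keys and the SharedAccess firewall policy; the benign OneDrive and Firefox entries in the sample are left alone, while the three values modelled on the description are reported with the reasons that triggered them.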

IRC
To deliver system information and to provide remote control, it connects to the following IRC servers:

Server: stores.del**********.net
Port: 1234
Channel: #b#
Nickname: {NEW}[USA][XP-SP2]%number%

Server: bb.ceg**********.org
Port: 1234
Channel: #b#
Nickname: {NEW}[USA][XP-SP2]%number%

File details
Programming language: The malware program was written in Visual Basic.

Description inserted by Petre Galan on Thursday, 24 June 2010
Description updated by Petre Galan on Thursday, 24 June 2010
