Date discovered: 03/05/2010
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 118.784 Bytes
MD5 checksum: 5507d7602b6afb61dbd8787e9a16e80c
IVDF version: - Monday, May 3, 2010

General Method of propagation:
   • Autorun feature

Aliases:
   • Sophos: Mal/VBInject-T
   • Panda: W32/IRCbot.CXC
   • Eset: Win32/Boberog.AQ
   • Bitdefender: Trojan.Generic.KD.8011

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Third party control

Files
It copies itself to the following locations:
   • %TEMPDIR%\lssas.exe
   • %drive%\TRASH\DFG-2352-66235-2352322-634621321-6662355\365345.exe

The following files are created:

%drive%\autorun.inf: This is a non-malicious text file with the following content:
   • %code that runs malware%


It tries to execute the following files:

– Filename:
   • netsh firewall add allowedprogram %TEMPDIR%\lssas.exe WindowsSafety ENABLE

– Filename:
   • taskkill /IM winlog.exe

– Filename:
   • taskkill /IM svchost.exe

– Filename:
   • taskkill /IM csrss.exe

– Filename:
   • taskkill /IM lsass.exe

– Filename:
   • "%TEMPDIR%\lssas.exe"

Registry
The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Google Updater"="%TEMPDIR%\lssas.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Google Updater"="%TEMPDIR%\lssas.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   • "MicrosoftCorp"="%TEMPDIR%\lssas.exe"

It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   • "%TEMPDIR%\lssas.exe"="%TEMPDIR%\lssas.exe:*:Enabled:Windows Defense"

IRC
To deliver system information and to provide remote control it connects to the following IRC servers:

Server: stores.del**********.net
Port: 1234
Channel: #b#
Nickname: {NEW}[USA][XP-SP2]%number%

Server: bb.ceg**********.org
Port: 1234
Channel: #b#
Nickname: {NEW}[USA][XP-SP2]%number%
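The persistence, firewall-bypass, process-kill and IRC behaviour described above can be turned into a host-side indicator check. The following Python script is an added example written for this page, not Avira's tooling and not code from the sample: it applies the description's indicators to constructed sample data (registry rows as (key, value name, data) triples as a registry export would yield, process command lines, and IRC nicknames). The full path of the firewall authorized-applications key (the description truncates it after Parameters\) and the variable parts of the nickname pattern are assumptions.

```python
import ntpath
import re

# Indicator values are taken from the description above; sample rows and
# command lines further down are constructed for this example.
DROPPED_NAME = "lssas.exe"          # note the lookalike of the legitimate lsass.exe
KILLED_PROCESSES = {"winlog.exe", "svchost.exe", "csrss.exe", "lsass.exe"}
# Key prefix exactly as shown in the description (compared case-insensitively).
FIREWALL_PREFIX = r"hklm\system\currentcontrolset\services\sharedaccess\parameters"
# Derived from the one nickname template on the page; the country code and
# service-pack digit are assumed to vary per victim.
IRC_NICK_RE = re.compile(r"^\{NEW\}\[[A-Z]+\]\[XP-SP\d\]\d+$")


def check_registry(rows):
    """rows: iterable of (key, value_name, data). Returns a list of findings."""
    findings = []
    for key, name, data in rows:
        klow = key.lower()
        if klow.endswith("\\run"):
            # Covers CurrentVersion\Run and policies\Explorer\Run alike.
            target = data.strip('"')
            base = ntpath.basename(target).lower()
            # Flag the dropped name, and more generally any Run target in a temp dir.
            if base == DROPPED_NAME or "\\temp\\" in target.lower():
                findings.append(f"run-key persistence: {key} {name!r} -> {target}")
        elif klow.startswith(FIREWALL_PREFIX):
            # Value format from the page: <path>:*:Enabled:<display name>.
            # rsplit keeps the drive-letter colon inside the path part.
            parts = data.rsplit(":", 3)
            if (len(parts) == 4 and parts[2].lower() == "enabled"
                    and ntpath.basename(parts[0]).lower() == DROPPED_NAME):
                findings.append(f"firewall exception for dropper: {name!r} ({parts[3]})")
    return findings


def check_commands(cmdlines):
    """cmdlines: iterable of process command lines. Returns a list of findings."""
    findings = []
    for cmd in cmdlines:
        toks = cmd.lower().split()
        if (toks[:4] == ["netsh", "firewall", "add", "allowedprogram"]
                and len(toks) > 4 and ntpath.basename(toks[4]) == DROPPED_NAME):
            findings.append(f"netsh whitelists dropper: {cmd}")
        elif toks[:2] == ["taskkill", "/im"] and len(toks) > 2 and toks[2] in KILLED_PROCESSES:
            findings.append(f"kill of system/security process: {cmd}")
    return findings


def is_bot_nick(nick):
    """True if an IRC nickname follows the {NEW}[country][XP-SPn]<number> template."""
    return bool(IRC_NICK_RE.match(nick))


# Constructed sample data (not taken from a real system).
SAMPLE_REGISTRY = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Google Updater",
     r"C:\WINDOWS\Temp\lssas.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),
    # Assumed full key path; the description truncates it after Parameters\.
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
     r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
     r"C:\WINDOWS\Temp\lssas.exe",
     r"C:\WINDOWS\Temp\lssas.exe:*:Enabled:Windows Defense"),
]
SAMPLE_COMMANDS = [
    r"netsh firewall add allowedprogram C:\WINDOWS\Temp\lssas.exe WindowsSafety ENABLE",
    "taskkill /IM csrss.exe",
    "taskkill /IM notepad.exe",
    r"C:\WINDOWS\Temp\lssas.exe",
]

if __name__ == "__main__":
    for line in check_registry(SAMPLE_REGISTRY) + check_commands(SAMPLE_COMMANDS):
        print(line)
    print("bot nick:", is_bot_nick("{NEW}[USA][XP-SP2]4711"))
```

The registry check matches on the value data rather than the value name, since the names ("Google Updater", "MicrosoftCorp") are chosen to look legitimate; the firewall check parses the `path:*:Enabled:name` format so the drive-letter colon does not break it.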

File details
Programming language:
The malware program was written in Visual Basic.

Description inserted by Petre Galan on Thursday, 24 June 2010
Description updated by Petre Galan on Thursday, 24 June 2010
