Virus: TR/PSW.Zbot.258048.270
Date discovered: 14/01/2013
Type: Trojan
Subtype: PSW
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 255344 Bytes
MD5 checksum: fa3bc1fd5c27206c47492c6ca5fcfaf4
VDF version: 7.11.57.60 - Monday, January 14, 2013
IVDF version: 7.11.57.60 - Monday, January 14, 2013

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Bitdefender: Gen:Variant.Graftor.64261
   • Eset: Win32/Kryptik.ARZP
   • DrWeb: Trojan.PWS.Panda.2401


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops a malicious file
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following location:
   • %Appdata%\%six-digit random character string%\%five-digit random character string%.exe



It deletes the initially executed copy of itself.



The following files are created:
   • %Appdata%\%five-digit random character string%\%five-digit random character string%.%three-digit random character string%
   • %TEMPDIR%\tmp%eight-digit random character string%.bat

Furthermore, the .bat file is executed once it has been fully written.

Registry
The following registry key is added in order to run the process after reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Adabcovofo"="%Appdata%\\%six-digit random character string%\\%five-digit random character string%.exe"



The following registry key is added:

[HKCU\Software\Microsoft\Avgu]


The following registry keys are changed:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
   Old value:
   • "1609"=dword:00000001
   New value:
   • "1609"=dword:00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
   Old value:
   • "1609"=dword:00000001
   • "1406"=dword:00000001
   New value:
   • "1609"=dword:00000000
   • "1406"=dword:00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
   Old value:
   • "1609"=dword:00000001
   New value:
   • "1609"=dword:00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
   Old value:
   • "1406"=dword:00000003
   • "1609"=dword:00000001
   New value:
   • "1406"=dword:00000000
   • "1609"=dword:00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
   Old value:
   • "1406"=dword:00000003
   • "1609"=dword:00000001
   New value:
   • "1406"=dword:00000000
   • "1609"=dword:00000000
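The registry artifacts listed in this description (the Run entry, the Avgu marker key, and the Internet zone values set to 0) can be checked on a suspect host from PowerShell. The script below is an added defender-side example and is not part of the Avira description. Key and value names are taken from the description; the regular expression for the Run entry path is an assumption built from the "%Appdata%\<six characters>\<five characters>.exe" form given above, and the value name "Adabcovofo" is treated as one possible name rather than a constant. Zone value 1406 controls "Access data sources across domains" and 1609 controls "Display mixed content"; 0 means enabled, 1 means prompt, 3 means disabled, so a 0 in both is the weakened state.

```powershell
# Added example (not Avira's code): look for the registry artifacts that the
# TR/PSW.Zbot.258048.270 description lists. Run in the context of the user
# whose HKCU hive should be inspected.

$findings = @()

# 1. Persistence: a Run value pointing into %AppData%\<6 chars>\<5 chars>.exe.
#    The character classes are an assumption; the description only says
#    "random character string".
$runKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appDataEsc  = [regex]::Escape($env:APPDATA)
$pathPattern = "^$appDataEsc\\[A-Za-z0-9]{6}\\[A-Za-z0-9]{5}\.exe$"

$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }        # skip provider metadata
        $value = ([string]$prop.Value) -replace '"', ''  # drop the quoting seen in the description
        if ($prop.Name -eq 'Adabcovofo' -or $value -match $pathPattern) {
            $findings += "Run value '$($prop.Name)' -> $value"
        }
    }
}

# 2. Marker key the sample creates.
if (Test-Path 'HKCU:\Software\Microsoft\Avgu') {
    $findings += 'Key HKCU\Software\Microsoft\Avgu exists'
}

# 3. Internet zone settings lowered to 0 (enabled) for zones 0-4.
#    1406 = access data sources across domains, 1609 = display mixed content.
foreach ($zone in 0..4) {
    $zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
    $props   = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($name in '1406', '1609') {
        $v = $props.$name
        if ($null -ne $v -and [int]$v -eq 0) {
            $findings += "Zone $zone value $name is 0 (security setting lowered)"
        }
    }
}

if ($findings.Count -eq 0) {
    'No TR/PSW.Zbot.258048.270 registry artifacts found.'
} else {
    $findings
}
```

A zone value of 0 is not proof of infection on its own, since group policy or a user can set it legitimately; treat a hit in section 3 as corroboration for a hit in section 1 or 2, and compare against the defaults recorded under "Old value" above (1 for 1609, 1 or 3 for 1406 depending on the zone).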

Injection
Process name:
   • Explorer.exe


Miscellaneous
Trusted file pretending:
Its process pretends to be the following trusted process: NTSD.Exe
Note that the malware also fakes the icon, so that it appears to be the process named above.

Description inserted by Wensin Lee on Wednesday, 16 January 2013
Description updated by Wensin Lee on Wednesday, 16 January 2013
