Name: Joke/Renos.W
Discovered on: 31/10/2005
Type: Trojan
ITW: No
Number of reported infections: Low
Spreading potential: Low
Destructive potential: Low to medium
Static file: Yes
Size: 28,160 Bytes
MD5: fa7582def8348c22b69a4bb360eff64b
VDF version: 6.32.00.117
General
Method of propagation:
• Has no propagation routine of its own
Aliases:
• McAfee: Downloader-AFH
• Kaspersky: not-virus:Hoax.Win32.Renos.s
Operating systems:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads a file
• Creates a file
• Registry modifications
Immediately after execution, the following is displayed on screen:

Files
Copies itself to the following location:
• c:\winstall.exe
The following files are created:
– Harmless files:
• C:\Program Files\SpySheriff\base.avd
• C:\Program Files\SpySheriff\base001.avd
• C:\Program Files\SpySheriff\base002.avd
• C:\Program Files\SpySheriff\found.wav
• C:\Program Files\SpySheriff\heur000.dll
• C:\Program Files\SpySheriff\heur001.dll
• C:\Program Files\SpySheriff\heur002.dll
• C:\Program Files\SpySheriff\heur003.dll
• C:\Program Files\SpySheriff\IESecurity.dll
• C:\Program Files\SpySheriff\notfound.wav
• C:\Program Files\SpySheriff\ProcMon.dll
• C:\Program Files\SpySheriff\removed.wav
• C:\Program Files\SpySheriff\SpySheriff.exe
• C:\Program Files\SpySheriff\Uninstall.exe
• C:\Program Files\SpySheriff\SpySheriff.dvm
– Creates an archive containing a copy of the malware:
• %PROGRAM FILES%\asdfasdfasdfasdfasdfasdfasdfasdf
– %WINDIR%\desktop.html
It attempts to download a file:
– The address is the following:
• www.spy**********.com/trial.php?rest=0&ver=14087464&a=00000088
The file is stored on the hard disk at: %HOME%\Application Data\Install.dat
This file is also executed after it has been downloaded from the Internet.
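A host-side check for the indicators this entry lists (the dropped and downloaded files above and the Run-key persistence and wallpaper hijack described in the registry section), written as an added example rather than taken from the original description; the function name is my own, and mapping "%HOME%\Application Data" to $env:APPDATA and "%PROGRAM FILES%" to $env:ProgramFiles is an assumption.

```powershell
# Added example, not part of the original description. Reports Joke/Renos.W
# indicators on the current user profile; it only reads, it removes nothing.
# Assumptions: function name is mine; %HOME%\Application Data -> $env:APPDATA,
# %PROGRAM FILES% -> $env:ProgramFiles, %WINDIR% -> $env:windir.
function Test-RenosWIndicators {
    $findings = @()

    # Persistence: Run value "Windows installer" pointing at c:\winstall.exe
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Windows installer']) {
        $findings += "Run value 'Windows installer' = $($run.'Windows installer')"
    }

    # Files the description says are copied, created or downloaded
    $paths = @(
        'C:\winstall.exe',
        (Join-Path $env:ProgramFiles 'SpySheriff\SpySheriff.exe'),
        (Join-Path $env:ProgramFiles 'asdfasdfasdfasdfasdfasdfasdfasdf'),
        (Join-Path $env:windir 'desktop.html'),
        (Join-Path $env:APPDATA 'Install.dat')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }

    # Wallpaper hijack: policy wallpaper redirected to desktop.html and
    # Active Desktop forced on through the Explorer policy key
    $sysKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $sys = Get-ItemProperty -Path $sysKey -ErrorAction SilentlyContinue
    if ($sys -and $sys.Wallpaper -like '*\desktop.html') {
        $findings += "Policies\System Wallpaper = $($sys.Wallpaper)"
    }
    $expKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $exp = Get-ItemProperty -Path $expKey -ErrorAction SilentlyContinue
    if ($exp -and $exp.ForceActiveDesktopOn -eq 1) {
        $findings += 'Policies\Explorer ForceActiveDesktopOn = 1'
    }

    # Comma keeps an empty result as an array instead of $null
    return ,$findings
}

$hits = Test-RenosWIndicators
if ($hits.Count -eq 0) { 'No Joke/Renos.W indicators found' } else { $hits }
```

The script checks only the current user's HKCU hive, so run it in the context of the affected account.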
System registry
The following key is added to the registry so that the process runs at system restart:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "Windows installer"="c:\winstall.exe"
The values of the following keys are deleted from the system registry:
– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• pro
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
• NoDesktop
The following registry keys are deleted, including all their values and subkeys:
• [HKCU\SOFTWARE\Install]
• [HKCU\Software\Microsoft\Internet Explorer\Desktop\Components]
• [HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0]
The following keys are added to the system registry:
– [HKCU\Software\Microsoft\Internet Explorer\Desktop\Components]
• "DeskHtmlVersion"=dword:00000110
• "DeskHtmlMinorVersion"=dword:00000005
• "Settings"=dword:00000001
• "GeneralFlags"=dword:00000000
– [HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0]
• "Source"="About:Home"
• "SubscribedURL"="About:Home"
• "FriendlyName"="My Current Home Page"
• "Flags"=dword:00000002
• "Position"=hex:%hex values%
• "CurrentState"=dword:40000004
• "OriginalStateInfo"=hex:%hex values%
• "RestoredStateInfo"=hex:%hex values%
The following registry keys are modified:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Old value:
• "Wallpaper"="%user settings%"
New value:
• "Wallpaper"="%WINDIR%\desktop.html"
– [HKCU\Control Panel\Desktop]
Old value:
• "Pattern"="%user settings%"
New value:
• "Pattern"=""
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Old value:
• "NoDriveTypeAutoRun"=dword:%user settings%
• "NoActiveDesktop"=dword:%user settings%
• "ClassicShell"=dword:%user settings%
• "ForceActiveDesktopOn"=dword:%user settings%
New value:
• "NoDriveTypeAutoRun"=dword:00000091
• "NoActiveDesktop"=dword:00000000
• "ClassicShell"=dword:00000000
• "ForceActiveDesktopOn"=dword:00000001
– [HKCU\Software\Microsoft\Internet Explorer\Desktop\General]
Old value:
• "WallpaperFileTime"=hex:%user settings%
• "WallpaperLocalFileTime"=hex:%user settings%
• "TileWallpaper"="%user settings%"
• "WallpaperStyle"="%user settings%"
• "ComponentsPositioned"=dword:%user settings%
New value:
• "WallpaperFileTime"=hex:be,a1,a0,ff,22,de,c5,01
• "WallpaperLocalFileTime"=hex:be,71,29,c3,33,de,c5,01
• "TileWallpaper"="0"
• "WallpaperStyle"="2"
• "ComponentsPositioned"=dword:00000002
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
Old value:
• "NoChangingWallpaper"=dword:%user settings%
• "NoComponents"=dword:%user settings%
• "NoAddingComponents"=dword:%user settings%
• "NoDeletingComponents"=dword:%user settings%
• "NoEditingComponents"=dword:%user settings%
• "NoHTMLWallPaper"=dword:%user settings%
New value:
• "NoChangingWallpaper"=dword:00000000
• "NoComponents"=dword:00000000
• "NoAddingComponents"=dword:00000000
• "NoDeletingComponents"=dword:00000000
• "NoEditingComponents"=dword:00000000
• "NoHTMLWallPaper"=dword:00000000

File details
Programming language used: C (compiled with Microsoft Visual C++).
Description inserted by Iulia Diaconescu on Tuesday, 1 November 2005
Description updated by Iulia Diaconescu on Monday, 12 December 2005