Name: TR/PSW.WOW.FL
Discovered on: 16/08/2006
Type: Trojan
In the wild (ITW): No
Number of reported infections: Low
Spread potential: Low
Damage potential: Medium
Static file: Yes
Size: 46,593 bytes
MD5: ef6d2a817015475d18dd6ae45f95c332
VDF version: 6.35.01.99
IVDF version: 6.35.01.100 - Wednesday 16 August 2006

General

Spreading method:
• Has no propagation routine of its own

Aliases:
• Kaspersky: Trojan-PSW.Win32.WOW.fl
• TrendMicro: TSPY_WOW.KG
• Bitdefender: Trojan.PWS.WOW.AD

Operating systems:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Terminates security applications
• Creates a file
• Creates a malware file
• Registry modifications
• Steals information

Files

It copies itself to the following locations:
• %WINDIR%\Debug\DebugProgram.exe
• %WINDIR%\System32\regedit.com
• %SYSDIR%\dxdiag.com
• %SYSDIR%\MSCONFIG.COM
• d:\pagefile.pif
• %WINDIR%\ExERoute.exe
• %WINDIR%\1.com
• %WINDIR%\explorer.com
• %PROGRAM FILES%\Common Files\iexplore.pif
• %PROGRAM FILES%\Common Files\iexplore.com
• %WINDIR%\finder.com
• %SYSDIR%\command.pif
• %SYSDIR%\finder.com
• %SYSDIR%\rundll32.com
• %WINDIR%\WINLOGON.EXE

The following file is created:
– D:\autorun.inf
Further analysis revealed that this file is also malware. Detected as: TR/PSW.WOW.CJ

System registry

The following key is added to the registry so that the process runs again after a system restart:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • "Torjan Program"="%WINDIR%\WINLOGON.EXE"

The following keys are added to the system registry:
– HKCU\Software\VB and VBA Program Settings\Microsoft Soft Debuger\Settings
  • "GUID"="{%CLSID% }"
– HKCR\.exe
  • "(Default)"="winfiles"
– HKCR\winfiles\Shell\Open\Command
  • "(Default)"="%WINDIR%\ExERoute.exe "%1" %*"
– HKCR\winfiles\DefaultIcon
  • "(Default)"="%1"
– HKCR\winfiles
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • "Shell"="Explorer.exe 1"
– HKCR\Drive\shell\find\command
  • "(Default)"="%SystemRoot%\explorer.com"
– HKCR\http\shell\open\command
  • "(Default)"=""%PROGRAM FILES%\common files\iexplore.pif" -nohome"
– HKCR\htmlfile\shell\opennew\command
  • "(Default)"=""%PROGRAM FILES%\common files\iexplore.pif" %1"
– HKCR\ftp\shell\open\command
  • "(Default)"=""%PROGRAM FILES%\Internet Explorer\iexplore.com" %1"
– HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
  • "(Default)"=""%PROGRAM FILES%\Internet Explorer\iexplore.com""
– HKCR\Applications\iexplore.exe\shell\open\command
  • "(Default)"=""%PROGRAM FILES%\Internet Explorer\iexplore.com" %1"
– HKCU\Software\Microsoft\Internet Explorer\Main
  • "Check_Associations"="No"
– HKCR\htmlfile\shell\open\command
  • "(Default)"=""%PROGRAM FILES%\Internet Explorer\iexplore.com" -nohome"
– HKCR\Unknown\shell\openas\command
  • "(Default)"="%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
– HKCR\telnet\shell\open\command
  • "(Default)"="finder.com url.dll,TelnetProtocolHandler %l"
– HKCR\scriptletfile\Shell\Generate Typelib\command
  • "(Default)"=""%SYSDIR%\finder.com" %SYSDIR%\scrobj.dll,GenerateTypeLib "%1""
– HKCR\scrfile\shell\install\command
  • "(Default)"="finder.com desk.cpl,InstallScreenSaver %l"
– HKCR\InternetShortcut\shell\open\command
  • "(Default)"="finder.com shdocvw.dll,OpenURL %l"
– HKCR\inffile\shell\Install\command
  • "(Default)"="%SystemRoot%\System32\rundll32.com setupapi,InstallHinfSection DefaultInstall 132 %1"
– HKCR\htmlfile\shell\Print\command
  • "(Default)"=""%PROGRAM FILES%\Microsoft Office\Office10\msohtmed.exe" /p %1"
– HKCR\dunfile\shell\open\command
  • "(Default)"="%SystemRoot%\system32\rundll32.com NETSHELL.DLL,InvokeDunFile %1"
– HKCR\cplfile\shell\cplopen\command
  • "(Default)"="rundll32.com shell32.dll,Control_RunDLL %1,%*"
– HKCR\.bfc\ShellNew
  • "command"="%SystemRoot%\system32\rundll32.com %SystemRoot%\system32\syncui.dll,Briefcase_Create %2!d! %1"
– HKCR\.lnk\ShellNew
  • "command"="rundll32.com appwiz.cpl,NewLinkHere %1"
– HKCU\Software\Microsoft\Visual Basic\5.0

Process termination

List of terminated processes:
• RAVMON.EXE; TROJDIE; KPOP; CCENTER; ASSISTSE; KPFW; AGENTSVR; KREG; IEFIND; IPARMOR; SVI.EXE; UPHC; RULEWIZE; FYGT; RFWSRV; RFWMA

Information theft

It attempts to obtain the following information:
– Passwords from the following programs:
  • World of Warcraft
  • The Legend of Mir
– A logging routine is started after a site containing one of the following strings in its URL is visited:
  • us.logon.worldofwarcraft.com
  • eu.logon.worldofwarcraft.com
  • tw.logon.worldofwarcraft.com

File details

Programming language:
The programming language used is Visual Basic.

File compression:
To hinder detection and reduce the file size, a runtime packer is used.
Description inserted by Marius T. Nicolae on Tuesday 12 September 2006. Description updated by Andrei Ivanes on Thursday 5 October 2006.