Description complète

Nume:	TR/Agent.AAL
Descoperit pe data de:	22/09/2006
Tip:	Troian
ITW:	Nu
Numar infectii raportate:	Scazut
Potential de raspandire:	Scazut
Potential de distrugere:	Scazut spre mediu
Fisier static:	Da
Marime:	69.632 Bytes
MD5:	4ed6f7364206b0ae28e1cc439102ce5b
Versiune VDF:	6.36.00.49
Versiune IVDF:	6.36.00.60 - mardi 26 septembre 2006

General Metoda de raspandire:
   • Nu are rutina proprie de raspandire

Alias:
   • Mcafee: Kimat

Sistem de operare:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Efecte secundare:
   • Creeaza un fisier
   • Creeaza fisiere malware
   • Modificari in registri

Imediat dupa lansarea in executie, pe ecran este afisat:

Dupa activare, ruleaza un program Windows care afiseaza urmatoarea fereastra:

Fisiere Se copiaza in urmatoarele locatii:
   • %SYSDIR%\ISASS.exe
   • %WINDIR%\Resources\Empty.bat
   • %WINDIR%\Media\msconfig.bat
   • %WINDIR%\security\kernel32.bat
   • %WINDIR%\system32.exe
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Temp.pif
   • %SYSDIR%\LNETINFO.exe
   • %HOME%\My Documents\Data %numele computerului%.exe
   • %SYSDIR%\Kiamat.exe
   • %HOME%\My Documents\%toate subdirectoarele%\%directorul curent%.exe

Este creat fisierul:

– %WINDIR%\security\ms.inf

Registrii sistemului Urmatoarele chei sunt adaugate in registri pentru a rula procesul la repornirea sistemului:

– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "msconfig"="%WINDIR%\Media\msconfig.bat"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Kiamat Sudah Dekat_16_04"="%SYSDIR%\ISASS.exe"

Se adauga in registrii sistemului:

– HKCU\Software\Policies\Microsoft\CurrentVersion\Policies\Explorer
   • "NoFind"=dword:00000001

Urmatoarele chei din registri sunt modificate:

Dezactivarea programelor Regedit si Task Manager:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
   Noua valoare:
   • "DisableRegistryTools"=dword:00000001
   • "DisableTaskMgr"=dword:00000001

– HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
   Vechea valoare:
   • "Hidden"=%setarile utilizatorului%
   • "HideFileExt"=%setarile utilizatorului%
   Noua valoare:
   • "Hidden"=dword:00000002
   • "HideFileExt"=dword:00000001

– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   Vechea valoare:
   • "Shell"="Explorer.exe"
   Noua valoare:
   • "Shell"="Explorer.exe "%WINDIR%\Resources\Empty.bat""

– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
   Noua valoare:
   • "DisableCMD"=dword:00000001

Detaliile fisierului Limbaj de programare:
Limbaj de programare folosit: Visual Basic.

Description insérée par Teodor Onisor le mardi 24 octobre 2006
Description mise à jour par Oliver Auerbach le mercredi 25 octobre 2006

Retour . . . .

Protection avancée pour votre PC

Produits gratuits

Les plus populaires

Tous les produits

Offres groupées

Stations de travail

Server

Offres groupées

Mail Gateways

Web Gateways

Plateformes collaboratives

Particuliers

Entreprises

Virus Lab

Support avancé

Programme Avira Partner

Particuliers

Entreprises

Une simple évaluation vous suffit ?

Manuels et outils