Name: TR/Vb.akv
Discovered on: 18/05/2006
Type: Trojan
In the wild (ITW): No
Reported infections: Low
Spreading potential: Low
Damage potential: Medium to high
Static file: Yes
Size: 188,416 Bytes
MD5: fdd2e621aca76fd503535376e4063118
VDF version: 6.34.01.99
IVDF version: 6.34.01.101 - Thursday 18 May 2006

General
Method of propagation:
• Has no propagation routine of its own
Aliases:
• Kaspersky: Trojan.Win32.VB.akz
• F-Secure: Trojan.Win32.VB.akz
• Eset: Win32/VB.AKZ
• Bitdefender: Trojan.Vb.AKZ
Side effects:
• Closes security applications
• Creates a file
• Lowers security settings
• Registry modifications
Immediately after execution, the following is displayed on screen:

Files
It copies itself to the following locations:
• %WINDIR%\jjakarta.exe
• %HOME%\My Documents\ttrans.exe
• %SYSDIR%\ooke.exe
• %current directory%\%name of current directory%.exe
It deletes the following files:
• %current directory%\*.exe
• %current directory%\*.txt
• %current directory%\*.com
• %current directory%\*.reg
• %current directory%\*.inf
• %current directory%\*.rar
The following files are created:
– A temporary file that may be deleted afterwards:
• %TEMPDIR%\~%hexadecimal number%.tmp
– %HOME%\My Documents\Baca.html

Registry
The following keys are added to the registry:
– [HKCU\Software\Microsoft\MS Setup (ACME)]
– [HKCU\Software\Microsoft\MS Setup (ACME)\User Info]
• "DefCompany"="Terima kasih kepada Vaksin.Com"
• "DefName"="Terima kasih kepada Vaksin.Com"
The following registry keys are modified:
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
Old value:
• "FullPath"=%user settings%
New value:
• "FullPath"=dword:00000001
Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
Old value:
• "FullPath"=%user settings%
New value:
• "FullPath"=dword:00000001
– [HKCR\Directory]
Old value:
• "InfoTip"="prop:DocComments"
New value:
• "InfoTip"=""
• "TileInfo"=""
– [HKCR\Directory\DefaultIcon]
Old value:
• @="%SystemRoot%\System32\shell32.dll,3"
New value:
• @="%WINDIR%\jjakarta.exe"
– [HKCR\Folder]
Old value:
• "TileInfo"="prop:Size"
New value:
• "TileInfo"=""
• "InfoTip"=""
– [HKCR\Folder\DefaultIcon]
Old value:
• @="%SystemRoot%\System32\shell32.dll,3"
New value:
• @="%WINDIR%\jjakarta.exe"
– [HKCR\exefile]
Old value:
• @="Application"
• "TileInfo"="prop:FileDescription;Company;FileVersion"
• "InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"
New value:
• @="File Folder"
• "TileInfo"=""
• "InfoTip"=""
• "NeverShowExt"=""
– [HKCR\txtfile\shell\open\command]
Old value:
• @="%SystemRoot%\system32\NOTEPAD.EXE %1"
New value:
• @="%SYSDIR%\OOKE.EXE %1"
Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• "HideFileExt"=%user settings%
• "ClassicViewState"=%user settings%
• "SuperHidden"=%user settings%
• "ShowSuperHidden"=%user settings%
New value:
• "HideFileExt"=dword:00000001
• "ClassicViewState"=dword:00000001
• "SuperHidden"=dword:00000001
• "ShowSuperHidden"=dword:00000000
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• "HideFileExt"=%user settings%
• "SuperHidden"=%user settings%
• "ShowSuperHidden"=%user settings%
• "ClassicViewState"=%user settings%
New value:
• "HideFileExt"=dword:00000001
• "SuperHidden"=dword:00000001
• "ShowSuperHidden"=dword:00000000
• "ClassicViewState"=dword:00000001
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
New value:
• "DisableCAD"=dword:00000001
– [HKLM\SOFTWARE\Microsoft\Security Center]
Old value:
• "AntiVirusDisableNotify"=%user settings%
• "FirewallDisableNotify"=%user settings%
• "UpdatesDisableNotify"=%user settings%
• "AntiVirusOverride"=%user settings%
• "FirewallOverride"=%user settings%
New value:
• "AntiVirusDisableNotify"=dword:00000001
• "FirewallDisableNotify"=dword:00000001
• "UpdatesDisableNotify"=dword:00000001
• "AntiVirusOverride"=dword:00000000
• "FirewallOverride"=dword:00000000
Disabling Regedit and Task Manager:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
Old value:
• "DisableRegistryTools"=%user settings%
New value:
• "DisableRegistryTools"=dword:00000001
Disabling Regedit and Task Manager:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Old value:
• "DisableRegistryTools"=%user settings%
New value:
• "DisableRegistryTools"=dword:00000001
Disabling Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Old value:
• "DisableRegistryTools"=%user settings%
New value:
• "DisableRegistryTools"=dword:00000001
Disabling Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Old value:
• "DisableRegistryTools"=%user settings%
New value:
• "DisableRegistryTools"=dword:00000001
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
Old value:
• "RegisteredOrganization"=%user settings%
• "RegisteredOwner"=%user settings%
New value:
• "RegisteredOrganization"="Terima kasih kepada Vaksin.Com"
• "RegisteredOwner"="Terima kasih kepada Vaksin.Com"
Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
Old value:
• "NoFind"=%user settings%
• "NoRun"=%user settings%
New value:
• "NoFind"=dword:00000001
• "NoRun"=dword:00000001
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Old value:
• "NoFind"=%user settings%
• "NoRun"=%user settings%
New value:
• "NoFind"=dword:00000001
• "NoRun"=dword:00000001
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Old value:
• "Shell"="explorer.exe"
New value:
• "Shell"="explorer.exe jjakarta.exe"

Process termination
Processes whose window title is one of the following are terminated:
• windows task manager
• search results

File details
Programming language used: Visual Basic.
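As an added example (not part of the Avira description), the read-only PowerShell audit below checks a representative subset of the registry values and dropped files listed in this entry and reports any that are still in the post-infection state. The key paths, value names and expected values come from the entry above; the script structure and the way the XP-era "%HOME%\My Documents" path is resolved are assumptions.

```powershell
# Added audit script, not part of the Avira description. It reads the registry
# values and file paths listed in the entry and reports any that match the
# trojan's post-infection state. Read-only; run from an elevated PowerShell.
$Checks = @(
    # DWORD settings the trojan forces (ShowSuperHidden to 0, the rest to 1)
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';            Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden';        Bad = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';            Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden';        Bad = 0 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'DisableCAD';             Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center';                          Name = 'AntiVirusDisableNotify'; Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center';                          Name = 'FirewallDisableNotify';  Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system';   Name = 'DisableRegistryTools';   Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools';   Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer'; Name = 'NoRun';                  Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFind';                 Bad = 1 },
    # String values pointing at the dropped executables or carrying the marker text
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'Shell';      Pattern = 'jjakarta\.exe' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\Directory\DefaultIcon';                 Name = '(default)';  Pattern = 'jjakarta\.exe' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\Folder\DefaultIcon';                    Name = '(default)';  Pattern = 'jjakarta\.exe' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\exefile';                               Name = '(default)';  Pattern = '^File Folder$' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\txtfile\shell\open\command';            Name = '(default)';  Pattern = 'ooke\.exe' },
    @{ Key = 'HKCU:\Software\Microsoft\MS Setup (ACME)\User Info';                Name = 'DefCompany'; Pattern = 'Vaksin\.Com' }
)

$Findings = @(foreach ($c in $Checks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }   # key or value absent: not in the infected state
    $value = $item.($c.Name)
    $hit = if ($c.ContainsKey('Bad')) { [int]$value -eq $c.Bad } else { "$value" -match $c.Pattern }
    if ($hit) { [pscustomobject]@{ Location = $c.Key; Name = $c.Name; Value = $value } }
})

# Dropped files; "%HOME%\My Documents" is resolved through the shell folder API (assumption)
$Docs  = [Environment]::GetFolderPath('MyDocuments')
$Files = "$env:WINDIR\jjakarta.exe", "$env:SystemRoot\System32\ooke.exe", "$Docs\ttrans.exe", "$Docs\Baca.html"
$Findings += @(foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) { [pscustomobject]@{ Location = 'file'; Name = $f; Value = 'present' } }
})

if ($Findings) { $Findings | Format-Table -AutoSize }
else { 'No indicators from the TR/Vb.akv description were found.' }
```

A hit on the Winlogon "Shell" value or on "DisableRegistryTools" is the quickest triage signal, since those are what keep the trojan running and block manual cleanup.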
Description inserted by Adriana Popa on Friday 24 November 2006. Description updated by Adriana Popa on Friday 24 November 2006.