Besoin d’aide ? Fais appel à la communauté ou embauche un spécialiste.
Aller à Avira Answers
Nom:Worm/Kolabc.hqm
La date de la dcouverte:23/12/2009
Type:Ver
En circulation:Oui
Infections signales Faible
Potentiel de distribution:Faible a moyen
Potentiel de destruction:Moyen
Fichier statique:Oui
Taille du fichier:171.795 Octets
Somme de contrle MD5:cc88f4f016cb52cceb6d9acfe271e233
Version IVDF:7.10.02.56 - mercredi 23 décembre 2009

 Gnral Mthode de propagation:
    Autorun feature (fr)
   • Le rseau local


Les alias:
   •  Mcafee: W32/Spybot.worm
   •  Sophos: Mal/Behav-004
   •  Panda: W32/Kolabc.AF
   •  Eset: Win32/Hatob.E
   •  Bitdefender: Trojan.Agent.ANTD


Plateformes / Systmes d'exploitation:
   • Windows 2000
   • Windows XP
   • Windows 2003


Effets secondaires:
   • Il cre des fichiers malveillants
   • Il diminue les rglages de scurit
   • Il modifie des registres
   • Il vole de l'information
   • Il facilite l'accs non autoris l'ordinateur

 Fichiers Il s'autocopie dans les emplacements suivants:
   • %WINDIR%\Fonts\unwise_.exe
   • \RECYCLER\%CLSID%\unwise_.exe



Le fichier suivant est cr:

\autorun.inf Ceci est un fichier texte non malveillant avec le contenu suivant:
   •

 Registre La cl de registre suivante est ajoute afin de lancer le processus aprs le redmarrage:

[HKLM\SYSTEM\CurrentControlSet\Services\Windows Hosts Controller]
   • "Description"="Enables Windows Host Controller Service. This service cannot be stopped."
   • "DisplayName"="Windows Hosts Controller"
   • "ErrorControl"=dword:0x00000000
   • "FailureActions"=hex:0A,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,2E,00,73,00,01,00,00,00,B8,0B,00,00
   • "ImagePath"=""%WINDIR%\Fonts\unwise_.exe""
   • "ObjectName"="LocalSystem"
   • "Start"=dword:0x00000002
   • "Type"=dword:0x00000110



Les cls de registre suivantes sont ajoute:

[HKLM\SOFTWARE\Microsoft\Security Center]
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "AntiVirusOverride"=dword:0x00000001
   • "FirewallDisableNotify"=dword:0x00000001
   • "FirewallOverride"=dword:0x00000001

[HKLM\SOFTWARE\Policies\Microsoft\MRT]
   • "DontReportInfectionInformation"=dword:0x00000001

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\
   Windows File Protection]
   • "SFCDisable"=dword:0xffffff9d
   • "SFCScan"=dword:0x00000000

[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
   • "DoNotAllowXPSP2"=dword:0x00000001



Les cls de registre suivantes sont changes:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
   La nouvelle valeur:
   • "intime"="04/01/2010, 08:57 AM"
   • "msgone"="%le fichier excut%"
   • "reup"=dword:0x00000475

[HKLM\SYSTEM\CurrentControlSet\Control]
   La nouvelle valeur:
   • "WaitToKillServiceT"="5000"

[HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
   La nouvelle valeur:
   • "AutoShareServer"=dword:0x00000001
   • "AutoShareWks"=dword:0x00000001
   • "SizReqBuf"=dword:0x00004000

[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   La nouvelle valeur:
   • "restrictanonymous"=dword:0x00000001

[HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
   La nouvelle valeur:
   • "AllowUserRawAccess"=dword:0x00000001
   • "DefaultTTL"=dword:0x00000040
   • "EnablePMTUBHDetect"=dword:0x00000000
   • "EnablePMTUDiscovery"=dword:0x00000001
   • "GlobalMaxTcpWindowSize"=dword:0x0003ebc0
   • "LargeBufferSize"=dword:0x000c8000
   • "MaxUserPort"=dword:0x0000fffe
   • "SackOpts"=dword:0x00000001
   • "StrictTimeWaitSeqCheck"=dword:0x00000001
   • "Tcp1323Opts"=dword:0x00000001
   • "TcpMaxDupAcks"=dword:0x00000002
   • "TcpNumConnections"=dword:0x00fffffe
   • "TcpTimedWaitDelay"=dword:0x0000001e
   • "TcpWindowSize"=dword:0x0003ebc0

[HKLM\SOFTWARE\Microsoft\Ole]
   La nouvelle valeur:
   • "EnableDCOM"="N"

[HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
   La nouvelle valeur:
   • "DisableRawSecurity"=dword:0x00000001

Dsactive le Pare-feu du Windows:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\DomainProfile]
   La nouvelle valeur:
   • "DisableNotifications"=dword:0x00000001
   • "DoNotAllowExceptions"=dword:0x00000000
   • "EnableFirewall"=dword:0x00000000

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile]
   La nouvelle valeur:
   • "DisableNotifications"=dword:0x00000001
   • "DoNotAllowExceptions"=dword:0x00000000
   • "EnableFirewall"=dword:0x00000000

 Programme de messagerie Il se rpand par l'intermdiaire du programme de messagerie. Les caractristiques sont dcrites ci-dessous:

 MSN Messenger

Le URL se rapporte alors une copie du malware dcrit. Si l'utilisateur tlcharge et excute ce fichier le procd d'infection commencera encore.

 Infection du rseau Afin de assurer sa propagation, le malware essaye de se connecter d'autres machines comme dcrit ci-dessous.


Il emploie les informations d'identification suivantes afin de gagner accs la machine distante:

Une liste de noms d'utilisateurs et de mots de passe:
   • zxcv; zxc; zap; yxcv; youwontguessme; xyzzy; xyz; xxxxxxxxx; xxxxxxxx;
      xxxxxxx; xxxxx; xx; xp; win2k; win; wired; winxp; winston; winpass;
      winnt; wing; wine; windozexp; windozeME; windoze98; windoze95;
      windoze2k; windoze; WindowsXP; windowsME; windows98; windows95;
      windows2k; windows; windose; Win2KPro; fnc; vps; virus; USA; sqlpass;
      sql; Serveur; students; slave; secrets; secret; sysadmin; support;
      security; school; sa; userpass; username; usermane; user1; trojan;
      testing; tester; test123; Test; rooted; remote; r00t; blink182;
      qwerty; qwert; qwer; qwe; pwd; pw123; pw; password123; password1;
      Password; PASSWORD; password; passwd; pass1234; pass123; pass; owned;
      own; NULL; myvps; mssql; mysql; M$; mypc123; mypc; mypass123; mypass;
      MS; machine; microsoft; myvnc; loginpass; LOCAL; login; Unix; l33t;
      l337; letmein; hax; hacked; guessme; guess; fuckyou; fucked;
      education; EDU; U*; domainpassword; smbpass; smb; dbpass; db1234;
      desktop; dead; dave; databasepassword; database; daemon; defaultpass;
      closed; closed!; customer; changeme!; changeme; changethis; change;
      apache; anything; account?; abc123; abc; abcd; asdf; AAAA; aussie;
      88888888; 654321; 54321; 123qwe; 123asd; 123abc; 1234qwer; 123467890;
      12346789; 1234678; 123467; 12346; 123456789; 12345678; 1234567;
      123456; 12345; 1234; 123123; 123; 121212; 121; 12; 11111111; 111111;
      111; 110; 0wned; 0wn3d; 007; 00000000; 000000; 00000; 0000; 000; 00;
      %%%%%; %%%%; %%%; %%; !@; $%^&*; xXx; xxxx; xxx; aspnet69; aspnet;
      mailserver; Compaqblah; hallintovirkailijat; administrator; Access;
      admin123; admin; webserver; www; Kullan; FormationPLUS; vnc; BOSS;
      pc05; pc04; pc03; pc02; pc01; Professional; Serv-U FTP; serv-u;
      slimftp; lightHTTPD; warftpd; ftpd; proftpd; accounting; account;
      access; serveur ftp; michelle; myftp; mybox; msumer; Compaqsecret;
      Dell; IBM; Acer; m$; IPC; SMB; MS_USER; SMBUSER; fv; billgates; users;
      qaz; z1; aaa; aa; linux; unix; !@; $%^&; !@; $%^; !@; $%; !@; $; !@; ;
      !@; 31337; guest; box5; box4; box3; box2; box1; box; sudo; gameserver;
      game server; H-O; DR; exploited; DiVX-SERVER; DiVX; bill gates;
      Client05; Client04; Client03; Client02; Client01; Client; blah; 05;
      04; 03; 02; 01; ASP.NET; rdp; luna; liverpool; charlie; monkey;
      arsenal; thomas; master; Standard; httpd; apache server; root; owner;
      Admin1; ADMIN; admins; adm; SYSTEM; manager; serveur; Servidor;
      Utilizador; Server; default; Default; xxxxxx; Contgenerale;
      Amministratore; Hallintovirkailijat; Verwalter; Rendszergazda;
      Beheerder; Administracion; Administrat; Administrators;
      Administration; Administratori; Administratore; Administrador';
      Administratoro; Administrada; Administrateur; Administrador; Admin;
      Administrator



La vulnrabilit:
Il se sert des vulnrabilits suivantes:
 MS02-018 (Patch for Internet Information Service)
– MS03-007 (Unchecked Buffer in Windows Component)
– MS03-026 (Buffer Overrun in RPC Interface)
– MS03-039 (Buffer Overrun in RPCSS Service)
– MS03-049 (Buffer Overrun in the Workstation Service)
– MS04-007 (ASN.1 Vulnerability)
 MS06-040 (Vulnrabilit dans Service de Serveur)
 La porte drobe Bagle (port 2745)
 La porte drobe NetDevil (port 903)
 La porte drobe Optix (port 3140)
 La porte drobe SubSeven (port 27347)


La cration des adresses IP:
Il cre des adresses IP alatoires tandis qu'il garde le premier octet de son propre adresse. Ensuite il essaye d'tablir une connexion avec les adresses cres.


Excution distance:
Il essaye de programmer une excution distance du malware, sur la machine nouvellement infecte. Par consquent il emploie la fonction NetScheduleJobAdd.

 IRC Afin de fournir des informations sur le systme et d'accs distance, il se connecte aux serveurs IRC suivants:

Serveur: cx10man.we**********.com
Port: 3305
Canal: #mm
Pseudonyme: P|%chane de caractres alatoire%

Serveur: fx010413.w**********.org

Serveur: gynoman.we**********.com

Serveur: g.0x**********.biz

Serveur: c010x1.c**********.cc

Serveur: commgr.c**********.cc

Serveur: telephone.dd.bl**********.be

Serveur: phonewire.dd.bl**********.be

Serveur: phonelogin.dd.bl**********.be

Serveur: ufospace.et**********.net

Serveur: theforums.bb**********.com

Serveur: cx10man.we**********.com

Serveur: fx010413.w**********.org

Serveur: gynoman.we**********.com

Serveur: g.0x**********.biz

Serveur: c010x1.c**********.cc

Serveur: commgr.c**********.cc

Serveur: telephone.dd.bl**********.be

Serveur: phonewire.dd.bl**********.be

Serveur: phonelogin.dd.bl**********.be

Serveur: ufospace.et**********.net

Serveur: theforums.bb**********.com

 Arrt de processus: La liste des processus qui sont termins:
   • SYSUPD.EXE; SVSHOST.EXE; SVCHOSTC.EXE; MSSMPP.EXE; WINDOWS12.EXE;
      DUP.EXE; NSECURITY.EXE; INSSVC.EXE; DOG.BAT; MSNET.BAT; ROOTKIT2.EXE;
      RUN_BOT.BAT.EXE; LOGONER.EXE; LOGDEC.EXE; WEBXGRAB.EXE; GG.EXE;
      WOLFF.EXE; HZ.EXE; WINPGA.EXE; WQRTUHX.EXE; DMI.EXE; RSPOOL.EXE;
      IRB.EXE; V1RG1N.EXE; ROPNC.EXE; XGUN.EXE; ADV693.EXE; JSSA.EXE;
      V1RGF.EXE; U.EXE; V1Rg1N.EXE; KA6BER.EXE; TEST.EXE; SCANS.EXE;
      SECURAQ.EXE; PS2M.EXE; OURNIK.EXE; O1O2O3O4.EXE; OF.EXE;
      TAMER.BAT.EXE; 5H7H8V6B1C5.EXE; DUAL.EXE; NXM.EXE; GT.EXE; NOPE.EXE;
      M.EXE; LOADADV735.EXE; ABO.EXE; LAM.EXE; BOX.EXE; HTRAN_V1.EXE;
      RSERVER.EXE; JOINED.EXE; HOOKIAT.EXE; UAY.EXE; OWNT.EXE; WNETWORK.EXE;
      WISHS.EXEWSEMGR.EXE; W32SIM.EXE; DISK10.EXE; WINCLEAN.EXE;
      WINUPPD.EXE; ISASS.EXE; WINIOGON.EXE; SPOOISV.EXE; VIDEOATI0.EXE;
      IS67538.EXE; BLKL.EXE; BULK.EXE; MSWDNS32.EXE; WINPKR.EXE;
      WINSNTE.EXE; EBAY.EXE; WANMPSVC.EXE; WEBMSN.EXE; SYSMGR64.EXE;
      WMISM23.EXE; WINUPDATERAR.EXE; WINSOCKET.EXE; SSQL.EXE; MSSQL32.EXE;
      SXOT.EXE; AKBOT.EXE; DC.EXE; DCZ.EXE; DCOMD.EXE; UNIVERSAL.EXE;
      UTILS32.EXE; R00TKIT.EXE; RK.EXE; ROOTKIT.EXE; T00LKIT.EXE;
      UPDATES.EXE; EXE32.EXE; EXE.EXE; DLLHST.EXE; WINDLL.EXE; GSEC.EXE;
      RUNBATCH.EXE; LOADER32.EXE; WEBEX.EXE; DOWNER.EXE; URX.EXE; PNP.EXE;
      ASN.EXE; URXBOT.EXE; FORBOT.EXE; AGOBOTSVC.EXE; WONK.EXE; PB.EXE;
      AG32.EXE; AGO.EXE; A.EXE; PHATBOT.EXE; AGOBOT3.EXE; AGOBOT.EXE;
      SYST3M33R.EXE; WEBDOWNLOADER.EXE; WEBX.EXE; XFTP.EXE; WINNET.EXE;
      WINREG32.EXE; CONVERTXDCCFILE.EXE; MSSERV.EXE; S0CKS.EXE; SOCKETS.EXE;
      SOX.EXE; SOCKS.EXE; CLASS101.EXE; 101.EXE; MSN.EXE; HAX.EXE; T.BAT;
      SDBOT05C.EXE; SDBOT05B.EXE; SD.EXE; SDBOT.EXE; IRXDCC.EXE; OFFER.EXE;
      IRBOT.EXE; IROFFER.EXE; RCC.EXE; WINMRT32.EXE; WINMRT.EXE;
      ANTISPY.EXE; MSANTISPY.EXE; DRWEB32.EXE; KEYLOGG.EXE; KEYLOG.EXE;
      KEYLOGGER.EXE; RDRBS073.EXE; BDCLI073.EXE; HXDEF073.EXE; HXGOLD.EXE;
      HXDOFENA.EXE; RDRBS100.EXE; BDCLI100.EXE; HXDEF100.EXE; XD.EXE;
      XDCCKIT.EXE; KIT.EXE; RUNTHIS.EXE; DIABL0.EXE; DIABLO.EXE; 6.EXE;
      1.EXE; OWNED.EXE; OMFGLOL.EXE; DOOR.EXE; BD.EXE; SUB7.EXE; TROJAN.EXE;
      HONEY.EXE; ROO32.EXE; ROO.EXE; SYSD32.EXE; ANTIBOTTY.EXE; SELEBEK.EXE;
      SEBEK.EXE; HONEYWALL.EXE; HONEYD.EXE; VIRUS32.EXE; VIRUS.EXE; TQ.EXE;
      BEAST.EXE; ACC3PT.EXE; MYKRALOR.EXE; KRALOR.EXEHAXOR.EXE;
      WINSLAVE.EXE; SLAVE32.EXE; SLAVE.EXE; WINMASTER.EXE; DFTPD.EXE;
      TEMP.EXE; STUB.EXE; WRAPPER.EXE; RDR32.EXE; CIAO.EXE; XTC.EXE;
      WSG32.EXE; RADMIN22.EXE; RADMIN21.EXE; RVIEW.EXE; NI.EXE;
      TASKHIDER.EXE; MSWIN32; FOODS.EXE; POSTCARD.EXE; MSDEV32.EXE;
      RUN0NCE.EXE; SPOOLS32.EXE; SPOOL32.EXE; CRSS32.EXE; IEXPLOREE.EXE;
      QQ.EXE; WINDOWS_UPDATER01.EXE; ADDIQ32.EXE; SYSINFO.EXE;
      WUAMKOPPNP.EXE; SCRH0ST.EXE; SVCH0ST32.EXE; SVHOSTS.EXE; SVHOST.EXE;
      IEXPL0RE.EXE; SVC.EXE; ZF.EXE; ZFR.EXE; WINS32.EXE; WUAMGRE.EXE;
      SCRHOST32.EXE; SASSERE.EXE; SASSER.EXE; BLAST.EXE; MSBLAST.EXE;
      HIDERUN.EXE; TCPSHELL.EXE; XSSH.EXE; ICMD.EXE; FTPIT.EXE; NAAB.EXE;
      PUSU.EXE; TBAR.EXE; ARABIAN.EXE; ARABZ.EXE; DGJDJG.EXE; OOOO.EXE;
      OOOOO.EXE; OP.EXE; 2PAC.EXE; LOGIX.EXE; CASH7OC.JPG; 0CASH.EXE;
      CASH.EXE; AOAUTOUPDATENAV.EXE; XDCC_INSTALL.EXEDD.EXE;
      NETWORKACTIVPIAFCTMV1.5.EXE; PEXPLORER.EXE; PROCDUMP32.EXE;
      PROCDUMP.EXE; TLIST.EXE; FPORT.EXE; FILEMON.EXE; PORTMON.EXE;
      PROCEXP.EXE; REGMON.EXE; WINSNIFF.EXE; HOSTMON.EXE; SHAREMON.EXE;
      TCPSTATS.EXE; TCPSTAT.EXE; TCPMON.EXE; TCPDUMP.EXE; TCPVIEWPRO.EXE;
      TCPVIEW.EXE; ZZ.EXE; DBOT.EXE; HBOT.EXE; A.BAT; AG.EXE; RUNDIL.EXE;
      WINPOOCH.EXE; WINMPAT.EXE; MSSSMSNGR6417.EXE; WAUCULT.EXE; JSWTSS.EXE;
      SVCVHOST.EXE; RP5.EXE; BSDMPLDRVR642.EXE; MYHOST.EXE; MSWINS.EXE;
      WINDOWSVISTA.EXE; QKKKU.EXE; MESSENGERR.EXE; ERASEME.EXE; TSKMAGR.EXE;
      CMH.EXE; SMSC.EXE; QTASK.EXE; WUAUMQR1.EXE; WINLOGIN.EXE;
      INTERNET.EXE; CTFMOM.EXE; WINDOWANTASDIVRI.EXE; SCHOST.EXE;
      NEWBOT.EXE; II.EXE; MSSDEV.EXE; ISHOST.EXE; ISMINI.EXE; NL210.BAT;
      WINUPDTSRV.EXE; MSN_UPDATE.EXE; SYSMONXP.EXE; SVCDATA.EXE; REG32.EXE;
      DLL32.EXE; IEXPLORES.EXE; SUSP.EXE; SPOOL.EXE; 568.EXE; CCUPDATE.EXE;
      LOADADV642.EXE; SSC.EXE; VCMON.EXE; MSTSKMGR.EXE; SERVLCES.EXE;
      SERVLCE.EXE; MSLAUGH.EXE; MSNMGR12.EXE; WINFORM32.EXE; DLLX32.EXE;
      RP.EXE; GECKO.EXE; REPTILE.EXE; LRSYS.EXE; SRSHOST.EXE; MSDOS.EXE;
      WUMGRE.EXE; WUMGR.EXE; D3DUPDATE.EXE; I11R54N4.EXE; BBEAGLE32.EXE;
      BBEAGLE2.EXE; BBEAGLE.EXE; BEAGLE.EXE; SSATE.EXE; VHOST.EXE;
      IESERVER.EXE; DSRSS.EXE; SVVOSTS.EXE; UPDAT.EXE; SERVICESMSI.EXE;
      SPOOLMGR.EXE; WINHELP.EXE; NTTDLL.EXE; IRUN4.EXE; SYS_XP.EXE;
      SVCOST.EXE; WINUSB32.EXE; WINUSB.EXE; WINSPOOLER.EXE; WINSOCK.EXE;
      IPCMGR.EXE; WUAMGRD3.EXE; WUAMGRD.EXE; WUAMGR.EXE; LANSAS.EXE;
      XML32.EXE; XML.EXE; WINZ.EXE; WINSYS.EXE; WGAVM.EXE; STDRUN3.EXE;
      TASKDIR.EXE; PMSNGR.EXE; TASKMSG.EXE; WDFMGR32.EXE; NOTAPED.EXE;
      CSRS.EXE; WINCOMM.EXE; WINOCX.EXE; WINLOLX.EXE; JAVANET.EXE;
      MAXD641.EXE; MS.EXE; SERVICE.EXE; MSNLIVE.EXE; WIP.EXE; 666.EXE;
      MYBOT.EXE; MYT0B.EXE; HELLMSN.EXE; FUNNY_PIC.SCR; MSGM.EXE; MSGMR.EXE;
      WINPADG.EXE; HIDE.EXE; HIDDEN.EXE; HIDDEN32.EXE; HIDDENRUN.EXE;
      WINDOWSP.EXE; WINSYSTEM.EXE; SYSTEM32.EXE; SYSTEM.EXE; WINDOW.EXE;
      WINDOWS.EXE; SAVEUNINST.EXE; WUPS.EXE; SVCSHOTER.EXE; WINMAP.EXE;
      MYDOCS.EXE; WINB.EXE; WINNAMPS.EXE; CMRSS.DLL.EXE; WIN.EXE; WIN32.EXE;
      WINIS.EXE; MSNMSG.EXE; MSNMSGS.EXE; XPFIREWALL.EXE; WFDMGR.EXE;
      TASKM0N.EXE; TASKGMR.EXE; WINCFG32.EXE; SYSCFG32.EXE; SYSCFG16.EXE;
      SYSTRA.EXE; RPC32.EXE; MSMGRXP.EXE; SUHOY.EXE; PICX.EXE; MATHCHK.EXE;
      RUNDLL16.EXE; MSSERRV32.EXE; POPWIN.EXE; RUNDII32.EXE; CTXAD.EXE;
      MSHTML3.EXE; MSHTML2.EXE; MSHTML1.EXE; MSHTML.EXE; NDRV.EXE;
      TSKMGR.EXE; PAPERSRV.EXE; IE7.EXE; IE6.EXE; TASKMNGR32.EXE;
      W32GEN.EXE; RUNDLL.EXE; BOT.EXE; CRXBOT.EXE; DNS32.EXERXBOT.EXE;
      DNSSVC.EXE; DNSSRV.EXE; WIN32UPDATE.EXE; WINSVC.EXE; SCSRC.EXE;
      WSERVICES.EXE; WSERVICE.EXE; WINIME.EXE; LINEWSRV.EXE; MICROSOFT.EXE;
      SERVICES32.EXE; WGAREG.EXE; ASN1SYS.EXE; IIEXPLORER.EXE;
      IIEXPLORE.EXE; LSASS_32.EXE; SSSVHOST.EXE; KERNEL32.EXE; SPOOLVS.EXE;
      SPOOLV.EXE; MSNMSGRR.EXE; MSMMSGR.EXE; MSNER.EXE; MSNUPDATER.EXE;
      MSNUPDATE.EXE; ALG32.EXE; INSTALL_SP.EXE; TMRSERVICE.EXE; MSNPLUS.EXE;
      MSMPLS.EXE; YESBRON.COM; WINLOGON32.EXE; WINL0GIN.EXE; WINL0GON.EXE;
      AK.EXE; AKWID.EXE; SYSER.EXE; WINUPD.EXE; SYS.EXE; WINRPC.EXE;
      LSASS32.EXE; MSDEVELOP.EXE; NETMSN.EXE; WINSOCKX32.EXE; SSERRVV.EXE;
      WINSYS_32.EXE; SERRV.EXE; MYSVCC.EXE; SPOOLSS.EXE; NTSF.EXE; WKS.EXE;
      BINGO.EXE; BINGOO.EXE; SCRHOST.EXE; SVLHOST.EXE; WINSINI.EXE;
      AAAAMON.EXE; DPNWSOCK.EXE; LMHSVC.EXE; S32EVNT1.EXE; DMLOADER.EXE;
      DSKQUOTA.EXE; CATSRV.EXE; RASAPI32.EXE; WINTEMP.EXE; DRIVES.EXE;
      IRDVXC.EXE; CASHBACK.EXE; MSUSB.EXE; MSUPSRV.EXE; MSJAVA.EXE;
      MS-JAVA.EXE; WININET.EXE; WINIOGIN.EXE; MSXML.EXE; NETAPI[1].EXE;
      NETAPI32.EXE; NETAPI.EXE; WINRNR.EXE; WALLPAP[1].EXE; WALLPAP.EXE;
      WINSYSMNGR32.EXE; WINLOAD.EXE; WINCMD.EXE; NETLOGON.EXE;
      EXPLORER32.EXE; DIHF.EXE; WINTASK32.EXE; WINCODECS.EXE; SXSERV101.EXE;
      MSSECURE32.EXE; MSEXPLORE.EXE; DLLSYS64.EXE; SVCHOZT.EXE;
      LIBSYS32.EXE; DLLMGR64.EXE; CRSSCS.EXE; CRSSS.EXE; SMSSS.EXE;
      LSASSS.EXE; ROFL.EXE; LOL.EXE; ROTFLZ.EXE; SVWHOST32.EXE;
      IELOWER2.EXE; IELOWER.EXE; LOWER.EXE; BL0W.EXE; SVCH0ST.EXE;
      WINUPDATES.EXE; WKSSR.EXE; PERFONT.EXE; QTTASK.BAT; MSUPDATE.EXE;
      MSNXPLIVE.EXE; SALVAGE.EXE; FHM.EXE; MSCRASH.EXE; RECSL.EXE;
      BRWCONF.EXE; MSSERV32.EXE; M2.2.EXE; WINDIR32.EXE; ZANGO.EXE;
      RUNJAVA.EXE; SERVICENT.EXE; CSVHOST.EXE; MS32.EXE; W32.EXE; Z.EXE;
      DLL64.EXE; SERV454.EXE; MSIE701.EXE; WINRARX.EXE; UPDATE32.EXE;
      GREEN.EXE; BLING.EXE; CRSSR.EXE; WNL.EXE; OWINSSAP.EXE; SVCHOST32.EXE;
      SVCHOSTS.EXE; RBOT.EXE; SVHOST32.EXE; SVHOSTCS32.EXE; SMS.EXE;
      SEEKMO.EXE; SASS.EXE; SHOST.EXE; SYS32.EXE; SVCCHOSST.EXE;
      BOTPACKED.EXE; EXXPLORER.EXE; IEXPLORE7.EXE; IEXPLORE6.EXE;
      IEXPLOR.EXE; PENIS32.EXE; WORM32.EXE;
      C27D8FEF-D7AE-42C0-82E6-F30598265639.EXE; SCRTKFG.EXE; MSAPPVIEW32.EXE


 Vol d'informations Il essaie de voler l'information suivante:
– L'ID du produit Windows
 Des informations sur le compte d'email, obtenues de la cl de registre: HKCU\Software\Microsoft\Internet Account Manager\Accounts

 Dtails de fichier Logiciel de compression des fichiers excutables:
Afin d'entraver la dtection et de rduire la taille du fichier il est compress avec un logiciel de compression des excutables.

Description insérée par Petre Galan le jeudi 1 avril 2010
Description mise à jour par Andrei Ivanes le jeudi 1 avril 2010

Retour . . . .
https:// Cet écran est crypté pour votre sécurité.