Name: TR/Joleee.53248
Date discovered: 3 November 2009
Type: Trojan
In the wild: Yes
Reported infections: Low to medium
Distribution potential: Low
Damage potential: Low to medium
Static file: Yes
File size: 53,248 bytes
MD5 checksum: 5210d61c407275a8a2fe9c991a7844e9
IVDF version: 7.01.06.185 - Tuesday, 3 November 2009
General
Aliases:
• McAfee: W32/IRCbot.gen
• Sophos: Mal/Generic-A
• Panda: W32/Joleee.J.worm
• ESET: Win32/IRCBot
• BitDefender: Trojan.Generic.1646652
Platforms / operating systems:
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Creates malicious files
• Modifies the registry

Files
It copies itself to the following location:
• %SYSDIR%\adsldpcm.exe
It deletes the initially executed copy of itself.
The following file is created:
– %SYSDIR%\1962655114.dat
It tries to execute the following files:
– Filename:
• %SYSDIR%\adsldpcm.exe;240;%malware execution directory%\%executed file%
– Filename:
• svchost.exe "%SYSDIR%\adsldpcm.exe"

Registry
The following registry keys are added:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image name>]
• "Debugger"="ntsd -d"
One such key, each with the same "Debugger"="ntsd -d" value, is created for every one of the following image names. A Debugger value under an Image File Execution Options key makes Windows start the named debugger whenever that image is launched; pointing it at ntsd -d effectively prevents the listed security and analysis tools from running normally:
• Navapw32.exe
• NAVWNT.EXE
• avgnt.exe
• guardgui.exe
• outpost.exe
• Navapsvc.exe
• Zanda.exe
• KASMain.exe
• bdagent.exe
• KASTask.exe
• caavguiscan.exe
• DRWEB32.EXE
• FPWin.exe
• guardxservice.exe
• zapro.exe
• ashDisp.exe
• preupd.exe
• scan32.exe
• FPAVServer.exe
• avp.exe
• avcenter.exe
• fpscan.exe
• casecuritycenter.exe
• FAMEH32.EXE
• KAV32.exe
• avz4.exe
• KAVPF.exe
• bdinit.exe
• arcavir.exe
• HijackThis.exe
• filemon.exe
• regedit.exe
• OllyDBG.EXE
• cmdagent.exe
• ekrn.exe
• SfFnUp.exe
• NAVW32.EXE
• avadmin.exe
• ashUpd.exe
• autoruns.exe
• ashEnhcd.exe
• zoneband.dll
• avz.exe
• Vba32arkit.exe
• guardxup.exe
• caav.exe
• KAVStart.exe
• regmon.exe
• avp.com
• navigator.exe
• ArcaCheck.exe
• nod32.exe
• zonealarm.exe
• vba32ldr.exe
• AvMonitor.exe
• AVP32.EXE
• niu.exe
• cfp.exe
• avz_se.exe
• vsserv.exe
• nod32krn.exe
• CCenter.exe
• aswUpdSv.exe
• procexp.exe
• NAVNT.EXE
• fsgk32st.exe
• KPFW32.exe
• cfpupdat.exe
• fsav32.exe
• Zlh.exe
• avconsol.exe
• pskdr.exe
• KPFW32X.exe
• avconfig.exe
• KAVPFW.exe
• avcls.exe
• a2service.exe
• avgrssvc.exe
• drwadins.exe
• KAVDX.exe
• avscan.exe
• FSMA32.EXE
• NAVSTUB.EXE
• ashServ.exe
• avguard.exe
• RegTool.exe
• drwebupw.exe
• ccupdate.exe
• Nvcc.exe
• GFRing3.exe
– [HKLM\SOFTWARE\Microsoft\Security Center]
• "AntiVirusDisableNotify"=dword:0x00000001
• "FirewallDisableNotify"=dword:0x00000001
• "UpdatesDisableNotify"=dword:0x00000001
These three values suppress the Windows Security Center warnings about disabled antivirus, firewall and automatic updates.
The following registry key is changed:
– [HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
New value:
• "DisableRawSecurity"=dword:0x00000001
Setting DisableRawSecurity to 1 removes the AFD check that restricts raw socket use to administrators, so any process on the host can send crafted or spoofed packets.

Backdoor
The following port is opened:
– 239.255.2**********.2********** on UDP port 1900

File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.
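The registry changes listed above are the most durable indicators of this trojan, so a practitioner will want a repeatable way to check a suspect host for them. The script below is an added example for this page, not Avira's tooling or part of the original description: it parses a `reg export` (.reg) file taken from the host and reports Image File Execution Options keys that carry a Debugger value (an exact "ntsd -d" is reported as MATCH, any other debugger as REVIEW, since developers legitimately use this mechanism for just-in-time debuggers), Security Center *DisableNotify values set to 1, and AFD DisableRawSecurity=1. The embedded .reg text is a constructed sample, not a real export; the mydbg.exe, devenv.exe and notepad.exe entries in it are invented benign entries included to show the REVIEW and no-finding paths.

```python
"""Offline triage of a `reg export` file for the registry indicators of TR/Joleee.53248.

Added example (not Avira's code). The SAMPLE_REG export below is constructed.
"""
from typing import Dict, List, Optional, Tuple

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" + "\\"
SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
AFD_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters"
NOTIFY_VALUES = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")

Finding = Tuple[str, str]  # (category, human-readable detail)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"=value lines into {key path: {name.lower(): raw value}}.

    Value names are lower-cased because the registry compares them case-insensitively,
    so a malware author writing "debugger" instead of "Debugger" must not evade the check.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, raw = line.partition('"=')
            keys[current][name[1:].lower()] = raw
    return keys


def reg_sz(raw: str) -> str:
    """Unescape a REG_SZ literal as reg export writes it: "..." with \\ and \" escapes."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw  # hex(...) encoded values are returned untouched and end up as REVIEW


def reg_dword(raw: str) -> Optional[int]:
    """Decode a dword:XXXXXXXX literal; None for any other value type."""
    return int(raw[6:], 16) if raw.lower().startswith("dword:") else None


def triage(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    # IFEO: any Debugger value redirects process creation for that image.
    for path, values in keys.items():
        if path.lower().startswith(IFEO_PREFIX.lower()) and "debugger" in values:
            image = path[len(IFEO_PREFIX):]
            debugger = reg_sz(values["debugger"])
            verdict = "MATCH" if debugger.strip().lower() == "ntsd -d" else "REVIEW"
            findings.append(("ifeo_debugger", f"{verdict} {image} -> {debugger}"))
    by_path = {p.lower(): v for p, v in keys.items()}  # key paths are case-insensitive too
    # Security Center: notification suppression for AV / firewall / updates.
    sc = by_path.get(SECURITY_CENTER.lower(), {})
    for name in NOTIFY_VALUES:
        if reg_dword(sc.get(name.lower(), "")) == 1:
            findings.append(("security_center", f"{name}=1 (Security Center warning suppressed)"))
    # AFD: raw sockets opened up to non-administrators.
    afd = by_path.get(AFD_PARAMS.lower(), {})
    if reg_dword(afd.get("disablerawsecurity", "")) == 1:
        findings.append(("afd_raw_sockets", "DisableRawSecurity=1 (raw sockets allowed for non-administrators)"))
    return findings


def triage_reg_text(text: str) -> List[Finding]:
    return triage(parse_reg(text))


def triage_reg_file(path: str) -> List[Finding]:
    # reg.exe writes exports as UTF-16LE with a BOM; the "utf-16" codec honours the BOM.
    with open(path, encoding="utf-16") as fh:
        return triage_reg_text(fh.read())


# Constructed sample export: two trojan-style hijacks, one invented benign JIT debugger
# entry, one IFEO key without a Debugger value, and the Security Center / AFD values.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"Debugger"="\"C:\\Tools\\mydbg.exe\" -p"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
"DisableRawSecurity"=dword:00000001
"""

if __name__ == "__main__":
    for category, detail in triage_reg_text(SAMPLE_REG):
        print(f"{category:16} {detail}")
```

On a real host, export the three keys with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (and likewise for the Security Center and AFD\Parameters keys) and pass each file to triage_reg_file. A REVIEW finding is not evidence of infection by itself; compare it with the tool the debugger path points to before removing anything, while every MATCH entry can be deleted outright and the value of DisableRawSecurity restored, alongside checking for %SYSDIR%\adsldpcm.exe and %SYSDIR%\1962655114.dat.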
Description inserted by Petre Galan on Wednesday, 7 April 2010. Description updated by Petre Galan on Wednesday, 7 April 2010.