Description complète

Nom:	TR/VB.Inject.61441.DA
La date de la découverte:	12/03/2010
Type:	Cheval de Troie
En circulation:	Oui
Infections signalées	Faible a moyen
Potentiel de distribution:	Moyen
Potentiel de destruction:	Moyen
Fichier statique:	Oui
Taille du fichier:	61.441 Octets
Somme de contrôle MD5:	7cc9b28b3279b99fbf294180df9e4ecd
Version IVDF:	7.10.05.64 - vendredi 12 mars 2010

Général Méthode de propagation:
   • Fonctionnalité d'exécution automatique
   • Le réseau local
   • Programme de messagerie

Les alias:
   • Mcafee: W32/IRCbot virus
   • Sophos: Mal/VBInject-D
   • Panda: Trj/Kreeper.H
   • Eset: Win32/AutoRun.KS
   • Bitdefender: Trojan.Generic.3546827

Plateformes / Systèmes d'exploitation:
   • Windows 2000
   • Windows XP
   • Windows 2003

Effets secondaires:
   • Il télécharge un fichier malveillant
   • Il crée des fichiers malveillants
   • Il modifie des registres
   • Il facilite l'accès non autorisé à l'ordinateur

Fichiers Il s'autocopie dans les emplacements suivants:
   • \%CLSID%\Mars1.exe
   • \%le nom de l'ordinateur%\%le nom de l'ordinateur%\%le nom de l'ordinateur%x1.exe

Les fichiers suivants sont créés:

– \%le nom de l'ordinateur%\%le nom de l'ordinateur%\Desktop.ini
– \autorun.inf Ceci est un fichier texte non malveillant avec le contenu suivant:
   •

Il essaie de télécharger un ficher:

– L'emplacement est le suivant:
   • http://1.img-myspace.info/net/**********

Registre La clé de registre suivante est ajoutée afin de lancer le processus après le redémarrage:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "InternetServics1"="C:\%CLSID%\Mars1.exe"

Programme de messagerie Il se répand par l'intermédiaire du programme de messagerie. Les caractéristiques sont décrites ci-dessous:

– MSN Messenger
– Yahoo Messenger

Le URL se rapporte alors à une copie du malware décrit. Si l'utilisateur télécharge et exécute ce fichier le procédé d'infection commencera encore.

Infection du réseau Afin de assurer sa propagation, le malware essaye de se connecter à d'autres machines comme décrit ci-dessous.

La vulnérabilité:
Il se sert des vulnérabilités suivantes:
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnérabilité dans Service de Serveur)

IRC Afin de fournir des informations sur le système et d'accès à distance, il se connecte aux serveurs IRC suivants:

Serveur: march.psy**********.cz
Port: 4949
Pseudonyme: VirUs-hlrjbr

Serveur: march.bot**********.info
Port: 4949
Pseudonyme: VirUs-hlrjbr

Hôtes Le fichier hôte est modifié, comme il est expliqué:

– L'accès aux liens URL suivants est redirigé vers d'autres destinations :
   • msnfix.changelog.fr; www.incodesolutions.com; virusinfo.prevx.com;
      download.bleepingcomputer.com; www.dazhizhu.cn; foro.noticias3d.com;
      www.spybotupdates.com; club.myce.com; www.k7computing.com;
      softwaresecuritysolutions.com; www.nabble.com; lurker.clamav.net;
      lexikon.ikarus.at; research.sunbelt-software.com; www.virusdoctor.jp;
      www.elitepvpers.de; guru.avg.com; downloads.sophos.com;
      share.skype.com; myantispyware.com; www.superuser.co.kr; ntfaq.co.kr;
      v.dreamwiz.com; cit.kookmin.ac.kr; forums.whatthetech.com;
      forum.hijackthis.de; avg.vo.llnwd.net; ftp.drweb.com;
      www.zonealarm.com; smadaver.com; support.emsisoft.com;
      www.huaifai.go.th; www.mostz.com; www.krupunmai.com;
      www.cddchiangmai.net; forum.malekal.com; tech.pantip.com;
      sapcupgrades.com; www.elguruinformatico.com; forums.avg.com;
      zastita.com; support.kaspersky.com; www.247fixes.com;
      forum.sysinternals.com; forum.telecharger.01net.com; sophos.com;
      foros.softonic.com; avast-home.uptodown.com;
      dr-web-cureit.softonic.com; heavenward.ru; forum.smadav.net;
      www.forum.kaspersky.com; www.f-secure.com; www.chkrootkit.org;
      diamondcs.com.au; www.rootkit.nl; www.sysinternals.com; z-oleg.com;
      espanol.dir.groups.yahoo.com; ftp01net.telechargement.fr;
      modelayu.com; vaksin.com; bbs.kaspersky.com.cn; www.castlecrops.com;
      www.misec.net; safecomputing.umn.edu; www.antirootkit.com;
      www.greatis.com; ar.answers.yahoo.com; www.elhacker.org;
      research.pandasecurity.com; www.tpu.ro; www.pinoyden.com;
      www.rootkit.com; www.pctools.com; www.pcsupportadvisor.com;
      www.resplendence.com; www.personal.psu.edu; foro.ethek.com;
      foro.elhacker.net; download.zonealarm.com; spywarehammer.com;
      www.codelain.com; vil.nail.com; search.mcafee.com; wwww.mcafee.com;
      download.nai.com; wwww.experts-exchange.com; www.bakunos.com;
      www.darkclockers.com; www2.gmer.net; ariefew.com; www.emsisoft.com;
      forum.romeonet.ro; www.Merijn.org; www.spywareinfo.com;
      www.spybot.info; www.viruslist.com; www.hijackthis.de;
      ftp.f-secure.com; forum.kaspersky.com; es.trendmicro-europe.com;
      www.hvaonline.net; forum.lowyat.net; kb.eset.com; majorgeeks.com;
      www.avp.com; www.virustotal.com; www.sophos.com;
      linhadefensiva.uol.com.br; cmmings.cn; www.sergiwa.com;
      www.el-hacker.com; dl2.agnitum.com; forum.smadav.net;
      images.malwareremoval.com; www.avg-antivirus.net;
      www.kaspersky-labs.com; www.kaspersky.com; www.bleepingcomputer.com;
      www.free.grisoft.com; alerta-antivirus.inteco.es; greatis.com;
      www.oprekpc.com; www.gmer.net; forum.kasperskyclub.com;
      securityresponse.symantec.com; www.analysis.seclab.tuwien.ac.at;
      www.symantec.com; www.kztechs.com; ad-aware-se.uptodown.com;
      stdio-labs.blogspot.com; forum.lrytas.lt; www.decido.de;
      wap.elakiri.com; liveupdate.symantecliveupdate.com;
      liveupdate.symantec.com; customer.symantec.com; update.symantec.com;
      www.box.net; foro.el-hacker.com; acs.pandasoftware.com;
      egavisa.blogspot.com; angui123.cn; beta.eset.com; www.mcafee.com;
      www.free.avg.com; download.mcafee.com; mast.mcafee.com;
      www.tecno-soft.com; ladooscuro.es; ftp.drweb.com;
      download.microsoft.com; www.mypcsafe.com; www.blindedbytech.com;
      kaspersky.com; guru0.grisoft.cz; guru1.grisoft.cz; guru2.grisoft.cz;
      guru3.grisoft.cz; download.bleepingcomputer.com; it.answers.yahoo.com;
      www.softonic.com; www.mycity.rs; cairopt.net;
      rootrepeal.googlepages.com; guru4.grisoft.cz; guru5.grisoft.cz;
      www.virusspy.com; download.f-secure.com; www.malwareremoval.com;
      forums.cnet.com; foros.softonic.com; www.freedrweb.com; www.kaskus.us;
      rootrepeal.psikotick.com; hjt-data.trend-braintree.com;
      www.pantip.com; secubox.aldria.com; www.forospyware.com;
      www.manuelruvalcaba.com; www.zonavirus.com; www.leforo.com;
      www.gsmph.com; blokvesti.net; www.viprasys.org; www.siteadvisor.com;
      blog.threatfire.com; www.threatexpert.com; blog.hispasec.com;
      www.configurarequipos.com; sosvirus.changelog.fr; www.psicofxp.com;
      www.gsmph.net; www.gyakorikerdesek.hu; us.mcafee.com;
      mailcenter.rising.com.cn; mailcenter.rising.com; www.rising.com.cn;
      www.rising.com; www.babooforum.com.br; www.runscanner.net;
      www.blogschapines.com; www.zyzoom.org; www.avsoft.ru; www.elakiri.com;
      sosvirus.changelog.fr; upload.changelog.fr; www.raymond.cc;
      changelog.fr; www.pcentraide.com; atazita.blogspot.com;
      www.thinkpad.cn; www.sunbeltsoftware.com; cert.inteco.es;
      www.gamexeon.com; nod32-antivirus.en.softonic.co; www.final4ever.com;
      files.filefont.com; www.infos-du-net.com; www.trendsecure.com;
      forum.hardware.fr; www.utilidades-utiles.com; blogs.icerocket.com;
      www.spywarefri.dk; alfrasha.maktoob.com; www.eset.eu;
      www.spychecker.com; www.geekstogo.com; forums.maddoktor2.com;
      www.smokey-services.eu; www.clubic.com; www.linhadefensiva.org;
      www.rolandovera.com; forum.burek.com; secure.sophos.com;
      usa.kaspersky.com; download.sysinternals.com; www.pcguide.com;
      www.thetechguide.com; www.ozzu.com; www.changedetection.com;
      espanol.groups.yahoo.com; www.sunbeltsecurity.com;
      www.quickheal.co.in; www.vivalared.com; community.thaiware.com;
      www.avpclub.ddns.info; www.offensivecomputing.net; www.grisoft.com;
      boardreader.com; www.guiadohardware.net; www.webroot.com;
      www.thehelper.net; www.kaldata.com; vil.nai.com;
      www.msnvirusremoval.com; www.cisrt.org; fixmyim.com; samroeng.hi5.com;
      foro.elhacker.net; www.daboweb.com; service1.symantec.com;
      us3.download.comodo.com; forum.gsmhosting.com; www.computerforum.com;
      forums.techguy.org; www.incodesolutions.com;
      hijackthis.download3000.com; www.cybertechhelp.com;
      www.superdicas.com.br; www.51nb.com; us4.download.comodo.com;
      www.jbtalks.cc; ad13.geekstogo.com; downloads.andymanchesta.com;
      andymanchesta.com; info.prevx.com; aknow.prevx.com; www.zonavirus.com;
      securitywonks.net; www.yoreparo.com; www.spywarecease.com;
      forum.dobreprogramy.pl; community.mcafee.com; www.lavasoft.com;
      www.virscan.org; www.eeload.com; down.www.kingsoft.com; www.file.net;
      onecare.live.com; mvps.org; www.laneros.com; www.pc1news.com;
      forum.avira.com; downloads.novirusthanks.org;
      www.housecall.trendmicro.com; www.avast.com; www.free.avg.com;
      www.onlinescan.avast.com; www.ewido.net; www.trucoswindows.net;
      www.mozilla-hispano.org; www.jackbloodforum.com;
      www.kosandpol.elakiri.com; www.futurenow.bitdefender.com;
      www.bitdefender.com; www.f-prot.com; www.trendsecure.com;
      security.symantec.com; oldtimer.geekstogo.com;
      sopiansantosa.blogspot.com; www.fileresearchcenter.com; www.avira.com;
      www.eset.com; www.free.avg.com; www.free-av.com; kr.ahnlab.com;
      www.eset.com; forospyware.com; thejokerx.blogspot.com; cairopt.net;
      oolbar.cyberdefender.com; golpe.dyndns.org; www.2-spyware.com;
      www.antivir.es; www.prevx.com; www.ikarus.net; bbs.s-sos.net;
      www.housecall.trendmicro.com; www.superdicas.com.br;
      www.superantispyware.com; www.unhackme.com; www.askmehelpdesk.com;
      www.forums.majorgeeks.com; www.castlecops.com; www.virusspy.com;
      andymanchesta.com; www.kaspersky.es; subs.geekstogo.com;
      www.forospanish.com; blog.rnsafe.com; www.regrun.com;
      irc.snahosting.net; www.trendmicro.com; www.fortinet.com;
      www.safer-networking.org; www.fortiguardcenter.com; www.dougknox.com;
      www.vsantivirus.com; static.commentcamarche.net;
      www.gyakorikerdesek.hu; www.fixya.com; www.firewallguide.com;
      www.auditmypc.com; www.spywaredb.com; www.mxttchina.com;
      www.ziggamza.net; www.forospyware.es; pogonyuto.forospanish.com;
      spywarefiles.prevx.com; k2r.th3kings.net; www.betterantivirus.com;
      www.antivirus.comodo.com; www.spywareterminator.com;
      www.eradicatespyware.net; www.freespywareremoval.info;
      www.personalfirewall.comodo.com; wakoopa.com; forum.drweb.com;
      bb1.th3kings.net; www.clamav.net; www.antivirus.about.com;
      www.pandasecurity.com; www.webphand.com; mx.answers.yahoo.com;
      www.securitywonks.net; www.messengeradictos.com; www.geekpolice.net;
      bub.th3kings.net; www.sandboxie.com; www.clamwin.com;
      www.cwsandbox.org; www.ca.com; www.arswp.com; es.answers.yahoo.com;
      www.trucoswindows.es; www.ipaddresser.com; www.abgenis.net;
      www.freefixer.com; forums.afterdawn.com; www.networkworld.com;
      www.cddchiangmai.net; www.threatexpert.com; www.norman.com;
      espanol.answers.yahoo.com; www.tallemu.com; foro.portalhacker.net;
      www.groupwhere.org; sniff.runescapetube.com; virscan.org;
      www.viruschief.com; scanner.virus.org; www.hijackthis.de;
      housecall65.trendmicro.com; www.guiadohardware.net;
      forums.whatthetech.com; mustlovewine.com; www3.malekal.com;
      esetnod32antivirus.blogspot.com; hjt.networktechs.com;
      www.techsupportforum.com; www.whatthetech.com; www.soccersuck.com;
      www.pcentraide.com; comunidad.wilkinsonpc.com.co; forum.hocit.com;
      forum.smadav.net; fgp.e2doo.com; forum.piriform.com;
      www.tweaksforgeeks.com; www.daniweb.com; www.geekstogo.com;
      es.answers.yahoo.com; www.techsupportforum.com;
      dnl-eu8.kaspersky-labs.com; www.oprekpc.com; shv4.ath.cx;
      www.pcworld.com; www.pchell.com; www.spyany.com; forums.techguy.org;
      www.experts-exchange.com; www.wikio.es; www.pandasecurity.com;
      forums.devshed.com; devbuilds.kaspersky-labs.com;
      hana-ahmad.blogspot.com; forum.tweaks.com; www.wilderssecurity.com;
      www.techspot.com; www.thecomputerpitstop.com; es.wasalive.com;
      secunia.com; www.killtrojan.net; www.ulop.net; www.eliters.com;
      sip4.voipkosovasite.com; es.kioskea.net; www.taringa.net;
      www.cyberdefender.com; www.feedage.com; new.taringa.net;
      forum.zazana.com; forum.clubedohardware.com.br; mks.com.pl;
      www.vietcaravan.us; trbotnet.sytes.net; www.computing.net;
      discussions.virtualdr.com; forum.securitycadets.com; www.techimo.com;
      13iii.com; www.dicasweb.com.br; www.javacoolsoftware.net;
      cofradia.org; wasteland-bg.com; www.windowexe.com;
      www.infosecpodcast.com; www.usbcleaner.cn; www.net-security.org;
      www.bleedingthreats.net; acs.pandasoftware.com; www.funkytoad.com;
      malwarebytes.org; sabithpocker.blogspot.com; comprolive.vox.com;
      www.360safe.cn; www.360safe.com; bbs.360safe.cn; bbs.360safe.com;
      codehard.wordpress.com; forum.clubedohardware.com.br; antitrick.com;
      www.configurarequipos.com; www.jiwang.org;
      anti-virus-software-review.toptenreviews.com; www.360.cn; www.360.com;
      bbs.360safe.cn; bbs.360safe.com; www.forospyware.es;
      p3dev.taringa.net; www.precisesecurity.com; dlpe.antivir.com;
      www.jvme.com; share.skype.com; comprolive.com; baike.360.cn;
      baike.360.com; kaba.360.cn; kaba.360.com; deckard.geekstogo.com;
      www.taringa.net; forums.comodo.com; www.mvps.org; melcy.wordpress.com;
      forum.softpedia.com; pcvids.wordpress.com; down.360safe.cn;
      down.360safe.com; x.360safe.com; dl.360safe.com; ftp.drweb.com;
      www.hotshare.net; es.wasalive.com; free.antivirus.com;
      forum.hocit.com; destavision-forum.com; inspiresoft.blogspot.com;
      updatem.360safe.com; updatem.360safe.cn; update.360safe.cn;
      update.360safe.com; www.utilidades-utiles.com; forum.kaspersky.com;
      www.indowebster.web.id; zastita.com; www.sz-pet.com; bbs.duba.net;
      www.duba.net; zhidao.baidu.com; hi.baidu.com; www.drweb.com.es;
      msncleaner.softonic.com; www.javacoolsoftware.com;
      beniono.wordpress.com; www.4-gsmteam.com; msntubers.freehostia.com;
      file.ikaka.com; file.ikaka.cn; bbs.ikaka.com; zhidao.ikaka.com;
      www.eset-la.com; download.eset.com; software-files.download.com;
      www.faravirusi.com; www.winbots.es; forum.chip.de; www.ikaka.com;
      www.ikaka.cn; bbs.cfan.com.cn; www.cfan.com.cn; www.pandasecurity.com;
      es.mcafee.com; downloads.malwarebytes.org; www.devirusare.com;
      forum.skype.com; shitit.net; www.webimmune.net; bbs.kafan.cn;
      bbs.kafan.com; bbs.kpfans.com; bbs.taisha.org;
      www.manuelruvalcaba.com; support.f-secure.com; bbs.winzheng.com;
      devirusare.com; social.microsoft.com; www.shitit.net;
      alerta-antivirus.inteco.es; foros.zonavirus.com;
      alerta-antivirus.red.es; www.zonavirus.com; www.malwarebytes.org;
      www.commentcamarche.net; news.support.veritas.com; www.zonealarm.com;
      www.ewido.net; www.infospyware.com; www.bitdefender.es;
      housecall.trendmicro.com; foros.toxico-pc.com; www.identi.es;
      es.kioskea.net; virusinfo.info; forums.zonealarm.com; www.emsisoft.de;
      www.securitynewsportal.com; irc.ekizmedia.com; zone.arminboutique.com;
      story.dnsentrymx.com; google.com

Arrêt de processus: La liste des processus qui sont terminés:
   • MSMPENG.EXE; MSASCUI.EXE; GUARDXKICKOFF.EXE; GUARDXSERVICE.EXE;
      VIRUSUTILITIES.EXE; VBA32-PERSONAL-LATEST-ENGLISH.EXE;
      TrendMicro_TISPro_16.1_1063_x32.EXE; WITSETUP.EXE; AVINSTALL.EXE;
      K7TS_SETUP.EXE; P08PROMO.EXE; ISSDM_EN_32.EXE; VIPRE.EXE;
      UNLOCKER.EXE; UNLOCKERASSISTANT.EXE; UNLOCKER1.8.7.EXE;
      REGUNLOCKER.EXE; COMPAQ_PROPIETARIO.EXE; ATF-CLEANER.EXE;
      SAFEBOOTKEYREPAIR.EXEOTMOVEIT3.EXEHOSTSXPERT.EXEDAFT.EXE; VIRUS.EXE;
      HIJACK-THIS.EXE; MRT.EXE; MRTSTUB.EXE; WINDOWS-KB890930-V2.2.EXE;
      HJ.EXE; ELISTA.EXE; PENCLEAN.EXE; MBAM-SETUP.EXE; MBAM.EXE; AVZ.EXE;
      JAJA.EXE; OTMOVEIT.EXEMBAM-SETUP.EXE; REGMON.EXE; COMBO-FIX.EXE;
      COMBOFIX.BAT; COMBOFIX.SCR; COMBOFIX.COM; CMD.EXE; COMMAND.COM;
      NTVDM.EXE; GUARD.EXE; LISTO.EXE; TCPVIEW.EXE; REGEDIT.COM;
      REGEDIT.SCR; FOLDERCURE.EXE; KILLAUTOPLUS.EXE; MYPHOTOKILLER.EXE;
      REG.EXE; TASKKILL.EXE; AUTORUNS.EXE; SRENGPS.EXE; COMBOFIX.EXE;
      SDFIX.EXE; CATCHME.EXE; GMER.EXE; MBR.EXE; CF9409.EXE;
      REGUNLOCKER.EXETSNTEVAL.EXEXP_TASKMGRENAB.EXE; SUPERANTISPYWARE.EXE;
      BOOTSAFE.EXE; SRESTORE.EXE; MSNCLEANER.EXE; BUSCAREG.EXE;
      KAKASETUPV6.EXE; SUPERKILLER.EXE; DUBATOOL_AV_KILLER.EXE;
      DELAYDELFILE.EXE; SEEM.EXE; BC5CA6A.EXE; ROOTALYZER.EXE;
      ROOTKITBUSTER.EXE; HELIOS.EXE; DARKSPY105.EXE; HOOKANLZ.EXE;
      PAVARK.EXE; SRENGLDR.EXE; APORTS.EXE; FPORT.EXE; PORTDETECTIVE.EXE;
      PORTMONITOR.EXE; NETSTAT.EXE; OLLYDBG.EXE; HJTINSTALL.EXE;
      HJTSETUP.EXE; HIJACKTHIS_SFX.EXE; HIJACKTHIS.EXE; HIJACKTHIS_V2.EXE;
      MSNFIX.EXE; PROCEXP.EXE; TASKMAN.EXE; TASKLIST.EXE; TASKMON.EXE;
      PSKILL.EXE; ROOTKITREVEALER.EXE; FSBL.EXE; FSB.EXE; AVGARKT.EXE;
      ROOTKIT_DETECTIVE.EXE; UNHACKME.EXE; HACKMON.EXE; RKD.EXE;
      ROOTKITNO.EXE; REANIMATOR.EXE; HOOKANLZ.EXE; ROOTREPEAL.EXE;
      ICESWORD.EXE; LORDPE.EXE; PG2.EXE; PROCDUMP.EXE; PROCESSMONITOR.EXE;
      SPYBOTSD160.EXE; TEATIMER.EXE; SPYBOTSD.EXE; WIRESHARK.EXE; APM.EXE;
      APT.EXE; ASVIEWER.EXE; CPORTS.EXE; CPROCESS.EXE; DLLCOMPARE.EXE;
      A2HIJACKFREESETUP.EXE; EULALYZERSETUP.EXE; FILEALYZ.EXE; FILEFIND.EXE;
      FIXPATH.EXE; HOSTSFILEREADER.EXE; IEFIX.EXE; AVENGER.EXE;
      INSTALLWATCHPRO25.EXE; KILLBOX.EXE; NETALYZ.EXE; OBJMONSETUP.EXE;
      PGSETUP.EXE; FIXBAGLE.EXE; CUREIT.EXE; PROCMON.EXE;
      PROJECTWHOISINSTALLER.EXE; REGALYZ.EXE; REGCOOL.EXE;
      REGISTRAR_LITE.EXE; REGSCANNER.EXE; REGSHOT.EXE; REGX2.EXE; SPF.EXE;
      SRENGLDR.EXE; STARTDRECK.EXE; SYSANALYZER_SETUP.EXE; UNIEXTRACT.EXE;
      UNLOCKER1.8.7.EXE; RAVP.EXE; MBAM.EXE; USBGUARD.EXE; AVZ.EXE; OTL.EXE;
      CPF.EXE; ZLCLIENT.EXE; 123.COM; 123.EXE

L'injection du code viral dans d'autres processus – Il s'injecte comme un nouveau fil d'exécution à distance dans un processus.

Nom du processus :
• explorer.exe

Détails de fichier Langage de programmation:
Le fichier a été écrit en Visual Basic.

Logiciel de compression des fichiers exécutables:
Afin d'entraver la détection et de réduire la taille du fichier il est compressé avec un logiciel de compression des exécutables.

Description insérée par Petre Galan le jeudi 6 mai 2010
Description mise à jour par Petre Galan le jeudi 6 mai 2010

Retour . . . .

Protection avancée pour votre PC

Produits gratuits

Les plus populaires

Tous les produits

Offres groupées

Stations de travail

Server

Offres groupées

Mail Gateways

Web Gateways

Plateformes collaboratives

Particuliers

Entreprises

Virus Lab

Support avancé

Programme Avira Partner

Particuliers

Entreprises

Une simple évaluation vous suffit ?

Manuels et outils