Nume:TR/Dldr.Agent.eckq
Descoperit pe data de:28/07/2010
Tip:Troian
Subtip:Downloader
ITW:Da
Numar infectii raportate:Mediu
Potential de raspandire:Mediu
Potential de distrugere:Mediu
Fisier static:Da
Marime:118.784 Bytes
MD5:a8dbf047f8b6d0eb40c01307ab798c28
Versiune IVDF:7.10.09.249 - mercredi 28 juillet 2010

 General Metoda de raspandire:
   • Nu are rutina proprie de raspandire


Alias:
   •  Kaspersky: Trojan-Downloader.Win32.Agent.eckq
   •  Eset: a variant of Win32/Injector.CLP
   •  AhnLab: Downloader/Win32.Agent


Sistem de operare:
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Efecte secundare:
   • Inchide aplicatiile de securitate
   • Descarca un fisier
   • Reduce setarile de securitate
   • Modificari in registri
   • Sustrage informatii

 Fisiere Se copiaza in urmatoarea locatie:
   • %HOME%\user1\winlogon.exe




Incearca sa descarce un fisier:

– Adresa este urmatoarea:
   • http://0-1-0-**********-0-0.info/VERSION.TXT
Fisierul este stocat pe hard disc la: %HOME%\user1\VERSION.TXT

 Registrii sistemului Urmatoarea cheie este adaugata in registri pentru a rula procesul la repornirea sistemului:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "NVIDIA Media Center Library"="%HOME%\user1\winlogon.exe"



Urmatoarele chei sunt adaugate in registrii sistemului:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avnt.exe]
   • "Debugger"="\"%WINDIR%\twunk_16.exe\""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avsched32.exe]
   • "Debugger"="\"%WINDIR%\twunk_16.exe\""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avrescue.exe]
   • "Debugger"="\"%WINDIR%\twunk_16.exe\""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avpmon.exe]
   • "Debugger"="\"%WINDIR%\twunk_16.exe\""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\penis32.exe]
   • "Debugger"="\"%WINDIR%\twunk_16.exe\""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\periscope.exe]
   • "Debugger"="\"%WINDIR%\twunk_16.exe\""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\persfw.exe]
   • "Debugger"="\"%WINDIR%\twunk_16.exe\""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\perswf.exe]
   • "Debugger"="\"%WINDIR%\twunk_16.exe\""

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\pf2.exe]
   • "Debugger"="\"%WINDIR%\twunk_16.exe\""



Urmatoarele chei din registri sunt modificate:

Pagina de start in Internet Explorer:

– [HKEY_USERS\S-1-5-21-602162358-2077806209-839522115-1003\Software\
   Microsoft\Internet Explorer\Main]
   Vechea valoare:
   • "Local Page"="c:\windows\\system32\\blank.htm"
   • "Start Page"="about:blank"
   • "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
   Noua valoare:
   • "Local Page"="http://www.nuevaq.fm"
   • "Start Page"="http://www.nuevaq.fm"
   • "Search Page"="http://www.nuevaq.fm"
   • "Default_Search_URL"="http://www.nuevaq.fm"
   • "Default_Page_URL"="http://www.nuevaq.fm"

– [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
   Vechea valoare:
   • "Default_Page_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
   • "Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
   • "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
   • "Local Page"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
   • 00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
   • 62,00,6c,00,61,00,6e,00,6b,00,2e,00,68,00,74,00,6d,00,00,00
   • "Start Page"="http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home"
   Noua valoare:
   • "Default_Page_URL"="http://www.nuevaq.fm"
   • "Default_Search_URL"="http://www.nuevaq.fm"
   • "Search Page"="http://www.nuevaq.fm"
   • "Local Page"="http://www.nuevaq.fm"
   • "Start Page"="http://www.nuevaq.fm"

 Injectarea codului malware in alte procese – Se injecteaza intr-un proces.

    Numele procesului:
   • svchost.exe


 Detaliile fisierului Limbaj de programare:
 Limbaj de programare folosit: Visual Basic.

Description insérée par Patrick Schoenherr le jeudi 29 juillet 2010
Description mise à jour par Patrick Schoenherr le jeudi 29 juillet 2010

Retour . . . .