Besoin d’aide ? Fais appel à la communauté ou embauche un spécialiste.
Aller à Avira Answers
Virus:DR/Agent.24576.D
Date discovered:14/07/2009
Type:Dropper
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low
Static file:Yes
File size:160.768 Bytes
MD5 checksum:816852a7b5f831e6f2c517e4adab4c8b
VDF version:7.01.04.229

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan.Win32.FraudPack.pnd
   •  Eset: Win32/Agent.PTU


Platform / OS:
   • Windows 2000
   • Windows XP

 Files The following file is created:

%WINDIR%\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job File is a scheduled task that runs the malware at predefined times. Detected as: DR/Agent.24576.D

 Registry One of the following values is added in order to run the process after reboot:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Cognac"="%executedir%\%filename%"



The following registry key is added:

[HKCU\Software\Cognac]
   • "s00000002"="xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFFlHTwF6UUl4+Okpef3si9NAD"
   • "s00000000"="tSLPLpWL7R22spR48AI743bz2Kge8sEVwV+urCGnghdg18Eo9NMs8sbCQvO2E1u+0quRUXD4ug6/bjAxfhYCb0UfzdlfROGiR3tfoylOcLHAH7yCiaBvnRZU43lFwg68rbA4VH7otTRUnUsktecNSQn93wDFIJBfAX62KOJrH23WF92s8q2F8M80+JJig46X"
   • "s00000001"="tSbFNJuL/h22spR48AI743bz2Kge8sEVwV+urCH4hQZ8wYY/9Mx6vsrfS7m2BQah1q7ZF2rk+EDaFAUifhYCbyBhsJUQGaLyTGBKui0aPLfAWqyJkrkwxVYJ925YxUWvsalrFSb3uGQ48Cdq7vYOGk77zgOQY8pPDX2obvttCiPXAcCt48LgvoQy5Y8qmoHZVCchY7PquLAM5rjqerKPIIOxpOYv0J3hxhQu1IIs1QfpR9uRcSSKnL0r1Tn+CHuGMGlMcnSb21WbJh41qJTeBa7Cg5sIbXgnyb1RJAxt+XV3hlpm5lLLv2UJvMh3yCDY4DF6+0AmNex2rlpZ7c0Fn3WM9K46VTgGGadaGh1hUMgr"
   • "d00000004"=dword:00015180
   • "d00000005"=dword:00000002
   • "d00000002"=dword:01ca048e
   • "d00000003"=dword:30c2cb60
   • "d00000006"=dword:00000001
   • "d00000000"=dword:01ca03c7
   • "d00000001"=dword:2053ab90

 Backdoor Contact server:
All of the following:
   • http://imagesrepository.com/**************
   • http://delphiner.com/***********

This is done via the HTTP POST method using a PHP script.

Description insérée par Mihai Dilimot le vendredi 17 juillet 2009
Description mise à jour par Mihai Dilimot le vendredi 17 juillet 2009

Retour . . . .
https:// Cet écran est crypté pour votre sécurité.