Date discovered: 03/05/2010
In the wild: Yes
Reported infections: Low to medium
Distribution potential: Low to medium
Damage potential: Medium
Static file: Yes
File size: 118,784 bytes
MD5 checksum: 5507d7602b6afb61dbd8787e9a16e80c
IVDF version:

General method of propagation:
   • Autorun feature

Aliases:
   • Sophos: Mal/VBInject-T
   • Panda: W32/IRCbot.CXC
   • Eset: Win32/Boberog.AQ
   • Bitdefender: Trojan.Generic.KD.8011

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Third party control

Files
It copies itself to the following locations:
   • %TEMPDIR%\lssas.exe
   • %drive%\TRASH\DFG-2352-66235-2352322-634621321-6662355\365345.exe

The following files are created:

– %drive%\autorun.inf: this is a non-malicious text file with the following content:
   • %code that runs malware%

It tries to execute the following files:

– Filename:
   • netsh firewall add allowedprogram %TEMPDIR%\lssas.exe WindowsSafety ENABLE

– Filename:
   • taskkill /IM winlog.exe

– Filename:
   • taskkill /IM svchost.exe

– Filename:
   • taskkill /IM csrss.exe

– Filename:
   • taskkill /IM lsass.exe

– Filename:
   • "%TEMPDIR%\lssas.exe"

Registry
The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Google Updater"="%TEMPDIR%\lssas.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Google Updater"="%TEMPDIR%\lssas.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   • "MicrosoftCorp"="%TEMPDIR%\lssas.exe"

It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   • "%TEMPDIR%\lssas.exe"="%TEMPDIR%\lssas.exe:*:Enabled:Windows Defense"

IRC
To deliver system information and to provide remote control, it connects to the following IRC servers:

Server: stores.del**********.net
Port: 1234
Channel: #b#
Nickname: {NEW}[USA][XP-SP2]%number%

Server: bb.ceg**********.org
Port: 1234
Channel: #b#
Nickname: {NEW}[USA][XP-SP2]%number%

File details
Programming language: the malware program was written in Visual Basic.
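As an added defender-side check, not part of the Avira description, the following PowerShell script hunts a host for the artifacts listed above: the dropped copies and their MD5, the look-alike lssas.exe process, the autorun.inf launcher, and registry values pointing at the dropper. It assumes %TEMPDIR% corresponds to $env:TEMP and PowerShell 4 or later; because the two registry key paths on the page are truncated, it walks the parent key trees rather than exact keys, and the pattern it matches inside autorun.inf is an assumption since the page does not show that file's body.

```powershell
# Added artifact hunt for this sample; not code from the Avira description.
# Assumptions: %TEMPDIR% == $env:TEMP, PowerShell 4+ (Get-FileHash), run as admin.
$Md5Expected = '5507d7602b6afb61dbd8787e9a16e80c'   # MD5 from the description
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copies (the TRASH\... path is checked on every local drive) and autorun.inf.
$dropped = @("$env:TEMP\lssas.exe")
foreach ($drive in Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }) {
    $dropped += "$($drive.Root)TRASH\DFG-2352-66235-2352322-634621321-6662355\365345.exe"
    $autorun = "$($drive.Root)autorun.inf"
    # Assumption: the launcher references the dropped executable or its TRASH folder.
    if ((Test-Path $autorun) -and (Select-String -Path $autorun -Pattern 'TRASH\\|365345\.exe' -Quiet)) {
        $findings.Add("autorun.inf on $($drive.Root) points at the dropped executable")
    }
}
foreach ($path in $dropped) {
    if (Test-Path $path) {
        $md5 = (Get-FileHash -Path $path -Algorithm MD5).Hash.ToLower()
        $note = if ($md5 -eq $Md5Expected) { 'MD5 matches' } else { "MD5 $md5, possible variant" }
        $findings.Add("Dropped file present: $path ($note)")
    }
}

# 2. Running process with the look-alike name (lssas.exe, not the legitimate lsass.exe).
if (Get-Process -Name lssas -ErrorAction SilentlyContinue) {
    $findings.Add('Process lssas.exe is running')
}

# 3. Persistence and firewall-bypass values. The Policies\Explorer and SharedAccess
#    key paths on the page are truncated, so their parent trees are walked.
$trees = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
         'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
         'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
         'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters'
foreach ($tree in $trees) {
    if (-not (Test-Path $tree)) { continue }
    $keys = @(Get-Item $tree) + @(Get-ChildItem $tree -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            # Both the value name and its data carry the dropper path in this sample.
            if ($name -match 'lssas\.exe' -or $value -match 'lssas\.exe') {
                $findings.Add("Registry $($key.Name)\$name = $value")
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No artifacts of this sample found.' } else { $findings }
```

A hit on the lssas.exe process or on a Run value named "Google Updater" pointing into %TEMP% is a strong indicator even when the MD5 differs, since repacked variants of a Visual Basic dropper keep the same persistence names.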

Description inserted by Petre Galan on Thursday, 24 June 2010
Description updated by Petre Galan on Thursday, 24 June 2010
