Besoin d’aide ? Fais appel à la communauté ou embauche un spécialiste.
Aller à Avira Answers
Virus:TR/Spy.53248.681
Date discovered:11/11/2010
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:53.248 Bytes
MD5 checksum:1C886EABF2D5A89329CA4529DFA6BB21
VDF version:7.10.06.78
IVDF version:7.10.13.226 - Thursday, November 11, 2010

 General Method of propagation:
    Autorun feature


Aliases:
   •  Mcafee: W32/IRCbot.worm
   •  Kaspersky: Trojan.Win32.Jorik.Lolbot.ip
   •  TrendMicro: WORM_SPYBOT.CEA
   •  F-Secure: Trojan.VB.Agent.HR
   •  Bitdefender: Trojan.VB.Agent.HR


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
    Windows Vista
    Windows 7


Side effects:
   • Drops files
   • Registry modification

 Files It copies itself to the following locations:
   • %APPDATA%\winlogon.exe
   • %drive%\driver\info\explorer.exe



The following files are created:

%drive%\driver\info\Desktop.ini
%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

 Registry To each registry key one of the values is added in order to run the processes after reboot:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft TrustGuard"="%APPDATA%\winlogon.exe"

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft TrustGuard"="%APPDATA%\winlogon.exe"

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft TrustGuard"="%APPDATA%\winlogon.exe"

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft TrustGuard"="%APPDATA%\winlogon.exe"



The following registry key is added:

[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "Microsoft TrustGuard"="%APPDATA%\winlogon.exe"

 IRC  Furthermore it has the ability to perform actions such as:
     connect to IRC server
     disconnect from IRC server
    • Join IRC channel
    • Leave IRC channel

 Hosts The host file is modified as explained:

Access to the following domains is effectively blocked:
   • avp.com
   • ca.com
   • dispatch.mcafee.com
   • etrust
   • jotti
   • kaspersky.com
   • liveupdate.symantecliveupdate.
   • mcafee.com
   • my-etrust.com
   • nai.com
   • nod32.com
   • norton
   • rads.mcafee.com
   • secure.nai.com
   • sophos.com
   • symantecliveupdate.com
   • trendmicro.com
   • updates.symantec.com
   • viruslist.com
   • te [virustotal.com
   • virusscan.jotti.org
   • us.mcafee.com
   • threatexpert
   • symantec.com
   • securityresponse.
   • pandasoftware
   • networkassociates
   • mast.mcafee.com
   • liveupdate.symantec.com
   • kaspersky-labs.com
   • grisoft
   • f-secure
   • download.mcafee.com
   • bitdefender.com
   • nai.


 Process termination Processes with one of the following strings are terminated:
   • AntiVirus; ashWebSv; avgnt; avp.exe; bitdef; kaspersky; mcafee;
      mcshield; NOD32; symantec; viruslist; trendmicro; guard.exe; avgw.exe;
      avguard; ashDisp


 Miscellaneous Anti debugging
It checks for running programs that contain one of the following strings:
   • sandbox
   • nepenthes
   • wireshark
   • vmware


 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description insérée par Andrei Ilie le vendredi 18 mars 2011
Description mise à jour par Andrei Ilie le mardi 22 mars 2011

Retour . . . .
https:// Cet écran est crypté pour votre sécurité.