Besoin d’aide ? Fais appel à la communauté ou embauche un spécialiste.
Aller à Avira Answers
Virus:WORM/IrcBot.AJ
Date discovered:09/09/2010
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:94.208 Bytes
MD5 checksum:9F184CBD4FAF4B537829E839C8E46DD7
VDF version:7.10.05.24
IVDF version:7.10.11.120 - Thursday, September 9, 2010

 General Method of propagation:
    Messenger


Aliases:
   •  Symantec: Backdoor.Trojan
   •  Mcafee: W32/YahLover.worm
   •  Kaspersky: Trojan.Win32.Jorik.IRCbot.ez
   •  TrendMicro: TSPY_ONLINEG.MHP
     Microsoft: Worm:Win32/Slenfbot.AKD


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
    Windows Vista
    Windows 7


Side effects:
   • Drops files
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following locations:
   • %WINDIR%\nvsvc32.exe
   • %WINDIR%\nvsvc32.exn

 Registry To each registry key one of the values is added in order to run the processes after reboot:

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "NVIDIA driver monitor"="%WINDIR%\nvsvc32.exe"

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "NVIDIA driver monitor"="%WINDIR%\nvsvc32.exe"

  [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\
   Install\Software\Microsoft\Windows\CurrentVersion\Run]
   • "NVIDIA driver monitor"="%WINDIR%\nvsvc32.exe"

 Messenger It is spreading via Messenger. The characteristics are described below:

 Yahoo Messenger

 IRC  Furthermore it has the ability to perform actions such as:
    • Join IRC channel
    • Leave IRC channel

 Miscellaneous  Checks for an internet connection by contacting the following web sites:
   • albertoshistory.info; ale.pakibili.com; astro.ic.ac.uk;
      ate.lacoctelera.net; beta.neogen.ro; browseusers.myspace.com;
      deirdremccloskey.org; ds.phoenix-cc.net; epp.gunmablog.jp;
      erdbeerlounge.de; goodreads.com; heidegger.x-y.net; hrm.uh.edu;
      insidehighered.com; jb.asm.org; journalofaccountancy.com;
      journals.lww.com; mas.0730ip.com; mas.ahlamontada.com;
      mas.archivum.info; mas.josbank.com; mas.juegosbakugan.net;
      mas.mtime.com; mas.tguia.cl; mas.univie.ac.at; mcsp.lvengine.com;
      middleastpost.org; mix.price-erotske.in.rs; mix.thenaturistclub.com;
      mmm.bolbalatrust.org; old.longjuyt2tugas.com; old.youku.com;
      ols.systemofadown.com; ope.oaklandathletics.com; opl.munin.irf.se;
      pra.aps.org; pru.landmines.org; qun.51.com; refugee-action.org.uk;
      screenservice.com; scribbidyscrubs.com; shopstyle.com;
      southampton.ac.uk; stayontime.info; summer-uni-sw.eesp.ch;
      transnationale.org; tripadvisor.com; uks.linkedin.com; unclefed.com;
      versatek.com; websitetrafficspy.com; www.myspace.com;
      www.shearman.com; x.myspacecdn.com; xxx.jagdcom.de; xxx.stopklatka.pl

 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description insérée par Andrei Ilie le jeudi 24 mars 2011
Description mise à jour par Andrei Ilie le vendredi 1 avril 2011

Retour . . . .
https:// Cet écran est crypté pour votre sécurité.