Descrizione completa

Nome del virus:	Worm/Slenfbot.DQ
Scoperto:	23/11/2009
Tipo:	Worm
In circolazione (ITW):	Si
Numero delle infezioni segnalate:	Medio-Basso
Potenziale di propagazione:	Medio-Basso
Potenziale di danni:	Medio
File statico:	Si
Dimensione del file:	77.312 Byte
Somma di controllo MD5:	529a29e455d2cc22c4dc756f2bb013b8
Versione IVDF:	7.10.01.59 - lunedì 23 novembre 2009

Generale Metodo di propagazione:
   • Autorun feature (it)

Alias:
   • Panda: W32/Slenfbot.AH
   • Eset: Win32/AutoRun.Qhost.M

Piattaforme / Sistemi operativi:
   • Windows 2000
   • Windows XP
   • Windows 2003

Effetti secondari:
   • Blocca l'accesso a certi siti web
   • Blocca l'accesso a siti web di sicurezza
   • Duplica file “maligni”
   • Abbassa le impostazioni di sicurezza
   • Modifica del registro
   • Accesso e controllo del computer da parte di terzi

File Si copia alle seguenti posizioni:
   • %SYSDIR%\avsysd.exe
   • %unità disco%\CACHE-03958720\device64.sys

Sovrascrive un file.
– %SYSDIR%\drivers\etc\hosts

Vengono creati i seguenti file:

– %unità disco%\autorun.inf Questo è un file di testo “non maligno” con il seguente contenuto:
   •

– %unità disco%\CACHE-03958720\Desktop.ini

Registro Uno dei seguenti valori viene aggiunto per eseguire il processo dopo il riavvio:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "ctfmon.exe"="ctfmon.exe"

Le seguenti chiavi di registro che includono tutti i valori e le sottochiavi, vengono rimosse:
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

Crea le seguenti righe con lo scopo di bypassare il firewall di Windows XP:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\avsysd.exe"="%SYSDIR%\avsysd.exe:*:Enabled:Windows Live"

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\DomainProfile\AuthorizedApplications\List]
   • "%SYSDIR%\avsysd.exe"="%SYSDIR%\avsysd.exe:*:Enabled:Windows Live"

Vengono aggiunte le seguenti chiavi di registro:

– [HKLM\SOFTWARE\Policies\Microsoft\MRT]
   • "DontReportInfectionInformation"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Security Center]
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "AntiVirusOverride"=dword:0x00000001
   • "FirewallDisableNotify"=dword:0x00000001
   • "FirewallOverride"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ctfmon.exe]
   • "Debugger"="avsysd.exe"

– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   • "DisableConfig"=dword:0x00000001

– [HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
   • "DoNotAllowXPSP2"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\
   Layers]
   • "%SYSDIR%\avsysd.exe"="DisableNXShowUI"

Vengono cambiate le seguenti chiavi di registro:

Varie opzioni di Explorer:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Nuovo valore:
   • "Hidden"=dword:0x00000002

Varie opzioni di Explorer:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   Nuovo valore:
   • "CheckedValue"=dword:0x00000001

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Nuovo valore:
   • "restrictanonymous"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Ole]
   Nuovo valore:
   • "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Services\avg8wd]
   Nuovo valore:
   • "Start"=dword:0x00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\avg8emc]
   Nuovo valore:
   • "Start"=dword:0x00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
   Nuovo valore:
   • "Start"=dword:0x00000004

IRC Per inviare informazioni sul sistema e per fornire il controllo remoto, si connette ai seguenti server IRC:

Server: unas.u**********.info
Password del server: su1c1d3
Canale: #te3pe3
Nickname: \00\USA\%stringa di caratteri casuale%

Server: p3x-888.u**********.info

Server: goauld.u**********.info

Server: stargate.f**********.info

Server: recoil.f**********.info

Server: sector9.f**********.info

Server: gateaddr.d**********.info

Server: wormhle.d**********.info

Server: scattr.d**********.info

Server: evthorz.d**********.info

Server: scorch.s**********.info

Server: zapniki.s**********.info

Server: zateck.s**********.info

Server: wow.d**********.info

Server: com.d**********.info

Server: dat.d**********.info

Server: sup.d**********.info

Server: especial.s**********.info

Server: rewrite.s**********.info

Server: comp.s**********.info

Server: statics.s**********.info

– In più ha la capacità di effettuare azioni quali:
• Eseguire file
• Aggiornarsi

Host L'host del file viene modificato come spiegato:

– In questo caso i dati immessi già esistenti vengono cancellati.

– L'accesso ai seguenti domini è effettivamente bloccato:
   • 127.0.0.1 msnfix.changelog.fr; 127.0.0.1 www.incodesolutions.com;
      127.0.0.1 virusinfo.prevx.com;
      127.0.0.1 download.bleepingcomputer.com; 127.0.0.1 www.dazhizhu.cn;
      127.0.0.1 foro.noticias3d.com; 127.0.0.1 www.nabble.com;
      127.0.0.1 lurker.clamav.net; 127.0.0.1 lexikon.ikarus.at;
      127.0.0.1 research.sunbelt-software.com; 127.0.0.1 www.virusdoctor.jp;
      127.0.0.1 www.elitepvpers.de; 127.0.0.1 guru.avg.com;
      127.0.0.1 www.superuser.co.kr; 127.0.0.1 ntfaq.co.kr;
      127.0.0.1 v.dreamwiz.com; 127.0.0.1 cit.kookmin.ac.kr;
      127.0.0.1 forums.whatthetech.com; 127.0.0.1 forum.hijackthis.de;
      127.0.0.1 avg.vo.llnwd.net; 127.0.0.1 www.huaifai.go.th;
      127.0.0.1 www.mostz.com; 127.0.0.1 www.krupunmai.com;
      127.0.0.1 www.cddchiangmai.net; 127.0.0.1 forum.malekal.com;
      127.0.0.1 tech.pantip.com; 127.0.0.1 sapcupgrades.com;
      127.0.0.1 www.247fixes.com; 127.0.0.1 forum.sysinternals.com;
      127.0.0.1 forum.telecharger.01net.com; 127.0.0.1 sophos.com;
      127.0.0.1 foros.softonic.com; 127.0.0.1 avast-home.uptodown.com;
      127.0.0.1 dr-web-cureit.softonic.com; 127.0.0.1 www.f-secure.com;
      127.0.0.1 www.chkrootkit.org; 127.0.0.1 diamondcs.com.au;
      127.0.0.1 www.rootkit.nl; 127.0.0.1 www.sysinternals.com;
      127.0.0.1 z-oleg.com; 127.0.0.1 espanol.dir.groups.yahoo.com;
      127.0.0.1 www.castlecrops.com; 127.0.0.1 www.misec.net;
      127.0.0.1 safecomputing.umn.edu; 127.0.0.1 www.antirootkit.com;
      127.0.0.1 www.greatis.com; 127.0.0.1 ar.answers.yahoo.com;
      127.0.0.1 www.elhacker.org; 127.0.0.1 www.rootkit.com;
      127.0.0.1 www.pctools.com; 127.0.0.1 www.pcsupportadvisor.com;
      127.0.0.1 www.resplendence.com; 127.0.0.1 www.personal.psu.edu;
      127.0.0.1 foro.ethek.com; 127.0.0.1 foro.elhacker.net;
      127.0.0.1 vil.nail.com; 127.0.0.1 search.mcafee.com;
      127.0.0.1 wwww.mcafee.com; 127.0.0.1 download.nai.com;
      127.0.0.1 wwww.experts-exchange.com; 127.0.0.1 www.bakunos.com;
      127.0.0.1 www.darkclockers.com; 127.0.0.1 www.Merijn.org;
      127.0.0.1 www.spywareinfo.com; 127.0.0.1 www.spybot.info;
      127.0.0.1 www.viruslist.com; 127.0.0.1 www.hijackthis.de;
      127.0.0.1 www.f-secure.com; 127.0.0.1 forum.kaspersky.com;
      127.0.0.1 majorgeeks.com; 127.0.0.1 www.avp.com;
      127.0.0.1 www.virustotal.com; 127.0.0.1 www.sophos.com;
      127.0.0.1 linhadefensiva.uol.com.br; 127.0.0.1 cmmings.cn;
      127.0.0.1 www.sergiwa.com; 127.0.0.1 www.el-hacker.com;
      127.0.0.1 www.avg-antivirus.net; 127.0.0.1 www.kaspersky-labs.com;
      127.0.0.1 www.kaspersky.com; 127.0.0.1 www.bleepingcomputer.com;
      127.0.0.1 www.free.grisoft.com; 127.0.0.1 alerta-antivirus.inteco.es;
      127.0.0.1 securityresponse.symantec.com;
      127.0.0.1 www.analysis.seclab.tuwien.ac.at;
      127.0.0.1 www.symantec.com; 127.0.0.1 www.kztechs.com;
      127.0.0.1 ad-aware-se.uptodown.com; 127.0.0.1 stdio-labs.blogspot.com;
      127.0.0.1 liveupdate.symantecliveupdate.com;
      127.0.0.1 liveupdate.symantec.com; 127.0.0.1 customer.symantec.com;
      127.0.0.1 update.symantec.com; 127.0.0.1 www.box.net;
      127.0.0.1 foro.el-hacker.com; 127.0.0.1 www.mcafee.com;
      127.0.0.1 www.free.avg.com; 127.0.0.1 download.mcafee.com;
      127.0.0.1 mast.mcafee.com; 127.0.0.1 www.tecno-soft.com;
      127.0.0.1 ladooscuro.es; 127.0.0.1 ftp.drweb.com;
      127.0.0.1 download.microsoft.comguru0.grisoft.cz;
      127.0.0.1 guru1.grisoft.cz; 127.0.0.1 guru2.grisoft.cz;
      127.0.0.1 guru3.grisoft.cz; 127.0.0.1 download.bleepingcomputer.com;
      127.0.0.1 it.answers.yahoo.com; 127.0.0.1 www.softonic.com;
      127.0.0.1 guru4.grisoft.cz; 127.0.0.1 guru5.grisoft.cz;
      127.0.0.1 www.virusspy.com; 127.0.0.1 www.download.f-secure.com;
      127.0.0.1 www.malwareremoval.com; 127.0.0.1 forums.cnet.com;
      127.0.0.1 foros.softonic.com; 127.0.0.1 hjt-data.trend-braintree.com;
      127.0.0.1 www.pantip.com; 127.0.0.1 secubox.aldria.com;
      127.0.0.1 www.forospyware.com; 127.0.0.1 www.manuelruvalcaba.com;
      127.0.0.1 www.zonavirus.com; 127.0.0.1 www.leforo.com;
      127.0.0.1 www.siteadvisor.com; 127.0.0.1 blog.threatfire.com;
      127.0.0.1 www.threatexpert.com; 127.0.0.1 blog.hispasec.com;
      127.0.0.1 www.configurarequipos.com; 127.0.0.1 sosvirus.changelog.fr;
      127.0.0.1 www.psicofxp.com; 127.0.0.1 mailcenter.rising.com.cn;
      127.0.0.1 mailcenter.rising.com; 127.0.0.1 www.rising.com.cn;
      127.0.0.1 www.rising.com; 127.0.0.1 www.babooforum.com.br;
      127.0.0.1 www.runscanner.net; 127.0.0.1 www.blogschapines.com;
      127.0.0.1 sosvirus.changelog.fr; 127.0.0.1 upload.changelog.fr;
      127.0.0.1 www.raymond.cc; 127.0.0.1 changelog.fr;
      127.0.0.1 www.pcentraide.com; 127.0.0.1 atazita.blogspot.com;
      127.0.0.1 www.thinkpad.cn; 127.0.0.1 www.final4ever.com;
      127.0.0.1 files.filefont.com; 127.0.0.1 www.infos-du-net.com;
      127.0.0.1 www.trendsecure.com; 127.0.0.1 forum.hardware.fr;
      127.0.0.1 www.utilidades-utiles.com; 127.0.0.1 blogs.icerocket.com;
      127.0.0.1 www.spychecker.com; 127.0.0.1 www.geekstogo.com;
      127.0.0.1 forums.maddoktor2.com; 127.0.0.1 www.smokey-services.eu;
      127.0.0.1 www.clubic.com; 127.0.0.1 www.linhadefensiva.org;
      127.0.0.1 www.rolandovera.com; 127.0.0.1 download.sysinternals.com;
      127.0.0.1 www.pcguide.com; 127.0.0.1 www.thetechguide.com;
      127.0.0.1 www.ozzu.com; 127.0.0.1 www.changedetection.com;
      127.0.0.1 espanol.groups.yahoo.com; 127.0.0.1 www.sunbeltsecurity.com;
      127.0.0.1 community.thaiware.com; 127.0.0.1 www.avpclub.ddns.info;
      127.0.0.1 www.offensivecomputing.net; 127.0.0.1 www.grisoft.com;
      127.0.0.1 boardreader.com; 127.0.0.1 www.guiadohardware.net;
      127.0.0.1 www.msnvirusremoval.com; 127.0.0.1 www.cisrt.org;
      127.0.0.1 fixmyim.com; 127.0.0.1 samroeng.hi5.com;
      127.0.0.1 foro.elhacker.net; 127.0.0.1 www.daboweb.com;
      127.0.0.1 service1.symantec.com; 127.0.0.1 forums.techguy.org;
      127.0.0.1 www.incodesolutions.com;
      127.0.0.1 hijackthis.download3000.com;
      127.0.0.1 www.cybertechhelp.com; 127.0.0.1 www.superdicas.com.br;
      127.0.0.1 www.51nb.com; 127.0.0.1 downloads.andymanchesta.com;
      127.0.0.1 andymanchesta.com; 127.0.0.1 info.prevx.com;
      127.0.0.1 aknow.prevx.com; 127.0.0.1 www.zonavirus.com;
      127.0.0.1 securitywonks.net; 127.0.0.1 www.yoreparo.com;
      127.0.0.1 www.lavasoft.com; 127.0.0.1 www.virscan.org;
      127.0.0.1 www.eeload.com; 127.0.0.1 down.www.kingsoft.com;
      127.0.0.1 www.file.net; 127.0.0.1 onecare.live.com;
      127.0.0.1 mvps.org; 127.0.0.1 www.laneros.com;
      127.0.0.1 www.housecall.trendmicro.com; 127.0.0.1 www.avast.com;
      127.0.0.1 www.free.avg.com; 127.0.0.1 www.onlinescan.avast.com;
      127.0.0.1 www.ewido.net; 127.0.0.1 www.trucoswindows.net;
      127.0.0.1 www.mozilla-hispano.org;
      127.0.0.1 www.futurenow.bitdefender.com;
      127.0.0.1 www.bitdefender.com; 127.0.0.1 www.f-prot.com;
      127.0.0.1 www.trendsecure.com; 127.0.0.1 security.symantec.com;
      127.0.0.1 oldtimer.geekstogo.com; 127.0.0.1 www.avira.com;
      127.0.0.1 www.eset.com; 127.0.0.1 www.free.avg.com;
      127.0.0.1 www.free-av.com; 127.0.0.1 kr.ahnlab.com;
      127.0.0.1 www.eset.com; 127.0.0.1 forospyware.com;
      127.0.0.1 thejokerx.blogspot.com; 127.0.0.1 www.2-spyware.com;
      127.0.0.1 www.antivir.es; 127.0.0.1 www.prevx.com;
      127.0.0.1 www.ikarus.net; 127.0.0.1 bbs.s-sos.net;
      127.0.0.1 www.housecall.trendmicro.com;
      127.0.0.1 www.superdicas.com.br; 127.0.0.1 www.forums.majorgeeks.com;
      127.0.0.1 www.castlecops.com; 127.0.0.1 www.virusspy.com;
      127.0.0.1 andymanchesta.com; 127.0.0.1 www.kaspersky.es;
      127.0.0.1 subs.geekstogo.com; 127.0.0.1 www.forospanish.com;
      127.0.0.1 www.trendmicro.com; 127.0.0.1 www.fortinet.com;
      127.0.0.1 www.safer-networking.org;
      127.0.0.1 www.fortiguardcenter.com; 127.0.0.1 www.dougknox.com;
      127.0.0.1 www.vsantivirus.com; 127.0.0.1 www.firewallguide.com;
      127.0.0.1 www.auditmypc.com; 127.0.0.1 www.spywaredb.com;
      127.0.0.1 www.mxttchina.com; 127.0.0.1 www.ziggamza.net;
      127.0.0.1 www.forospyware.es; 127.0.0.1 pogonyuto.forospanish.com;
      127.0.0.1 www.antivirus.comodo.com;
      127.0.0.1 www.spywareterminator.com;
      127.0.0.1 www.eradicatespyware.net;
      127.0.0.1 www.freespywareremoval.info;
      127.0.0.1 www.personalfirewall.comodo.com; 127.0.0.1 www.clamav.net;
      127.0.0.1 www.antivirus.about.com; 127.0.0.1 www.pandasecurity.com;
      127.0.0.1 www.webphand.com; 127.0.0.1 mx.answers.yahoo.com;
      127.0.0.1 www.securitywonks.net; 127.0.0.1 www.sandboxie.com;
      127.0.0.1 www.clamwin.com; 127.0.0.1 www.cwsandbox.org;
      127.0.0.1 www.ca.com; 127.0.0.1 www.arswp.com;
      127.0.0.1 es.answers.yahoo.com; 127.0.0.1 www.trucoswindows.es;
      127.0.0.1 www.networkworld.com; 127.0.0.1 www.cddchiangmai.net;
      127.0.0.1 www.threatexpert.com; 127.0.0.1 www.norman.com;
      127.0.0.1 espanol.answers.yahoo.com; 127.0.0.1 www.tallemu.com;
      127.0.0.1 virscan.org; 127.0.0.1 www.viruschief.com;
      127.0.0.1 scanner.virus.org; 127.0.0.1 www.hijackthis.de;
      127.0.0.1 housecall65.trendmicro.com;
      127.0.0.1 www.guiadohardware.net; 127.0.0.1 forums.whatthetech.com;
      127.0.0.1 hjt.networktechs.com; 127.0.0.1 www.techsupportforum.com;
      127.0.0.1 www.whatthetech.com; 127.0.0.1 www.soccersuck.com;
      127.0.0.1 www.pcentraide.com; 127.0.0.1 comunidad.wilkinsonpc.com.co;
      127.0.0.1 forum.piriform.com; 127.0.0.1 www.tweaksforgeeks.com;
      127.0.0.1 www.daniweb.com; 127.0.0.1 www.geekstogo.com;
      127.0.0.1 es.answers.yahoo.com; 127.0.0.1 www.techsupportforum.com;
      127.0.0.1 www.pchell.com; 127.0.0.1 www.spyany.com;
      127.0.0.1 forums.techguy.org; 127.0.0.1 www.experts-exchange.com;
      127.0.0.1 www.wikio.es; 127.0.0.1 www.pandasecurity.com;
      127.0.0.1 forums.devshed.com; 127.0.0.1 forum.tweaks.com;
      127.0.0.1 www.wilderssecurity.com; 127.0.0.1 www.techspot.com;
      127.0.0.1 www.thecomputerpitstop.com; 127.0.0.1 es.wasalive.com;
      127.0.0.1 secunia.com; 127.0.0.1 es.kioskea.net;
      127.0.0.1 www.taringa.net; 127.0.0.1 www.cyberdefender.com;
      127.0.0.1 www.feedage.com; 127.0.0.1 new.taringa.net;
      127.0.0.1 forum.zazana.com; 127.0.0.1 forum.clubedohardware.com.br;
      127.0.0.1 www.computing.net; 127.0.0.1 discussions.virtualdr.com;
      127.0.0.1 forum.securitycadets.com; 127.0.0.1 www.techimo.com;
      127.0.0.1 13iii.com; 127.0.0.1 www.dicasweb.com.br;
      127.0.0.1 www.infosecpodcast.com; 127.0.0.1 www.usbcleaner.cn;
      127.0.0.1 www.net-security.org; 127.0.0.1 www.bleedingthreats.net;
      127.0.0.1 acs.pandasoftware.com; 127.0.0.1 www.funkytoad.com;
      127.0.0.1 www.360safe.cn; 127.0.0.1 www.360safe.com;
      127.0.0.1 bbs.360safe.cn; 127.0.0.1 bbs.360safe.com;
      127.0.0.1 codehard.wordpress.com;
      127.0.0.1 forum.clubedohardware.com.br; 127.0.0.1 www.360.cn;
      127.0.0.1 www.360.com; 127.0.0.1 bbs.360safe.cn;
      127.0.0.1 bbs.360safe.com; 127.0.0.1 www.forospyware.es;
      127.0.0.1 p3dev.taringa.net; 127.0.0.1 www.precisesecurity.com;
      127.0.0.1 baike.360.cn; 127.0.0.1 baike.360.com;
      127.0.0.1 kaba.360.cn; 127.0.0.1 kaba.360.com;
      127.0.0.1 deckard.geekstogo.com; 127.0.0.1 www.taringa.net;
      127.0.0.1 forums.comodo.com; 127.0.0.1 www.mvps.org;
      127.0.0.1 down.360safe.cn; 127.0.0.1 down.360safe.com;
      127.0.0.1 x.360safe.com; 127.0.0.1 dl.360safe.com;
      127.0.0.1 ftp.drweb.com; 127.0.0.1 www.hotshare.net;
      127.0.0.1 es.wasalive.com; 127.0.0.1 free.antivirus.com;
      127.0.0.1 updatem.360safe.com; 127.0.0.1 updatem.360safe.cn;
      127.0.0.1 update.360safe.cn; 127.0.0.1 update.360safe.com;
      127.0.0.1 www.utilidades-utiles.com; 127.0.0.1 forum.kaspersky.com;
      127.0.0.1 bbs.duba.net; 127.0.0.1 www.duba.net;
      127.0.0.1 zhidao.baidu.com; 127.0.0.1 hi.baidu.com;
      127.0.0.1 www.drweb.com.es; 127.0.0.1 msncleaner.softonic.com;
      127.0.0.1 www.javacoolsoftware.com; 127.0.0.1 file.ikaka.com;
      127.0.0.1 file.ikaka.cn; 127.0.0.1 bbs.ikaka.com;
      127.0.0.1 zhidao.ikaka.com; 127.0.0.1 www.eset-la.com;
      127.0.0.1 www.eset-la.com; 127.0.0.1 software-files.download.com;
      127.0.0.1 www.ikaka.com; 127.0.0.1 www.ikaka.cn;
      127.0.0.1 bbs.cfan.com.cn; 127.0.0.1 www.cfan.com.cn;
      127.0.0.1 www.pandasecurity.com; 127.0.0.1 es.mcafee.com;
      127.0.0.1 downloads.malwarebytes.org; 127.0.0.1 bbs.kafan.cn;
      127.0.0.1 bbs.kafan.com; 127.0.0.1 bbs.kpfans.com;
      127.0.0.1 bbs.taisha.org; 127.0.0.1 www.manuelruvalcaba.com;
      127.0.0.1 support.f-secure.com; 127.0.0.1 bbs.winzheng.com;
      127.0.0.1 alerta-antivirus.inteco.es; 127.0.0.1 foros.zonavirus.com;
      127.0.0.1 alerta-antivirus.red.es; 127.0.0.1 www.zonavirus.com;
      127.0.0.1 www.malwarebytes.org; 127.0.0.1 www.commentcamarche.net;
      127.0.0.1 www.ewido.net; 127.0.0.1 www.infospyware.com;
      127.0.0.1 www.bitdefender.es; 127.0.0.1 housecall.trendmicro.com;
      127.0.0.1 foros.toxico-pc.com; 127.0.0.1 www.emsisoft.de;
      127.0.0.1 www.securitynewsportal.com

Processi terminati Lista dei processi che vengono terminati:
   • VIPRE.EXE; ISSDM_EN_32.EXE; P08PROMO.EXE; K7TS_SETUP.EXE;
      AVINSTALL.EXE; WITSETUP.EXE; TrendMicro_TISPro_16.1_1063_x32.EXE;
      VBA32-PERSONAL-LATEST-ENGLISH.EXE; FSMB32.EXE; FSGK32.EXE; FSAV95.EXE;
      FSAV530WTBYB.EXE; FSAV530STBYB.EXE; FSAV32.EXE; FSAV.EXE; FSAA.EXE;
      FPROT.EXE; FP-WIN.EXE; FNRB32.EXE; FIH32.EXE; FCH32.EXE; FAST.EXE;
      FAMEH32.EXE; F-STOPW.EXE; F-PROT95.EXE; F-PROT.EXE; AFMAIN.EXE;
      SPIDERUI.EXE; SPIDERNT.EXE; ALERTMAN.EXE; RAVMOND.EXE; MAKEREPORT.EXE;
      BOXMOD.EXE; 360SAFE.EXE; 360RPT.EXE; 360HOTFIX.EXE; 360TRAY.EXE;
      NSVMON.NPC; NSAVSVC.NPC; NPCGREENAGENT.NPC; PUSCAN.EXE;
      AYSERVICENT.AYE; AYAGENT.AYE; CMDAGENT.EXE; CPF.EXE; VSMON.EXE;
      ZLCLIENT.EXE; NSUTILITY.EXE; NSPUPDT.EXE; NAVQSCAN.EXE; NSPMAIN.EXE;
      NSPUPSVC.EXE; NSPSVC.EXE; MKSADMINCONSOLE.EXE; MKSUPDATE.EXE;
      MKSPC.EXE; MKSFWALL.EXE; MKSVIRMONSVC.EXE; MKS_SCAN.EXE; MKS_MAIL.EXE;
      MKSREGMON.EXE; KAVPFW.EXE; KASMAIN.EXE; KAV32.EXE; KPFWSVC.EXE;
      KISSVC.EXE; KWATCH.EXE; KPFW32.EXE; KAVSTART.EXE; KVSRVXP.EXE;
      KVOL.EXE; KVXP.KXP; KVMONXP.KXP; CAVASM.EXE; CMAIN.EXE;
      ARCABIT.CORE.LOGGINGSERVICE.EXE; ARCABIT.CORE.CONFIGURATOR2.EXE;
      TASKSCHEDULER.EXE; UPDATE.EXE; NETMONSV.EXE; FILEMONSV.EXE;
      ABREGMON.EXE.EXE; ARCACHECK.EXE; ARCAVIR.EXE; AVMENU.EXE;
      A2HIJACKFREE.EXE; A2SERVICE.EXE; A2START.EXE; A2SCAN.EXE; A2GUARD.EXE;
      VRFWSVC.EXE; HFACSVC.EXE; VRMONSVC.EXE; HPCSVC.EXE; HSVCMOD.EXE;
      VRMONNT.EXE; VBA32ADS.EXE; VBA32LDR.EXE; FILELOCKSETUP.EXE;
      TSCFCOMMANDER.EXE; TMPROXY.EXE; TMPFW.EXE; TMBMSRV.EXE; UFNAVI.EXE;
      UFSEAGNT.EXE; MKSTRAY.EXE; TISSPWIZ.EXE; SFCTLCOM.EXE; TNBUTIL.EXE;
      DEFWATCH.EXE; RTVSCAN.EXE; SBAMSVC.EXE; SBAMUI.EXE; SBAMTRAY.EXE;
      SAVADMINSERVICE.EXE; SAVSERVICE.EXE; SCFSERVICE.EXE; SCFMANAGER.EXE;
      RAVTASK.EXE; CCENTER.EXE; ULIBCFG.EXE; RAVLITE.EXE;
      PCTAV.EXEPCTAVSVC.EXEPXCONSOLE.EXEPXAGENT.EXERAV.EXE; PCTSAUXS.EXE;
      PCTSTRAY.EXE; PCTSSVC.EXE; PCTSGUI.EXE; AVGAS.EXE; PAVBCKPT.EXE;
      WEBPROXY.EXE; PAVSRV51.EXESRVLOAD.EXE; PSIMSVC.EXE; PSHOST.EXE;
      AVENGINE.EXE; PSKMSSVC.EXE; PAVPRSRV.EXE; PAVFNSVR.EXE; PSCTRLS.EXE;
      TPSRV.EXE; NOD32M2.EXE; NOD32CC.EXE; NOD32.EXE; NMAIN.EXE;
      NOD32KUI.EXE; MSASCUI.EXE; MSMPENG.EXE; MCUPDATE.EXE; MCSHIELD.EXE;
      MCVSSHLD.EXE; MCVSRTE.EXE; MCAGENT.EXE; KAVSVC.EXE; KAV.EXE;
      K7TSMNGR.EXE; K7SPMSRC.EXE; K7RTSCAN.EXE; K7PSSRVC.EXE; K7FWSRVC.EXE;
      K7EMLPXY.EXE; K7TSECURITY.EXE; K7SYSTRY.EXE; VIRUSUTILITIES.EXE;
      GUARDXSERVICE.EXE; GUARDXKICKOFF.EXE; AVKWCTL.EXE;
      AVKTUNERSERVICE.EXE; AVKSERVICE.EXE; GDFWSVC.EXE; AVKPROXY.EXE;
      GDFIRE~1.EXE; AVKTRAY.EXE; GDFIREWALLTRAY.EXE; FSAUA.EXE; FSDFWD.EXE;
      FSGK32ST.EXE; FSM32.EXE; FPWIN.EXE; FPAVSERVER.EXE; FPROTTRAY.EXE;
      INICIO.EXE; NOD32KRN.EXE; FSMA32.EXE; APVXDWIN.EXE; UMXPOL.EXE;
      UMXFWHLP.EXE; UMXAGENT.EXE; UMXCFG.EXE; PPCLTPRIV.EXE; SVCPRS32.EXE;
      ITMRTSVC.EXE; CCPROVSP.EXE; MDMCLS32.EXE; CAGLOBALLIGHT.EXE;
      CAPFUPGRADE.EXE; CAPFASEM.EXE; CAFW.EXE; CFGMNG32.EXE; CCTRAY.EXE;
      CLAMTRAY.EXE; CLAMWIN.EXE; ALSVC.EXE; ALMON.EXE; DRWEBSCD.EXE;
      SPIDERML.EXE; DRWEB32W.EXE; ACS.EXE; STRTSVC.EXE; OP_MON.EXE;
      SENSOR.EXE; QHFW332.EXE; CATEYE.EXE; ONLNSVC.EXE; EMLPROUI.EXE;
      UPSCHD.EXE; SCANMSG.EXE; SCANWSCS.EXE; EMLPROXY.EXE; ONLINENT.EXE;
      ASWCLNR.EXE; BDAGENT.EXE; VSSERV.EXE; LIVESRV.EXE; XCOMMSVR.EXE;
      UISCAN.EXE; BDSS.EXE; AVGCMGR.EXE; AVGWSRV.EXE; AVGUI.EXE;
      AVGSCANX.EXE; AVGUPSVC.EXE; AVGAMSVR.EXE; AVGUPD.EXE; AVGTRAY.EXE;
      AVGFRW.EXE; AVGEMC.EXE; AVGNSX.EXE; AVGRSX.EXE; AVGWDSVC.EXE;
      ASHWEBSV.EXE; ASHMAISV.EXE; ASWUPDSV.EXE; ASHSERV.EXE; ASHDISP.EXE;
      AVCENTER.EXE; SCHED.EXE; AVIRARKD.EXE; AVGNT.EXE; AVGUARD.EXE;
      AHNSDSV.EXE; ACAIS.EXE; ACALS.EXE; ACAEGMGR.EXE; QOELOADER.EXE;
      ACAAS.EXE; QUHLPSVC.EXE; AVGCSRVX.EXE; 123.EXE;
      RAVP.EXEMBAM.EXE123.COM; UNIEXTRACT.EXE; SYSANALYZER_SETUP.EXE;
      STARTDRECK.EXE; SPF.EXE; REGX2.EXE; REGSHOT.EXE; REGSCANNER.EXE;
      REGISTRAR_LITE.EXE; REGCOOL.EXE; REGALYZ.EXE;
      PROJECTWHOISINSTALLER.EXE; PROCMON.EXE; CUREIT.EXE; FIXBAGLE.EXE;
      PGSETUP.EXE; OBJMONSETUP.EXE; NETALYZ.EXE; KILLBOX.EXE;
      INSTALLWATCHPRO25.EXE; AVENGER.EXE; IEFIX.EXE; HOSTSFILEREADER.EXE;
      FIXPATH.EXE; FILEFIND.EXE; FILEALYZ.EXE; EULALYZERSETUP.EXE;
      A2HIJACKFREESETUP.EXE; DLLCOMPARE.EXE; CPROCESS.EXE; CPORTS.EXE;
      ASVIEWER.EXE; APT.EXE; APM.EXE; WIRESHARK.EXE; SPYBOTSD.EXE;
      TEATIMER.EXE; SPYBOTSD160.EXE; PROCESSMONITOR.EXE; PROCDUMP.EXE;
      PG2.EXE; LORDPE.EXE; ICESWORD.EXE; REANIMATOR.EXE; ROOTKITNO.EXE;
      RKD.EXE; HACKMON.EXE; UNHACKME.EXE; ROOTKIT_DETECTIVE.EXE;
      AVGARKT.EXE; FSB.EXE; FSBL.EXE; ROOTKITREVEALER.EXE; PSKILL.EXE;
      TASKMON.EXE; TASKLIST.EXE; TASKMAN.EXE; PROCEXP.EXE; MSNFIX.EXE;
      HIJACKTHIS_V2.EXE; HIJACKTHIS.EXE; HIJACKTHIS_SFX.EXE; HJTSETUP.EXE;
      HJTINSTALL.EXE; OLLYDBG.EXE; NETSTAT.EXE; PORTMONITOR.EXE;
      PORTDETECTIVE.EXE; FPORT.EXE; APORTS.EXE; PAVARK.EXE; DARKSPY105.EXE;
      HELIOS.EXE; ROOTKITBUSTER.EXE; ROOTALYZER.EXE; BC5CA6A.EXE; SEEM.EXE;
      DELAYDELFILE.EXE; DUBATOOL_AV_KILLER.EXE; SUPERKILLER.EXE;
      KAKASETUPV6.EXE; BUSCAREG.EXE; MSNCLEANER.EXE; SRESTORE.EXE;
      BOOTSAFE.EXE; SUPERANTISPYWARE.EXE;
      REGUNLOCKER.EXETSNTEVAL.EXEXP_TASKMGRENAB.EXE; CF9409.EXE; GMER.EXE;
      CATCHME.EXE; SDFIX.EXE; COMBOFIX.EXE; SRENGPS.EXE; AUTORUNS.EXE;
      TASKKILL.EXE; REG.EXE; MYPHOTOKILLER.EXE; KILLAUTOPLUS.EXE;
      FOLDERCURE.EXE; REGEDIT.SCR; REGEDIT.COM; TCPVIEW.EXE; LISTO.EXE;
      GUARD.EXE; NTVDM.EXE; COMMAND.COM; COMBOFIX.COM; COMBOFIX.SCR;
      COMBOFIX.BAT; COMBO-FIX.EXE; REGMON.EXE; OTMOVEIT.EXEMBAM-SETUP.EXE;
      JAJA.EXE; AVZ.EXE; MBAM.EXE; MBAM-SETUP.EXE; PENCLEAN.EXE; ELISTA.EXE;
      HJ.EXE; WINDOWS-KB890930-V2.2.EXE; MRTSTUB.EXE; MRT.EXE;
      HIJACK-THIS.EXE; VIRUS.EXE;
      SAFEBOOTKEYREPAIR.EXEOTMOVEIT3.EXEHOSTSXPERT.EXEDAFT.EXE;
      ATF-CLEANER.EXE; COMPAQ_PROPIETARIO.EXE; REGUNLOCKER.EXE;
      UNLOCKERASSISTANT.EXE; UNLOCKER.EXE; SRENGLDR.EXE; HOOKANLZ.EXE;
      UNLOCKER1.8.7.EXE

Come il virus si inserisce nei processi – Si inserisce come thread in un processo.

Nome del processo:
• explorer.exe

Dettagli del file Linguaggio di programmazione:
Il malware è stato scritto in Delphi.

Descrizione inserita da Petre Galan su martedì 23 febbraio 2010
Descrizione aggiornata da Andrei Ivanes su martedì 23 febbraio 2010

Indietro . . . .

La migliore protezione per PC

Prodotti gratuiti

I prodotti piu conosciuti

Tutti i prodotti

Soluzioni unificate

Postazioni lavoro

Server

Soluzioni unificate

Mail Gateways

Web Gateways

Piattaforme di collaborazione

Per utenti privati

Per aziende

Virus Lab

Ulteriore supporto

Diventa un Partner di Avira

Per utenti privati

Per aziende

Desideri provare un prodotto?

Manuali e Strumenti