Virus name: TR/Dldr.Agent.dadr
Discovered: 27/01/2010
Type: Trojan
Subtype: Downloader
In the wild (ITW): Yes
Number of reported infections: Medium-Low
Distribution potential: Medium
Damage potential: Medium
Static file: Yes
File size: 143,360 bytes
MD5 checksum: c715907b7cf47fbcec0d703f1eaaf57d
IVDF version: 7.10.03.109 - Wednesday, 27 January 2010

General

Methods of propagation:
   • Autorun function
   • Local network
   • Messenger


Aliases:
   • McAfee: W32/Spybot.worm
   • Sophos: Troj/DwnLdr-IAF
   • Panda: Bck/IRCBot.CUM
   • ESET: Win32/AutoRun.IRCBot.DZ
   • BitDefender: Trojan.Generic.3005912


Platforms / operating systems:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to certain websites
   • Blocks access to security-related websites
   • Downloads a malicious file
   • Drops malicious files
   • Lowers security settings
   • Modifies the registry
   • Third-party access to and control of the computer

File

It copies itself to the following locations:
   • %SYSDIR%\stacsv.exe
   • %drive%\tmpdata.exe



It deletes the initially executed copy of itself.



It deletes the following file (it is rewritten later; see the Hosts section):
   • %SYSDIR%\drivers\etc\hosts



The following file is created:

%drive%\autorun.inf, a plain text file (not malicious by itself) with the following content:
   •




It tries to download files from the following locations:
   • http://all.messenger-update.ru/**********
   • http://rix.messenger-update.ru/**********




It tries to execute the following commands. Against every targeted security service it runs the same sequence: stop the service (net stop, net1 stop, sc stop), set its start type to disabled (sc config ... start= disabled) and remove it (sc delete), each both directly and wrapped in CMD /C.

File name:
   • ipconfig /flushdns

This clears the DNS resolver cache (which on Windows also caches hosts-file entries), so the rewritten hosts file described in the Hosts section takes effect at once.

K7 Computing services (K7RTScan, K7TSMngr):
   • sc delete K7RTScan
   • CMD /C net stop K7RTScan
   • CMD /C sc stop K7RTScan
   • CMD /C sc config K7RTScan start= disabled
   • net stop K7RTScan
   • sc stop K7RTScan
   • CMD /C sc delete K7RTScan
   • sc config K7RTScan start= disabled
   • net1 stop K7RTScan
   • CMD /C sc stop K7TSMngr
   • CMD /C sc config K7TSMngr start= disabled
   • net stop K7TSMngr
   • sc stop K7TSMngr
   • CMD /C sc delete K7TSMngr
   • net1 stop K7TSMngr
   • sc config K7TSMngr start= disabled
   • sc delete K7TSMngr
   • CMD /C net stop K7TSMngr

avast! services ("avast! Antivirus", acssrv):
   • CMD /C net stop "avast! Antivirus"
   • CMD /C sc stop "avast! Antivirus"
   • net stop "avast! Antivirus"
   • CMD /C sc config "avast! Antivirus" start= disabled
   • sc stop "avast! Antivirus"
   • CMD /C sc delete "avast! Antivirus"
   • net1 stop "avast! Antivirus"
   • sc config "avast! Antivirus" start= disabled
   • sc delete acssrv

Sophos services (SAVService):
   • CMD /C net stop SAVService
   • CMD /C sc stop SAVService
   • net stop SAVService
   • CMD /C sc config SavService start= disabled
   • sc stop SAVService
   • CMD /C sc delete SAVService
   • net1 stop SAVService
   • sc config SavService start= disabled
   • sc delete SAVService

Sophos services (SAVAdminService):
   • CMD /C net stop SAVAdminService
   • CMD /C sc stop SAVAdminService
   • net stop SAVAdminService
   • CMD /C sc config SAVAdminService start= disabled
   • CMD /C sc delete SAVAdminService
   • sc stop SAVAdminService
   • net1 stop SAVAdminService
   • sc config SAVAdminService start= disabled
   • sc delete SAVAdminService

Sophos services ("Sophos AutoUpdate Service"):
   • CMD /C net stop "Sophos AutoUpdate Service"
   • CMD /C sc stop "Sophos AutoUpdate Service"
   • net stop "Sophos AutoUpdate Service"
   • CMD /C sc config "Sophos AutoUpdate Service" start= disabled
   • CMD /C sc delete "Sophos AutoUpdate Service"
   • sc stop "Sophos AutoUpdate Service"
   • net1 stop "Sophos AutoUpdate Service"
   • sc config "Sophos AutoUpdate Service" start= disabled
   • sc delete "Sophos AutoUpdate Service"

Sophos services ("Sophos Client Firewall"):
   • CMD /C net stop "Sophos Client Firewall"
   • CMD /C sc stop "Sophos Client Firewall"
   • net stop "Sophos Client Firewall"
   • CMD /C sc config "Sophos Client Firewall" start= disabled
   • sc stop "Sophos Client Firewall"
   • CMD /C sc delete "Sophos Client Firewall"
   • sc config "Sophos Client Firewall" start= disabled
   • net1 stop "Sophos Client Firewall"
   • sc delete "Sophos Client Firewall"

Sophos services ("Sophos Client Firewall Manager"):
   • CMD /C net stop "Sophos Client Firewall Manager"
   • CMD /C sc stop "Sophos Client Firewall Manager"
   • net stop "Sophos Client Firewall Manager"
   • CMD /C sc config "Sophos Client Firewall Manager" start= disabled
   • sc stop "Sophos Client Firewall Manager"
   • CMD /C sc delete "Sophos Client Firewall Manager"
   • net1 stop "Sophos Client Firewall Manager"
   • sc config "Sophos Client Firewall Manager" start= disabled
   • sc delete "Sophos Client Firewall Manager"
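The command list above is what a detection rule has to recognise: the same stop / disable / delete sequence issued through sc.exe, net.exe and net1.exe, sometimes wrapped in CMD /C. The following Python script is an added example written for this page (it is not part of Avira's description and not the malware's code). It classifies process command lines accordingly and flags any image that sweeps more than one service. The key=value log lines it runs on are constructed for the example and use a hypothetical format; the service names come from the list above.

```python
import re
import shlex
from collections import defaultdict

# Service names this page lists as targets (lower-cased for comparison).
# Anything else that is stopped, disabled or deleted is still reported.
PAGE_TARGETS = {
    "k7rtscan", "k7tsmngr", "avast! antivirus", "acssrv", "savservice",
    "savadminservice", "sophos autoupdate service", "sophos client firewall",
    "sophos client firewall manager",
}

# 'CMD /C <command>' in any case, with or without a path to cmd.exe.
CMD_WRAPPER = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?cmd(?:\.exe)?"?\s+/c\s+(.*)$', re.I)

# Constructed process-creation records in a simple key=value form (hypothetical
# log format, not Avira's data); only the image= and cmdline= fields are used.
LOG_RE = re.compile(r"image=(?P<image>\S+)\s+cmdline=(?P<cmdline>.*)$")


def strip_cmd_wrapper(cmdline):
    """Return the command that 'CMD /C ...' would run; unchanged if not wrapped."""
    m = CMD_WRAPPER.match(cmdline)
    return m.group(1) if m else cmdline


def _basename(token):
    return re.split(r"[\\/]", token.strip('"')).pop().lower()


def classify(cmdline):
    """Return (action, service) when the command line stops, disables or
    deletes a service via sc/net/net1, otherwise None."""
    # posix=False keeps Windows backslashes intact; quotes are stripped by hand.
    argv = shlex.split(strip_cmd_wrapper(cmdline), posix=False)
    if len(argv) < 3:
        return None
    prog, verb, service = _basename(argv[0]), argv[1].lower(), argv[2].strip('"')
    if prog in ("sc", "sc.exe"):
        if verb in ("stop", "delete"):
            return (verb, service)
        if verb == "config":
            # sc.exe requires 'start= disabled' (space after '='); joining the
            # remaining tokens makes a mangled 'start=disabled' match as well.
            if "start=disabled" in "".join(argv[3:]).lower():
                return ("disable", service)
        return None
    if prog in ("net", "net.exe", "net1", "net1.exe") and verb == "stop":
        return ("stop", service)
    return None


def find_service_tampering(log_lines):
    """Return (image, action, service, listed_on_page) for each tampering command."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        result = classify(m.group("cmdline"))
        if result:
            action, service = result
            hits.append((m.group("image"), action, service,
                         service.lower() in PAGE_TARGETS))
    return hits


def suspicious_images(log_lines, min_services=2):
    """Images that stop/disable/delete at least min_services distinct services.
    One 'net stop' is routine administration; one process sweeping several
    security services is the behaviour described above."""
    touched = defaultdict(set)
    for image, _action, service, _listed in find_service_tampering(log_lines):
        touched[image].add(service.lower())
    return sorted(img for img, svcs in touched.items() if len(svcs) >= min_services)


SAMPLE_LOG = [  # constructed for this example
    r"2010-01-27T10:00:01Z pid=1204 image=C:\WINDOWS\system32\stacsv.exe cmdline=ipconfig /flushdns",
    r'2010-01-27T10:00:02Z pid=1204 image=C:\WINDOWS\system32\stacsv.exe cmdline=CMD /C sc config "avast! Antivirus" start= disabled',
    r"2010-01-27T10:00:02Z pid=1204 image=C:\WINDOWS\system32\stacsv.exe cmdline=net1 stop SAVService",
    r"2010-01-27T10:00:03Z pid=1204 image=C:\WINDOWS\system32\stacsv.exe cmdline=sc delete K7RTScan",
    r"2010-01-27T10:00:03Z pid=1204 image=C:\WINDOWS\system32\stacsv.exe cmdline=sc query K7RTScan",
    r"2010-01-27T10:05:00Z pid=3320 image=C:\WINDOWS\system32\mmc.exe cmdline=net stop Spooler",
    r"2010-01-27T10:05:01Z pid=3320 image=C:\WINDOWS\system32\mmc.exe cmdline=sc config Spooler start= auto",
]

if __name__ == "__main__":
    for hit in find_service_tampering(SAMPLE_LOG):
        print(hit)
    print("suspicious:", suspicious_images(SAMPLE_LOG))
```

In real telemetry the command line comes from Sysmon event 1 or Security event 4688 (with command-line auditing enabled); only the LOG_RE parser needs to change. Counting distinct services per image rather than matching single commands keeps the rule from firing on an administrator stopping one service by hand.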

Registry

The following registry key is added in order to run the process after a system reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "ctfmon.exe"="ctfmon.exe"

On its own this entry looks harmless (ctfmon.exe is a legitimate Windows component). It becomes the malware's autostart only through the Image File Execution Options entry listed further below, which makes Windows launch stacsv.exe whenever ctfmon.exe is started.



The following entries are created in order to bypass the Windows XP firewall:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\stacsv.exe"="%SYSDIR%\stacsv.exe:*:Enabled:DHCP Router"

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\DomainProfile\AuthorizedApplications\List]
   • "%SYSDIR%\stacsv.exe"="%SYSDIR%\stacsv.exe:*:Enabled:DHCP Router"

The last field of the value, "DHCP Router", is the display name the firewall control panel shows for the exception; it is chosen by the malware, not by Windows.



The following registry keys are added:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ctfmon.exe]
   • "Debugger"="stacsv.exe"

Windows honours this value by starting the named "debugger" in place of ctfmon.exe, with the original command line appended. Together with the Run entry above, this is how stacsv.exe is started at logon.

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\
   Layers]
   • "%SYSDIR%\stacsv.exe"="DisableNXShowUI"

This application-compatibility layer opts stacsv.exe out of Data Execution Prevention.
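The four registry techniques above (a Run entry, an IFEO Debugger redirect, a DEP opt-out and a firewall exception) are easy to miss when each key is read in isolation; the IFEO entry in particular is what turns the innocent-looking ctfmon.exe autostart into the malware's launcher. The following Python script is an added example written for this page (not Avira's code and not the malware's). It parses a .reg export such as one produced by `reg export`, reports each technique, and correlates Run entries with IFEO Debugger values. The .reg text embedded below is constructed to mirror the entries listed on this page, with one benign Run entry and one benign firewall exception added for contrast.

```python
import re
from collections import defaultdict

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="string value"; other value types (dword:, hex:) are ignored here.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key: {value name: string value}}."""
    tree = defaultdict(dict)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            tree[key]          # record the key even if it has no string values
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            tree[key][_unescape(m.group(1))] = _unescape(m.group(2))
    return dict(tree)


def _image_of(command):
    """Executable file name from a Run-key command line."""
    command = command.strip()
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
    return re.split(r"[\\/]", exe)[-1].lower()


def audit(tree):
    """Return (kind, subject, detail) findings for the four techniques above."""
    findings = []
    for key, values in tree.items():
        k = key.lower()
        if "\\image file execution options\\" in k and "Debugger" in values:
            findings.append(("ifeo_debugger", key.rsplit("\\", 1)[-1].lower(), values["Debugger"]))
        elif k.endswith("\\appcompatflags\\layers"):
            for exe, layers in values.items():
                if "disablenxshowui" in layers.lower():
                    findings.append(("dep_optout", exe, layers))
        elif k.endswith("\\authorizedapplications\\list"):
            for exe, spec in values.items():
                # value layout: <path>:<scope>:<Enabled|Disabled>:<display name>;
                # rsplit keeps the drive-letter colon inside the path
                path, _scope, state, label = spec.rsplit(":", 3)
                if state.lower() == "enabled":
                    findings.append(("firewall_exception", path, label))
        elif k.endswith("\\currentversion\\run"):
            for name, command in values.items():
                findings.append(("autostart", name, command))
    return findings


def ifeo_hijacked_autostarts(findings):
    """Autostart entries whose image carries an IFEO Debugger value: Windows then
    starts the 'debugger' (with the original command line appended) in place of
    the image, so the harmless-looking entry actually launches the debugger."""
    debuggers = {img: dbg for kind, img, dbg in findings if kind == "ifeo_debugger"}
    hits = []
    for kind, name, command in findings:
        if kind == "autostart" and _image_of(command) in debuggers:
            hits.append((name, _image_of(command), debuggers[_image_of(command)]))
    return hits


# Constructed .reg export mirroring the entries listed on this page (not a real dump).
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe"
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="stacsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\WINDOWS\\system32\\stacsv.exe"="DisableNXShowUI"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\stacsv.exe"="C:\\WINDOWS\\system32\\stacsv.exe:*:Enabled:DHCP Router"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"""

if __name__ == "__main__":
    found = audit(parse_reg(SAMPLE_REG))
    for f in found:
        print(f)
    print("IFEO-hijacked autostarts:", ifeo_hijacked_autostarts(found))
```

Any IFEO Debugger value deserves a look, since legitimate uses are rare outside developer machines; a Debugger that names a file in the system directory rather than a known debugger, as here, is the stronger signal. Firewall exceptions are listed with their display name so that a label like "DHCP Router" can be compared with the actual path it covers.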

Messenger

It spreads via instant messaging. The characteristics are described below:

   • MSN Messenger
   • Yahoo Messenger

The URL sent this way points to a copy of the malware described here. If the user downloads and runs that file, the infection process starts over.

Network infection

In order to ensure its propagation, the malware attempts to connect to other machines as described below:

Exploits:
It makes use of the following vulnerabilities:
   • MS04-007 (ASN.1 Vulnerability)
   • MS06-040 (Vulnerability in Server Service)

IP address generation:
It creates random IP addresses while keeping the first octet of its own address, and then tries to establish a connection to the addresses created. On the network this shows up as a burst of outbound connection attempts from one host to otherwise unrelated addresses inside its own /8.

IRC

To deliver system information and to provide remote control, it connects to the following IRC servers. Note that none of the listed ports is the conventional IRC port 6667:

Server: srv3.fas**********.info
Port: 6501
Channel: #nase#
Nickname: USA|NS4|0|XP|%number%

Server: srv3.man**********.ru
Port: 41350
Channel: #nase#
Nickname: USA|NS4|0|XP|%number%

Server: srv3.cor**********.info
Port: 7302
Channel: #nase#
Nickname: N|USA|NS4|0|XP|%number%

Server: srv3.mes**********.ru
Port: 31960
Channel: #nase#
Nickname: N|USA|NS4|0|XP|%number%

Server: srv3.fas**********.info
Port: 31960
Channel: #nase#
Nickname: N|USA|NS4|0|XP|%number%

Server: srv3.spi**********.info
Channel: #nase#
Nickname: N|USA|NS4|0|XP|%number%

Server: srv3.tra**********.info
Channel: #nase#
Nickname: N|USA|NS4|0|XP|%number%

Server: srv3.tri**********.info
Channel: #nase#
Nickname: N|USA|NS4|0|XP|%number%

Server: srv3.pde**********.info
Channel: #nase#
Nickname: N|USA|NS4|0|XP|%number%

Server: srv3.fxp**********.info
Channel: #nase#
Nickname: N|USA|NS4|0|XP|%number%
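The server names above are partly masked, but the nickname grammar and the channel are fixed, and both travel in clear text in the IRC registration (NICK) and JOIN commands, so they make a usable network signature even when the bot reaches a server that is not on this list. The following Python script is an added example written for this page (not Avira's code and not the malware's): a minimal RFC 1459 line parser plus a matcher for the nickname and channel shown above, applied to constructed client-to-server lines whose ports are taken from the table.

```python
import re

# Nickname grammar from the server list above: optional 'N|' prefix, then
# USA|NS4|0|XP|<number>.
BOT_NICK = re.compile(r"^(?:N\|)?USA\|NS4\|0\|XP\|\d+$")
BOT_CHANNEL = "#nase#"
# RFC 1459 line: [':' prefix] <command> <params> [' :' trailing]
IRC_LINE = re.compile(r"^(?::\S+\s+)?(?P<cmd>[A-Za-z]+|\d{3})\s*(?P<rest>.*)$")


def parse_irc_line(line):
    """Return (COMMAND, [params]) for one raw IRC line, or None if it is not one."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith(":"):
        head, trailing = "", rest[1:]
    elif " :" in rest:
        head, trailing = rest.split(" :", 1)
    else:
        head, trailing = rest, None
    params = head.split()
    if trailing is not None:
        params.append(trailing)
    return m.group("cmd").upper(), params


def irc_indicators(stream):
    """stream: iterable of (dst_port, raw_line) for client-to-server IRC traffic.
    Returns ('bot_nick' | 'bot_channel', port, value) for each match."""
    found = []
    for port, line in stream:
        parsed = parse_irc_line(line)
        if not parsed:
            continue
        cmd, params = parsed
        if cmd == "NICK" and params and BOT_NICK.match(params[0]):
            found.append(("bot_nick", port, params[0]))
        elif cmd == "JOIN" and params and BOT_CHANNEL in params[0].split(","):
            found.append(("bot_channel", port, BOT_CHANNEL))
    return found


def confirmed_c2_ports(stream):
    """Ports on which both the bot nickname and the bot channel were seen."""
    seen = {}
    for kind, port, _value in irc_indicators(stream):
        seen.setdefault(port, set()).add(kind)
    return sorted(p for p, kinds in seen.items() if kinds == {"bot_nick", "bot_channel"})


# Constructed client-to-server lines (not a capture); ports match the table above.
SESSION = [
    (6501, "NICK USA|NS4|0|XP|48213"),
    (6501, "USER xp 0 0 :xp"),
    (6501, "JOIN #nase#"),
    (6667, "NICK alice"),
    (6667, "JOIN #python,#security"),
    (31960, "NICK N|USA|NS4|0|XP|7"),
    (31960, "PRIVMSG #nase# :hello"),
]

if __name__ == "__main__":
    for hit in irc_indicators(SESSION):
        print(hit)
    print("confirmed C2 ports:", confirmed_c2_ports(SESSION))
```

The same grammar carries over to an IDS rule that inspects the first bytes of a TCP payload for "NICK " followed by the pattern, regardless of destination port, since the listed servers use several non-standard ones.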

Hosts

The hosts file is modified as described below:

Access to the following domains is redirected to other destinations. Every name is mapped to the same address, 171.168.85.149; because this is not a loopback address, lookups succeed but reach an unrelated host, so the security vendors' sites and support forums simply appear unreachable:
   • 171.168.85.149 msnfix.changelog.fr;
      171.168.85.149 www.incodesolutions.com;
      171.168.85.149 virusinfo.prevx.com;
      171.168.85.149 download.bleepingcomputer.com;
      171.168.85.149 www.dazhizhu.cn; 171.168.85.149 foro.noticias3d.com;
      171.168.85.149 www.spybotupdates.com; 171.168.85.149 club.myce.com;
      171.168.85.149 www.k7computing.com;
      171.168.85.149 softwaresecuritysolutions.com;
      171.168.85.149 www.nabble.com; 171.168.85.149 lurker.clamav.net;
      171.168.85.149 lexikon.ikarus.at;
      171.168.85.149 research.sunbelt-software.com;
      171.168.85.149 www.virusdoctor.jp; 171.168.85.149 www.elitepvpers.de;
      171.168.85.149 guru.avg.com; 171.168.85.149 downloads.sophos.com;
      171.168.85.149 share.skype.com; 171.168.85.149 myantispyware.com;
      171.168.85.149 www.computerhilfen.de;
      171.168.85.149 www.superuser.co.kr; 171.168.85.149 ntfaq.co.kr;
      171.168.85.149 v.dreamwiz.com; 171.168.85.149 cit.kookmin.ac.kr;
      171.168.85.149 forums.whatthetech.com;
      171.168.85.149 forum.hijackthis.de; 171.168.85.149 avg.vo.llnwd.net;
      171.168.85.149 ftp.drweb.com; 171.168.85.149 www.zonealarm.com;
      171.168.85.149 smadaver.com; 171.168.85.149 support.emsisoft.com;
      171.168.85.149 www.huaifai.go.th; 171.168.85.149 www.mostz.com;
      171.168.85.149 www.krupunmai.com; 171.168.85.149 www.cddchiangmai.net;
      171.168.85.149 forum.malekal.com; 171.168.85.149 tech.pantip.com;
      171.168.85.149 sapcupgrades.com;
      171.168.85.149 www.elguruinformatico.com;
      171.168.85.149 forums.avg.com; 171.168.85.149 zastita.com;
      171.168.85.149 support.kaspersky.com; 171.168.85.149 www.247fixes.com;
      171.168.85.149 forum.sysinternals.com;
      171.168.85.149 forum.telecharger.01net.com; 171.168.85.149 sophos.com;
      171.168.85.149 foros.softonic.com;
      171.168.85.149 avast-home.uptodown.com;
      171.168.85.149 dr-web-cureit.softonic.com;
      171.168.85.149 heavenward.ru; 171.168.85.149 forum.smadav.net;
      171.168.85.149 www.forum.kaspersky.com;
      171.168.85.149 www.f-secure.com; 171.168.85.149 www.chkrootkit.org;
      171.168.85.149 diamondcs.com.au; 171.168.85.149 www.rootkit.nl;
      171.168.85.149 www.sysinternals.com; 171.168.85.149 z-oleg.com;
      171.168.85.149 espanol.dir.groups.yahoo.com;
      171.168.85.149 ftp01net.telechargement.fr;
      171.168.85.149 modelayu.com; 171.168.85.149 vaksin.com;
      171.168.85.149 bbs.kaspersky.com.cn;
      171.168.85.149 www.castlecrops.com; 171.168.85.149 www.misec.net;
      171.168.85.149 safecomputing.umn.edu;
      171.168.85.149 www.antirootkit.com; 171.168.85.149 www.greatis.com;
      171.168.85.149 ar.answers.yahoo.com; 171.168.85.149 www.elhacker.org;
      171.168.85.149 research.pandasecurity.com; 171.168.85.149 www.tpu.ro;
      171.168.85.149 www.pinoyden.com; 171.168.85.149 forum.avira.de;
      171.168.85.149 www.rootkit.com; 171.168.85.149 www.pctools.com;
      171.168.85.149 www.pcsupportadvisor.com;
      171.168.85.149 www.resplendence.com;
      171.168.85.149 www.personal.psu.edu; 171.168.85.149 foro.ethek.com;
      171.168.85.149 foro.elhacker.net;
      171.168.85.149 download.zonealarm.com;
      171.168.85.149 spywarehammer.com; 171.168.85.149 www.codelain.com;
      171.168.85.149 www.thaicert.org; 171.168.85.149 vil.nail.com;
      171.168.85.149 search.mcafee.com; 171.168.85.149 wwww.mcafee.com;
      171.168.85.149 download.nai.com;
      171.168.85.149 wwww.experts-exchange.com;
      171.168.85.149 www.bakunos.com; 171.168.85.149 www.darkclockers.com;
      171.168.85.149 www2.gmer.net; 171.168.85.149 ariefew.com;
      171.168.85.149 www.emsisoft.com; 171.168.85.149 forum.romeonet.ro;
      171.168.85.149 www.Merijn.org; 171.168.85.149 www.spywareinfo.com;
      171.168.85.149 www.spybot.info; 171.168.85.149 www.viruslist.com;
      171.168.85.149 www.hijackthis.de; 171.168.85.149 ftp.f-secure.com;
      171.168.85.149 forum.kaspersky.com;
      171.168.85.149 es.trendmicro-europe.com;
      171.168.85.149 www.hvaonline.net; 171.168.85.149 forum.lowyat.net;
      171.168.85.149 kb.eset.com; 171.168.85.149 majorgeeks.com;
      171.168.85.149 www.avp.com; 171.168.85.149 www.virustotal.com;
      171.168.85.149 www.sophos.com;
      171.168.85.149 linhadefensiva.uol.com.br; 171.168.85.149 cmmings.cn;
      171.168.85.149 www.sergiwa.com; 171.168.85.149 www.el-hacker.com;
      171.168.85.149 dl2.agnitum.com; 171.168.85.149 forum.smadav.net;
      171.168.85.149 images.malwareremoval.com;
      171.168.85.149 www.avg-antivirus.net;
      171.168.85.149 www.kaspersky-labs.com;
      171.168.85.149 www.kaspersky.com;
      171.168.85.149 www.bleepingcomputer.com;
      171.168.85.149 www.free.grisoft.com;
      171.168.85.149 alerta-antivirus.inteco.es; 171.168.85.149 greatis.com;
      171.168.85.149 www.oprekpc.com; 171.168.85.149 www.gmer.net;
      171.168.85.149 forum.kasperskyclub.com;
      171.168.85.149 securityresponse.symantec.com;
      171.168.85.149 www.analysis.seclab.tuwien.ac.at;
      171.168.85.149 www.symantec.com; 171.168.85.149 www.kztechs.com;
      171.168.85.149 ad-aware-se.uptodown.com;
      171.168.85.149 stdio-labs.blogspot.com;
      171.168.85.149 forum.lrytas.lt; 171.168.85.149 www.decido.de;
      171.168.85.149 wap.elakiri.com;
      171.168.85.149 liveupdate.symantecliveupdate.com;
      171.168.85.149 liveupdate.symantec.com;
      171.168.85.149 customer.symantec.com;
      171.168.85.149 update.symantec.com; 171.168.85.149 www.box.net;
      171.168.85.149 foro.el-hacker.com;
      171.168.85.149 acs.pandasoftware.com;
      171.168.85.149 egavisa.blogspot.com; 171.168.85.149 angui123.cn;
      171.168.85.149 beta.eset.com; 171.168.85.149 www.mcafee.com;
      171.168.85.149 www.free.avg.com; 171.168.85.149 download.mcafee.com;
      171.168.85.149 mast.mcafee.com; 171.168.85.149 www.tecno-soft.com;
      171.168.85.149 ladooscuro.es; 171.168.85.149 ftp.drweb.com;
      171.168.85.149 download.microsoft.com;
      171.168.85.149 www.mypcsafe.com; 171.168.85.149 www.blindedbytech.com;
      171.168.85.149 kaspersky.com; 171.168.85.149 guru0.grisoft.cz;
      171.168.85.149 guru1.grisoft.cz; 171.168.85.149 guru2.grisoft.cz;
      171.168.85.149 guru3.grisoft.cz;
      171.168.85.149 download.bleepingcomputer.com;
      171.168.85.149 it.answers.yahoo.com; 171.168.85.149 www.softonic.com;
      171.168.85.149 www.mycity.rs; 171.168.85.149 cairopt.net;
      171.168.85.149 rootrepeal.googlepages.com;
      171.168.85.149 guru4.grisoft.cz; 171.168.85.149 guru5.grisoft.cz;
      171.168.85.149 www.virusspy.com; 171.168.85.149 download.f-secure.com;
      171.168.85.149 www.malwareremoval.com; 171.168.85.149 forums.cnet.com;
      171.168.85.149 foros.softonic.com; 171.168.85.149 www.freedrweb.com;
      171.168.85.149 www.kaskus.us; 171.168.85.149 rootrepeal.psikotick.com;
      171.168.85.149 thaicert.nectec.or.th;
      171.168.85.149 hjt-data.trend-braintree.com;
      171.168.85.149 www.pantip.com; 171.168.85.149 secubox.aldria.com;
      171.168.85.149 www.forospyware.com;
      171.168.85.149 www.manuelruvalcaba.com;
      171.168.85.149 www.zonavirus.com; 171.168.85.149 www.leforo.com;
      171.168.85.149 www.gsmph.com; 171.168.85.149 blokvesti.net;
      171.168.85.149 www.viprasys.org; 171.168.85.149 forum.antivir-pe.de;
      171.168.85.149 www.siteadvisor.com;
      171.168.85.149 blog.threatfire.com;
      171.168.85.149 www.threatexpert.com; 171.168.85.149 blog.hispasec.com;
      171.168.85.149 www.configurarequipos.com;
      171.168.85.149 sosvirus.changelog.fr; 171.168.85.149 www.psicofxp.com;
      171.168.85.149 www.gsmph.net; 171.168.85.149 www.gyakorikerdesek.hu;
      171.168.85.149 us.mcafee.com; 171.168.85.149 mailcenter.rising.com.cn;
      171.168.85.149 mailcenter.rising.com;
      171.168.85.149 www.rising.com.cn; 171.168.85.149 www.rising.com;
      171.168.85.149 www.babooforum.com.br;
      171.168.85.149 www.runscanner.net;
      171.168.85.149 www.blogschapines.com; 171.168.85.149 www.zyzoom.org;
      171.168.85.149 www.avsoft.ru; 171.168.85.149 www.elakiri.com;
      171.168.85.149 sosvirus.changelog.fr;
      171.168.85.149 upload.changelog.fr; 171.168.85.149 www.raymond.cc;
      171.168.85.149 changelog.fr; 171.168.85.149 www.pcentraide.com;
      171.168.85.149 atazita.blogspot.com; 171.168.85.149 www.thinkpad.cn;
      171.168.85.149 www.sunbeltsoftware.com; 171.168.85.149 cert.inteco.es;
      171.168.85.149 www.gamexeon.com;
      171.168.85.149 nod32-antivirus.en.softonic.co;
      171.168.85.149 www.final4ever.com; 171.168.85.149 files.filefont.com;
      171.168.85.149 www.infos-du-net.com;
      171.168.85.149 www.trendsecure.com; 171.168.85.149 forum.hardware.fr;
      171.168.85.149 www.utilidades-utiles.com;
      171.168.85.149 blogs.icerocket.com; 171.168.85.149 www.spywarefri.dk;
      171.168.85.149 alfrasha.maktoob.com; 171.168.85.149 www.eset.eu;
      171.168.85.149 www.spychecker.com; 171.168.85.149 www.geekstogo.com;
      171.168.85.149 forums.maddoktor2.com;
      171.168.85.149 www.smokey-services.eu; 171.168.85.149 www.clubic.com;
      171.168.85.149 www.linhadefensiva.org;
      171.168.85.149 www.rolandovera.com; 171.168.85.149 forum.burek.com;
      171.168.85.149 secure.sophos.com; 171.168.85.149 usa.kaspersky.com;
      171.168.85.149 download.sysinternals.com;
      171.168.85.149 www.pcguide.com; 171.168.85.149 www.thetechguide.com;
      171.168.85.149 www.ozzu.com; 171.168.85.149 www.changedetection.com;
      171.168.85.149 espanol.groups.yahoo.com;
      171.168.85.149 www.sunbeltsecurity.com;
      171.168.85.149 www.quickheal.co.in; 171.168.85.149 www.vivalared.com;
      171.168.85.149 community.thaiware.com;
      171.168.85.149 www.avpclub.ddns.info;
      171.168.85.149 www.offensivecomputing.net;
      171.168.85.149 www.grisoft.com; 171.168.85.149 boardreader.com;
      171.168.85.149 www.guiadohardware.net; 171.168.85.149 www.webroot.com;
      171.168.85.149 www.thehelper.net; 171.168.85.149 www.kaldata.com;
      171.168.85.149 vil.nai.com; 171.168.85.149 www.msnvirusremoval.com;
      171.168.85.149 www.cisrt.org; 171.168.85.149 fixmyim.com;
      171.168.85.149 samroeng.hi5.com; 171.168.85.149 foro.elhacker.net;
      171.168.85.149 www.daboweb.com; 171.168.85.149 service1.symantec.com;
      171.168.85.149 us3.download.comodo.com;
      171.168.85.149 forum.gsmhosting.com;
      171.168.85.149 www.computerforum.com;
      171.168.85.149 forums.techguy.org;
      171.168.85.149 www.incodesolutions.com;
      171.168.85.149 hijackthis.download3000.com;
      171.168.85.149 www.cybertechhelp.com;
      171.168.85.149 www.superdicas.com.br; 171.168.85.149 www.51nb.com;
      171.168.85.149 us4.download.comodo.com; 171.168.85.149 www.jbtalks.cc;
      171.168.85.149 ad13.geekstogo.com;
      171.168.85.149 downloads.andymanchesta.com;
      171.168.85.149 andymanchesta.com; 171.168.85.149 info.prevx.com;
      171.168.85.149 aknow.prevx.com; 171.168.85.149 www.zonavirus.com;
      171.168.85.149 securitywonks.net; 171.168.85.149 www.yoreparo.com;
      171.168.85.149 www.spywarecease.com;
      171.168.85.149 forum.dobreprogramy.pl;
      171.168.85.149 community.mcafee.com; 171.168.85.149 www.lavasoft.com;
      171.168.85.149 www.virscan.org; 171.168.85.149 www.eeload.com;
      171.168.85.149 down.www.kingsoft.com; 171.168.85.149 www.file.net;
      171.168.85.149 onecare.live.com; 171.168.85.149 mvps.org;
      171.168.85.149 www.laneros.com; 171.168.85.149 www.pc1news.com;
      171.168.85.149 forum.avira.com;
      171.168.85.149 downloads.novirusthanks.org;
      171.168.85.149 www.housecall.trendmicro.com;
      171.168.85.149 www.avast.com; 171.168.85.149 www.free.avg.com;
      171.168.85.149 www.onlinescan.avast.com; 171.168.85.149 www.ewido.net;
      171.168.85.149 www.trucoswindows.net;
      171.168.85.149 www.mozilla-hispano.org;
      171.168.85.149 www.jackbloodforum.com;
      171.168.85.149 www.kosandpol.elakiri.com;
      171.168.85.149 www.futurenow.bitdefender.com;
      171.168.85.149 www.bitdefender.com; 171.168.85.149 www.f-prot.com;
      171.168.85.149 www.trendsecure.com;
      171.168.85.149 security.symantec.com;
      171.168.85.149 oldtimer.geekstogo.com;
      171.168.85.149 sopiansantosa.blogspot.com;
      171.168.85.149 www.fileresearchcenter.com;
      171.168.85.149 www.looktr.com; 171.168.85.149 www.avira.com;
      171.168.85.149 www.eset.com; 171.168.85.149 www.free.avg.com;
      171.168.85.149 www.free-av.com; 171.168.85.149 kr.ahnlab.com;
      171.168.85.149 www.eset.com; 171.168.85.149 forospyware.com;
      171.168.85.149 thejokerx.blogspot.com; 171.168.85.149 cairopt.net;
      171.168.85.149 oolbar.cyberdefender.com;
      171.168.85.149 golpe.dyndns.org; 171.168.85.149 www.2-spyware.com;
      171.168.85.149 www.antivir.es; 171.168.85.149 www.prevx.com;
      171.168.85.149 www.ikarus.net; 171.168.85.149 bbs.s-sos.net;
      171.168.85.149 www.housecall.trendmicro.com;
      171.168.85.149 www.superdicas.com.br;
      171.168.85.149 www.superantispyware.com;
      171.168.85.149 www.unhackme.com; 171.168.85.149 www.askmehelpdesk.com;
      171.168.85.149 www.forums.majorgeeks.com;
      171.168.85.149 www.castlecops.com; 171.168.85.149 www.virusspy.com;
      171.168.85.149 andymanchesta.com; 171.168.85.149 www.kaspersky.es;
      171.168.85.149 subs.geekstogo.com; 171.168.85.149 www.forospanish.com;
      171.168.85.149 blog.rnsafe.com; 171.168.85.149 www.regrun.com;
      171.168.85.149 irc.snahosting.net; 171.168.85.149 www.trendmicro.com;
      171.168.85.149 www.fortinet.com;
      171.168.85.149 www.safer-networking.org;
      171.168.85.149 www.fortiguardcenter.com;
      171.168.85.149 www.dougknox.com; 171.168.85.149 www.vsantivirus.com;
      171.168.85.149 static.commentcamarche.net;
      171.168.85.149 www.gyakorikerdesek.hu; 171.168.85.149 www.fixya.com;
      171.168.85.149 www.firewallguide.com;
      171.168.85.149 www.auditmypc.com; 171.168.85.149 www.spywaredb.com;
      171.168.85.149 www.mxttchina.com; 171.168.85.149 www.ziggamza.net;
      171.168.85.149 www.forospyware.es;
      171.168.85.149 pogonyuto.forospanish.com;
      171.168.85.149 spywarefiles.prevx.com;
      171.168.85.149 k2r.th3kings.net;
      171.168.85.149 www.betterantivirus.com;
      171.168.85.149 www.antivirus.comodo.com;
      171.168.85.149 www.spywareterminator.com;
      171.168.85.149 www.eradicatespyware.net;
      171.168.85.149 www.freespywareremoval.info;
      171.168.85.149 www.personalfirewall.comodo.com;
      171.168.85.149 wakoopa.com; 171.168.85.149 forum.drweb.com;
      171.168.85.149 bb1.th3kings.net;
      171.168.85.149 www.commentcamarche.net; 171.168.85.149 www.clamav.net;
      171.168.85.149 www.antivirus.about.com;
      171.168.85.149 www.pandasecurity.com; 171.168.85.149 www.webphand.com;
      171.168.85.149 mx.answers.yahoo.com;
      171.168.85.149 www.securitywonks.net;
      171.168.85.149 www.messengeradictos.com;
      171.168.85.149 www.geekpolice.net; 171.168.85.149 bub.th3kings.net;
      171.168.85.149 www.sandboxie.com; 171.168.85.149 www.clamwin.com;
      171.168.85.149 www.cwsandbox.org; 171.168.85.149 www.ca.com;
      171.168.85.149 www.arswp.com; 171.168.85.149 es.answers.yahoo.com;
      171.168.85.149 www.trucoswindows.es;
      171.168.85.149 www.ipaddresser.com; 171.168.85.149 www.abgenis.net;
      171.168.85.149 www.freefixer.com; 171.168.85.149 forums.afterdawn.com;
      171.168.85.149 www.networkworld.com;
      171.168.85.149 www.cddchiangmai.net;
      171.168.85.149 www.threatexpert.com; 171.168.85.149 www.norman.com;
      171.168.85.149 espanol.answers.yahoo.com;
      171.168.85.149 www.tallemu.com; 171.168.85.149 foro.portalhacker.net;
      171.168.85.149 www.groupwhere.org;
      171.168.85.149 sniff.runescapetube.com; 171.168.85.149 virscan.org;
      171.168.85.149 www.viruschief.com; 171.168.85.149 scanner.virus.org;
      171.168.85.149 www.hijackthis.de;
      171.168.85.149 housecall65.trendmicro.com;
      171.168.85.149 www.guiadohardware.net;
      171.168.85.149 forums.whatthetech.com;
      171.168.85.149 mustlovewine.com; 171.168.85.149 www3.malekal.com;
      171.168.85.149 esetnod32antivirus.blogspot.com;
      171.168.85.149 hjt.networktechs.com;
      171.168.85.149 www.techsupportforum.com;
      171.168.85.149 www.whatthetech.com; 171.168.85.149 www.soccersuck.com;
      171.168.85.149 www.pcentraide.com;
      171.168.85.149 comunidad.wilkinsonpc.com.co;
      171.168.85.149 forum.hocit.com; 171.168.85.149 forum.smadav.net;
      171.168.85.149 fgp.e2doo.com; 171.168.85.149 community.thaiware.com;
      171.168.85.149 forum.piriform.com;
      171.168.85.149 www.tweaksforgeeks.com; 171.168.85.149 www.daniweb.com;
      171.168.85.149 www.geekstogo.com; 171.168.85.149 es.answers.yahoo.com;
      171.168.85.149 www.techsupportforum.com;
      171.168.85.149 dnl-eu8.kaspersky-labs.com;
      171.168.85.149 www.oprekpc.com; 171.168.85.149 shv4.ath.cx;
      171.168.85.149 www.pcworld.com; 171.168.85.149 www.pchell.com;
      171.168.85.149 www.spyany.com; 171.168.85.149 forums.techguy.org;
      171.168.85.149 www.experts-exchange.com; 171.168.85.149 www.wikio.es;
      171.168.85.149 www.pandasecurity.com;
      171.168.85.149 forums.devshed.com;
      171.168.85.149 devbuilds.kaspersky-labs.com;
      171.168.85.149 hana-ahmad.blogspot.com;
      171.168.85.149 forum.tweaks.com;
      171.168.85.149 www.wilderssecurity.com;
      171.168.85.149 www.techspot.com;
      171.168.85.149 www.thecomputerpitstop.com;
      171.168.85.149 es.wasalive.com; 171.168.85.149 secunia.com;
      171.168.85.149 www.killtrojan.net; 171.168.85.149 www.ulop.net;
      171.168.85.149 www.eliters.com;
      171.168.85.149 sip4.voipkosovasite.com; 171.168.85.149 es.kioskea.net;
      171.168.85.149 www.taringa.net; 171.168.85.149 www.cyberdefender.com;
      171.168.85.149 www.feedage.com; 171.168.85.149 new.taringa.net;
      171.168.85.149 forum.zazana.com;
      171.168.85.149 forum.clubedohardware.com.br;
      171.168.85.149 mks.com.pl; 171.168.85.149 www.vietcaravan.us;
      171.168.85.149 trbotnet.sytes.net; 171.168.85.149 www.computing.net;
      171.168.85.149 discussions.virtualdr.com;
      171.168.85.149 forum.securitycadets.com;
      171.168.85.149 www.techimo.com; 171.168.85.149 13iii.com;
      171.168.85.149 www.dicasweb.com.br;
      171.168.85.149 www.javacoolsoftware.net; 171.168.85.149 cofradia.org;
      171.168.85.149 wasteland-bg.com; 171.168.85.149 www.windowexe.com;
      171.168.85.149 www.infosecpodcast.com;
      171.168.85.149 www.usbcleaner.cn; 171.168.85.149 www.net-security.org;
      171.168.85.149 www.bleedingthreats.net;
      171.168.85.149 acs.pandasoftware.com;
      171.168.85.149 www.funkytoad.com; 171.168.85.149 malwarebytes.org;
      171.168.85.149 sabithpocker.blogspot.com;
      171.168.85.149 comprolive.vox.com; 171.168.85.149 www.360safe.cn;
      171.168.85.149 www.360safe.com; 171.168.85.149 bbs.360safe.cn;
      171.168.85.149 bbs.360safe.com; 171.168.85.149 codehard.wordpress.com;
      171.168.85.149 forum.clubedohardware.com.br;
      171.168.85.149 antitrick.com;
      171.168.85.149 www.configurarequipos.com;
      171.168.85.149 www.jiwang.org;
      171.168.85.149 anti-virus-software-review.toptenreviews.com;
      171.168.85.149 www.360.cn; 171.168.85.149 www.360.com;
      171.168.85.149 bbs.360safe.cn; 171.168.85.149 bbs.360safe.com;
      171.168.85.149 www.forospyware.es; 171.168.85.149 p3dev.taringa.net;
      171.168.85.149 www.precisesecurity.com;
      171.168.85.149 dlpe.antivir.com; 171.168.85.149 www.jvme.com;
      171.168.85.149 share.skype.com; 171.168.85.149 comprolive.com;
      171.168.85.149 gotoknow.org; 171.168.85.149 baike.360.cn;
      171.168.85.149 baike.360.com; 171.168.85.149 kaba.360.cn;
      171.168.85.149 kaba.360.com; 171.168.85.149 deckard.geekstogo.com;
      171.168.85.149 www.taringa.net; 171.168.85.149 forums.comodo.com;
      171.168.85.149 www.mvps.org; 171.168.85.149 melcy.wordpress.com;
      171.168.85.149 forum.softpedia.com;
      171.168.85.149 pcvids.wordpress.com; 171.168.85.149 down.360safe.cn;
      171.168.85.149 down.360safe.com; 171.168.85.149 x.360safe.com;
      171.168.85.149 dl.360safe.com; 171.168.85.149 ftp.drweb.com;
      171.168.85.149 www.hotshare.net; 171.168.85.149 es.wasalive.com;
      171.168.85.149 free.antivirus.com; 171.168.85.149 forum.hocit.com;
      171.168.85.149 destavision-forum.com;
      171.168.85.149 inspiresoft.blogspot.com;
      171.168.85.149 updatem.360safe.com; 171.168.85.149 updatem.360safe.cn;
      171.168.85.149 update.360safe.cn; 171.168.85.149 update.360safe.com;
      171.168.85.149 www.utilidades-utiles.com;
      171.168.85.149 forum.kaspersky.com;
      171.168.85.149 www.indowebster.web.id; 171.168.85.149 zastita.com;
      171.168.85.149 www.sz-pet.com; 171.168.85.149 foros.abcdatos.com;
      171.168.85.149 bbs.duba.net; 171.168.85.149 www.duba.net;
      171.168.85.149 zhidao.baidu.com; 171.168.85.149 hi.baidu.com;
      171.168.85.149 www.drweb.com.es;
      171.168.85.149 msncleaner.softonic.com;
      171.168.85.149 www.javacoolsoftware.com;
      171.168.85.149 beniono.wordpress.com;
      171.168.85.149 www.4-gsmteam.com;
      171.168.85.149 msntubers.freehostia.com;
      171.168.85.149 file.ikaka.com; 171.168.85.149 file.ikaka.cn;
      171.168.85.149 bbs.ikaka.com; 171.168.85.149 zhidao.ikaka.com;
      171.168.85.149 www.eset-la.com; 171.168.85.149 download.eset.com;
      171.168.85.149 software-files.download.com;
      171.168.85.149 www.faravirusi.com; 171.168.85.149 www.winbots.es;
      171.168.85.149 forum.chip.de; 171.168.85.149 www.thailandsusu.com;
      171.168.85.149 www.ikaka.com; 171.168.85.149 www.ikaka.cn;
      171.168.85.149 bbs.cfan.com.cn; 171.168.85.149 www.cfan.com.cn;
      171.168.85.149 www.pandasecurity.com; 171.168.85.149 es.mcafee.com;
      171.168.85.149 downloads.malwarebytes.org;
      171.168.85.149 www.devirusare.com; 171.168.85.149 forum.skype.com;
      171.168.85.149 shitit.net; 171.168.85.149 www.webimmune.net;
      171.168.85.149 bbs.kafan.cn; 171.168.85.149 bbs.kafan.com;
      171.168.85.149 bbs.kpfans.com; 171.168.85.149 bbs.taisha.org;
      171.168.85.149 www.manuelruvalcaba.com;
      171.168.85.149 support.f-secure.com; 171.168.85.149 bbs.winzheng.com;
      171.168.85.149 devirusare.com; 171.168.85.149 social.microsoft.com;
      171.168.85.149 www.shitit.net; 171.168.85.149 mx.answers.yahoo.com;
      171.168.85.149 alerta-antivirus.inteco.es;
      171.168.85.149 foros.zonavirus.com;
      171.168.85.149 alerta-antivirus.red.es;
      171.168.85.149 www.zonavirus.com; 171.168.85.149 www.malwarebytes.org;
      171.168.85.149 www.commentcamarche.net;
      171.168.85.149 news.support.veritas.com;
      171.168.85.149 www.zonealarm.com; 171.168.85.149 www.ewido.net;
      171.168.85.149 www.infospyware.com; 171.168.85.149 www.bitdefender.es;
      171.168.85.149 housecall.trendmicro.com;
      171.168.85.149 foros.toxico-pc.com; 171.168.85.149 www.identi.es;
      171.168.85.149 es.kioskea.net; 171.168.85.149 virusinfo.info;
      171.168.85.149 forums.zonealarm.com;
      171.168.85.149 foro.infiernohacker.com;
      171.168.85.149 www.emsisoft.de;
      171.168.85.149 www.securitynewsportal.com;
      171.168.85.149 irc.ekizmedia.com;
      171.168.85.149 zone.arminboutique.com;
      171.168.85.149 story.dnsentrymx.com
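The rewrite above has two recognisable properties: it names security vendors' sites, and it points a very large number of names at one address that is not loopback. The following Python script is an added example written for this page (not Avira's code): it parses a hosts file and reports both properties, so it also catches a variant that uses another address or another name list. The hosts text embedded below is constructed for the example and uses only a handful of the names listed above; the watch list is an assumption and should be replaced by whatever vendor domains matter in a given environment.

```python
import ipaddress
from collections import defaultdict

# A handful of the names from the listing above; any vendor watchlist will do.
WATCHLIST = {
    "www.avira.com", "forum.avira.com", "www.kaspersky.com", "www.symantec.com",
    "www.sophos.com", "www.virustotal.com", "www.mcafee.com", "download.microsoft.com",
}
LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def parse_hosts(text):
    """Return [(ip, hostname), ...] for every mapping in a hosts file.
    '#' starts a comment. Records joined with ';' on one line, as in the
    listing above, are split as well; a real hosts file has one per line."""
    entries = []
    for raw in text.splitlines():
        for record in raw.split("#", 1)[0].split(";"):
            parts = record.split()
            if len(parts) < 2:
                continue
            try:
                ip = ipaddress.ip_address(parts[0])
            except ValueError:
                continue  # not a hosts record
            entries.extend((ip, host.lower()) for host in parts[1:])
    return entries


def audit_hosts(text, fan_in=5):
    """Findings as (kind, ip, detail):
    'watchlist_redirect': a watch-listed name mapped anywhere (loopback included);
    'fan_in': one non-loopback address carrying >= fan_in names, which is the
    shape of the rewrite above whatever names or address a variant uses."""
    by_ip = defaultdict(set)
    for ip, host in parse_hosts(text):
        by_ip[ip].add(host)
    findings = []
    for ip, hosts in by_ip.items():
        watched = sorted(h for h in hosts if h in WATCHLIST)
        if watched:
            findings.append(("watchlist_redirect", str(ip), watched))
        if ip not in LOOPBACK and len(hosts) >= fan_in:
            findings.append(("fan_in", str(ip), len(hosts)))
    return findings


def audit_hosts_file(path=r"C:\WINDOWS\system32\drivers\etc\hosts"):
    """Run the audit on the live file; the default path assumes %SYSDIR% is C:\\WINDOWS\\system32."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


SAMPLE_HOSTS = """\
# Constructed example, not a capture from an infected machine.
127.0.0.1       localhost
::1             localhost
192.168.1.10    build.internal   # legitimate local override
171.168.85.149 www.avira.com; 171.168.85.149 www.kaspersky.com;
171.168.85.149 www.symantec.com; 171.168.85.149 www.virustotal.com
171.168.85.149 forum.avira.com
171.168.85.149 download.microsoft.com
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Because the page states that the original hosts file is deleted before the new one is written, a modification time on %SYSDIR%\drivers\etc\hosts that is later than the system's installation or last patch date is worth checking alongside the content.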


Process injection

It injects itself as a remote thread into a process.

    Process name:
   • explorer.exe


File details

Runtime packer:
In order to hinder detection and reduce the file size, it is compressed with a runtime packer.

Description inserted by Petre Galan on Wednesday, 5 May 2010
Description updated by Petre Galan on Wednesday, 5 May 2010
