Virus name: W32/Agent.DP
Discovered: 20/11/2009
Type: Trojan
In the wild (ITW): Yes
Number of reported infections: Low to medium
Spreading potential: Low to medium
Damage potential: Medium
Static file: Yes
File size: 26,112 bytes
MD5 checksum: 13aec81e42625335dbbe845426f2db2a
IVDF version: 7.10.01.37 - Friday, 20 November 2009

General
Method of propagation:
   • Autorun feature


Aliases:
   •  Mcafee: W32/Autorun.worm.c virus
   •  Sophos: W32/FuzVir-A
   •  Panda: W32/Autorun.JLX.worm
   •  Eset: Win32/AutoRun.AntiAV.P
   •  Bitdefender: Trojan.Generic.3041547


Platforms / Operating systems:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Registry modification

File
Copies itself to the following locations:
   • %drive%\recycle\{645FF040-5081-101B-9F08-00AA002F954E}\Ghost.exe
   • %SYSDIR%\dllcache\lsasvc.dll



Overwrites the following files:
   • %SYSDIR%\qmgr.dll
   • %SYSDIR%\drivers\etc\hosts



Deletes the initially executed copy of itself.



Deletes the following files:
   • %TEMPDIR%\NtHid.sys
   • %TEMPDIR%\Loopt.bat



The following files are created:

%drive%\autorun.inf This is a non-malicious text file with the following content:
   •

%TEMPDIR%\NtHid.sys Further analysis showed that this file is also malware. Detected as: Rkit/Agent.xsa

%TEMPDIR%\Loopt.bat This file is executed once it has been fully written. This batch file is used to delete a file.



Tries to download a file:

– The location is the following:
   • http://nbtj.114anhui.com/msn/**********




Tries to execute the following files:

– Filename:
   • cmd /c ""%TEMPDIR%\Loopt.bat" "


– Filename:
   • "%PROGRAM FILES%\Internet Explorer\iexplore.exe" http://nbtj.114anhui.com/msn/163.htm

Registry
The values of the following registry key are removed:

–  [HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
   • 0048F8D37B153F6EA2798C323EF4F318A5624A9E
   • 00EA522C8A9C06AA3ECCE0B4FA6CDC21D92E8099
   • 0483ED3399AC3608058722EDBC5E4600E3BEF9D7
   • 049811056AFE9FD0F5BE01685AACE6A5D1C4454C
   • 0B77BEBBCB7AA24705DECC0FBD6A02FC7ABD9B52
   • 1331F48A5DA8E01DAACA1BB0C17044ACFEF755BB
   • 1F55E8839BAC30728BE7108EDE7B0BB0D3298224
   • 209900B63D955728140CD13622D8C687A4EB0085
   • 216B2A29E62A00CE820146D8244141B92511B279
   • 23E594945195F2414803B4D564D2A3A3F5D88B8C
   • 24A40A1F573643A67F0A4B0749F6A22BF28ABB6B
   • 24BA6D6C8A5B5837A48DB5FAE919EA675C94D217
   • 273EE12457FDC4F90C55E82B56167F62F532E547
   • 284F55C41A1A7A3F8328D4C262FB376ED6096F24
   • 2F173F7DE99667AFA57AF80AA2D1B12FAC830338
   • 317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6
   • 36863563FD5128C7BEA6F005CFE9B43668086CCE
   • 394FF6850B06BE52E51856CC10E180E882B385CC
   • 3F85F2BB4A62B0B58BE1614ABB0D4631B4BEF8BA
   • 4072BA31FEC351438480F62E6CB95508461EAB2F
   • 40E78C1D523D1CD9954FAC1A1AB3BD3CBAA15BFC
   • 43DDB1FFF3B49B73831407F6BC8B975023D07C50
   • 43F9B110D5BAFD48225231B0D0082B372FEF9A54
   • 4463C531D7CCC1006794612BB656D3BF8257846F
   • 47AFB915CDA26D82467B97FA42914468726138DD
   • 4B421F7515F6AE8A6ECEF97F6982A400A4D9224E
   • 4BA7B9DDD68788E12FF852E1A024204BF286A8F6
   • 4C95A9902ABE0777CED18D6ACCC3372D2748381E
   • 4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9
   • 4EFCED9C6BDD0C985CA3C7D253063C5BE6FC620C
   • 4F65566336DB6598581D584A596C87934D5F2AB4
   • 54F9C163759F19045121A319F64C2D0555B7E073
   • 58119F0E128287EA50FDD987456F4F78DCFAD6D4
   • 5B4E0EC28EBD8292A51782241281AD9FEEDD4E4C
   • 5D989CDB159611365165641B560FDBEA2AC23EF1
   • 5E5A168867BFFF00987D0B1DC2AB466C4264F956
   • 5E997CA5945AAB75FFD14804A974BF2AE1DFE7E1
   • 627F8D7827656399D27D7F9044C9FEB3F33EFA9A
   • 6372C49DA9FFF051B8B5C7D4E5AAE30384024B9C
   • 6782AAE0EDEEE21A5839D3C0CD14680A4F60142A
   • 67EB337B684CEB0EC2B0760AB488278CDD9597DD
   • 687EC17E0602E3CD3F7DFBD7E28D57A0199A3F44
   • 688B6EB807E8EDA5C7B17C4393D0795F0FAE155F
   • 68ED18B309CD5291C0D3357C1D1141BF883866B1
   • 69BD8CF49CD300FB592E1793CA556AF3ECAA35FB
   • 6A174570A916FBE84453EED3D070A1D8DA442829
   • 720FC15DDC27D456D098FABF3CDD78D31EF5A8DA
   • 74207441729CDD92EC7931D823108DC28192E2BB
   • 742C3192E607E424EB4549542BE1BBC53E6174E2
   • 7639C71847E151B5C7EA01C758FBF12ABA298F7A
   • 78E9DD0650624DB9CB36B50767F209B843BE15B3
   • 7A74410FB0CD5C972A364B71BF031D88A6510E9E
   • 7AC5FFF8DCBC5583176877073BF751735E9BD358
   • 7CA04FD8064C1CAA32A37AA94375038E8DF8DDC0
   • 7E784A101C8265CC2DE1F16D47B440CAD90A1945
   • 81968B3AEF1CDC70F5FA3269C292A3635BD123D3
   • 838E30F77FDD14AA385ED145009C0E2236494FAA
   • 85371CA6E550143DCE2803471BDE3A09E8F8770F
   • 85A408C09C193E5D51587DCDD61330FD8CDE37BF
   • 879F4BEE05DF98583BE360D633E70D3FFE9871AF
   • 8EB03FC3CF7BB292866268B751223DB5103405CB
   • 9078C5A28F9A4325C2A7C73813CDFE13C20F934E
   • 90AEA26985FF14804C434952ECE9608477AF556F
   • 90DEDE9E4C4E9F6FD88617579DD391BC65A68964
   • 96974CD6B663A7184526B1D648AD815CF51E801A
   • 97817950D81C9670CC34D809CF794431367EF474
   • 97E2E99636A547554F838FBA38B82E74F89A830A
   • 99A69BE61AFE886B4D2B82007CB854FC317E1539
   • 9BACF3B664EAC5A17BED08437C72E4ACDA12F7E7
   • 9E6CEB179185A29EC6060CA53E1974AF94AF59D4
   • 9FC796E8F8524F863AE1496D381242105F1B78F5
   • A399F76F0CBF4C9DA55E4AC24E8960984B2905B6
   • A3E31E20B2E46A328520472D0CDE9523E7260C6D
   • A5EC73D48C34FCBEF1005AEB85843524BBFAB727
   • AB48F333DB04ABB9C072DA5B0CC1D057F0369B46
   • ACED5F6553FD25CE015F1F7A483B6A749F6178C6
   • B172B1A56D95F91FE50287E14D37EA6A4463768A
   • B19DD096DCD4E3E0FD676885505A672C438D4E9C
   • B3EAC44776C9C81CEAF29D95B6CCA0081B67EC9D
   • B5D303BF8682E152919D83F184ED05F1DCE5370C
   • B6AF5BE5F878A00114C3D7FEF8C775C34CCD17B6
   • B72FFF92D2CE43DE0A8D4C548C503726A81E2B93
   • BC9219DDC98E14BF1A781F6E280B04C27F902712



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\krnl360svc.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MPSVC2.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UfSeAgnt.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MpfSrv.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TMBMSRV.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360hotfix.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TmProxy.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avgnt.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\msksrver.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Mcagent.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360rpt.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avmailc.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MPMon.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kmailmon.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavTask.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kswebshield.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVSrvXP.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rsnetsvr.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ScanFrm.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360tray.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVMonXP.kxp]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avwebgrd.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcsysmon.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RsTray.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ekrn.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kwatch.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\seccenter.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\vsserv.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\CCenter.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MPSVC1.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ccSvcHst.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SfCtlCom.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\bdagent.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360safe.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kissvc.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360speedld.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\McSACore.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\egui.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avguard.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\sched.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360SoftMgrSvc.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Mcshield.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kpfwsvc.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MPSVC.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avp.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360safebox.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\qutmserv.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavMonD.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\livesrv.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kpfw32.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcvsshld.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcmscsvc.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\McProxy.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\McNASvc.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ast.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avcenter.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Mcods.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RsAgent.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kavstart.exe]
   • "Debugger"="ntsd -"



The following registry keys are changed:

– [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\
   Winlogon]
   New value:
   • "ParseAutoexec"="1"

– [HKLM\SYSTEM\CurrentControlSet\Services\BITS]
   New value:
   • "Start"=dword:0x00000002
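The two registry sections above describe the malware's anti-security-software trick (an Image File Execution Options "Debugger" value of "ntsd -" for each security product's process name, so that Windows launches that debugger command in place of the product and the product never starts normally) and its change of the BITS service start type to 2 (automatic start, which matters because %SYSDIR%\qmgr.dll, the DLL overwritten earlier in this description, is the DLL that service loads inside svchost.exe). The script below is an added example written for this page, not Avira's code or tooling: it parses the plain-text output of a registry export (the format produced by `reg export` or Regedit) and flags both indicators. The export text is constructed for the example; the image-name set is a subset of the names listed on this page, and any other IFEO Debugger entry is reported for review rather than rated high.

```python
"""Scan a Windows .reg export for the registry changes this description lists:
IFEO "Debugger" hijacks of security products and the BITS Start type.
Added example for this page; not Avira's code.  Sample input is constructed."""
import re
from typing import Dict, List, Optional, Tuple

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options" + "\\")
BITS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS"

# Subset of the process names from this description's "registry keys added" list.
SECURITY_IMAGES = {"avguard.exe", "avgnt.exe", "ekrn.exe", "egui.exe",
                   "mcshield.exe", "360tray.exe", "ccsvchst.exe", "avp.exe",
                   "vsserv.exe", "bdagent.exe", "tmbmsrv.exe", "kvmonxp.kxp"}

_KEY_RE = re.compile(r"^\[(-?)(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: value}} from .reg text.
    REG_SZ values are unescaped; other types are kept raw (e.g. 'dword:00000002')."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(2)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, raw = _unescape(m.group(1)), m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                raw = _unescape(raw[1:-1])
            keys[current][name] = raw
    return keys


def find_ifeo_debuggers(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (image_name, debugger_value, severity) for every IFEO subkey with a
    Debugger value.  'ntsd -' or a security-product image name is rated 'high':
    that combination exists only to stop the image from running."""
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(IFEO_PREFIX.lower()):
            continue
        image = path[len(IFEO_PREFIX):]
        debugger = values.get("Debugger")
        if debugger is None:
            continue
        high = (debugger.strip().lower() == "ntsd -"
                or image.lower() in SECURITY_IMAGES)
        findings.append((image, debugger, "high" if high else "review"))
    return sorted(findings)


def bits_start_type(keys: Dict[str, Dict[str, str]]) -> Optional[int]:
    """Return the BITS service Start value (2 = SERVICE_AUTO_START) or None."""
    raw = keys.get(BITS_KEY, {}).get("Start")
    if raw is None or not raw.lower().startswith("dword:"):
        return None
    return int(raw[len("dword:"):], 16)


# Constructed export: two hijacks as on this page, one legitimate developer
# debugger, one unrelated IFEO value, and the BITS change.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]
"Debugger"="ntsd -"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="ntsd -"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Tools\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\other.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000002
'''

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for image, dbg, severity in find_ifeo_debuggers(parsed):
        print(f"[{severity}] IFEO {image} -> Debugger={dbg!r}")
    print("BITS Start =", bits_start_type(parsed))
```

On a real host, export the IFEO key and the BITS service key with `reg export` and pass the file contents to `parse_reg_export`; a "high" finding for a product you run means that product is being prevented from starting, and the remediation is to delete the Debugger value (or the whole subkey) after removing the sample, then confirm the service starts again.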

Hosts file
The hosts file is modified as follows:

– In this case, the existing entries are deleted.

Process injection
– Injects the following file into a process: %SYSDIR%\qmgr.dll

   Process name:
   • svchost.exe


File details
Runtime packer:
To hinder detection and reduce the file size, it is compressed with a runtime packer.

Description inserted by Petre Galan on Tuesday, 22 June 2010
Description updated by Petre Galan on Thursday, 24 June 2010
