Virus name: TR/Devis.45056.22
Discovered: 13/08/2010
Type: Trojan
In the wild (ITW): Yes
Number of reported infections: Low to medium
Spreading potential: Low
Damage potential: Medium
Static file: Yes
File size: 45056 bytes
MD5 checksum: fa8d63f8aebc11a357433c556df5cfc4
VDF version: 7.10.04.147
IVDF version: 7.10.10.182 - Friday, 13 August 2010

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan.Win32.Pincav.aequ
   •  TrendMicro: TROJ_AGENT.ZJA
   •  F-Secure: Trojan.Win32.Pincav.aequ
   •  Sophos: Mal/Rimecud-E
   •  Bitdefender: Rootkit.38546
   •  Eset: Win32/Injector.CSV


Platforms / operating systems:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Third-party access to and control of the computer
   • Can be used to modify system settings that permit or amplify the behaviour of other potential malware
   • Registry modification

File
It copies itself to the following location:
   • %SYSDIR%\sysdevop.exe



It deletes the initially executed copy of itself.

Registry
The following registry key is added in order to run the process after a system reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "System Development Operations"="%SYSDIR%\sysdevop.exe"



The following registry keys, including all of their values and subkeys, are removed (these trees define the drivers and services loaded in Safe Mode, so deleting them leaves the system unable to boot into Safe Mode):
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppMgmt]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Base]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot Bus Extender]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot file system]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CryptSvc]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DcomLaunch]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmadmin]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmboot.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmio.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmload.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmserver]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\EventLog]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\File system]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Filter]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HelpSvc]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Netlogon]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PCI Configuration]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PlugPlay]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PNP Filter]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Primary disk]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RpcSs]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SCSI Class]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sermouse.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sr.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SRService]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\System Bus Extender]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vds]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vga.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vgasave.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinMgmt]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\AFD]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\AppMgmt]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Base]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot Bus Extender]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot file system]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Browser]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\CryptSvc]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\DcomLaunch]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Dhcp]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmadmin]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmboot.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmio.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmload.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmserver]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\DnsCache]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\EventLog]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\File system]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Filter]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\HelpSvc]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\ip6fw.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\ipnat.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\LanmanServer]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\LanmanWorkstation]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\LmHosts]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Messenger]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS Wrapper]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Ndisuio]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOS]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOSGroup]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBT]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetDDEGroup]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Netlogon]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetMan]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Network]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetworkProvider]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\NtLmSsp]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\PCI Configuration]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\PlugPlay]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP Filter]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP_TDI]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Primary disk]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpcdd.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpdd.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpwd.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdsessmgr]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\RpcSs]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\SCSI Class]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\sermouse.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\sharedaccess]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\sr.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\SRService]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Streams Drivers]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\System Bus Extender]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\Tcpip]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\TDI]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdpipe.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdtcp.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\termservice]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\UploadMgr]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\vga.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\vgasave.sys]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\WinMgmt]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\WZCSVC]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
   • [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]



The following registry key is added:

[HKCU\Software\Microsoft\Windows\CurrentVersion\App]
   • "new"="yes"

IRC
To send system information and to provide remote control, it connects to the following IRC server:

Server: r0x.fucklamerz.ru
Port: 3030
Channel: #rox
Nickname: n{USA|XP}gurguda


Furthermore, it has the ability to perform actions such as:
   • Connect to the IRC server
   • Join the IRC channel
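The indicators in the File, Registry and IRC sections above lend themselves to a host triage check. The following PowerShell script is an added example written for this page, not Avira's code: it looks for the dropped file and compares its MD5 with the one listed, checks the Run value and the HKCU marker, verifies that the SafeBoot\Minimal and SafeBoot\Network trees still exist (the trojan deletes them, so their absence is itself an indicator), and lists established connections to the IRC port. It assumes PowerShell 4 or later (for Get-FileHash) running in an elevated session on the host under examination; the variable names and messages are my own.

```powershell
# Added example, not part of the Avira description. Constant values below
# (file name, Run value name, MD5, marker key, IRC server/port) are taken
# from the description; everything else is assumption.

$ExpectedMd5 = 'fa8d63f8aebc11a357433c556df5cfc4'
$DropPath    = Join-Path $env:SystemRoot 'system32\sysdevop.exe'   # %SYSDIR%\sysdevop.exe
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue    = 'System Development Operations'
$MarkerKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\App'
$IrcServer   = 'r0x.fucklamerz.ru'
$IrcPort     = 3030

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped file: present at all, and does its MD5 match the described sample?
if (Test-Path -LiteralPath $DropPath) {
    $hash = (Get-FileHash -LiteralPath $DropPath -Algorithm MD5).Hash.ToLower()
    if ($hash -eq $ExpectedMd5) {
        $findings.Add("Dropped file $DropPath matches the described sample (MD5 $hash)")
    } else {
        $findings.Add("File $DropPath exists but MD5 $hash differs from the described sample; inspect it as a possible variant")
    }
}

# 2. Persistence: the Run value the trojan adds.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$RunValue]) {
    $findings.Add("Run value '$RunValue' = $($run.$RunValue)")
}

# 3. Infection marker under HKCU (note: HKCU here is the hive of the user
#    running this script, so run it as the user whose profile is suspect).
if (Test-Path -LiteralPath $MarkerKey) {
    $new = (Get-ItemProperty -Path $MarkerKey -ErrorAction SilentlyContinue).new
    if ($new -eq 'yes') { $findings.Add("Marker key $MarkerKey has new=yes") }
}

# 4. Safe Mode configuration: the trojan deletes the SafeBoot\Minimal and
#    SafeBoot\Network trees. On a healthy system both exist and are populated,
#    so a missing or empty tree is itself an indicator (and Safe Mode will not
#    work until the keys are restored). CurrentControlSet is checked as well as
#    the ControlSet001 path named in the description.
foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\$cs\Control\SafeBoot\$mode"
        if (-not (Test-Path -LiteralPath $key)) {
            $findings.Add("SafeBoot tree missing: $key")
        } elseif ((Get-ChildItem -LiteralPath $key).Count -eq 0) {
            $findings.Add("SafeBoot tree present but empty: $key")
        }
    }
}

# 5. Network: an established connection to the IRC port is worth a look.
#    Get-NetTCPConnection exists on Windows 8 / Server 2012 and later only,
#    hence the guard; netstat -ano is the fallback on older hosts.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -eq $IrcPort } |
        ForEach-Object {
            $findings.Add("Established TCP connection to $($_.RemoteAddress):$IrcPort from PID $($_.OwningProcess) (port used by the C2 server $IrcServer listed for this sample)")
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the TR/Devis.45056.22 description found.'
} else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A hit on the SafeBoot check alone does not prove this particular sample, since other malware families delete the same trees, but together with the Run value and the dropped file it is a strong match; in any case the SafeBoot keys must be restored from a known-good system of the same Windows version before Safe Mode can be used for cleanup.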

Process injection
It injects itself as a remote thread into a process.

   Process name:
   • explorer.exe


File details
Runtime packer:
To make detection harder and to reduce the file size, it is compressed with a runtime packer.

Description inserted by Ana Maria Niculescu on Friday, 1 October 2010
Description updated by Ana Maria Niculescu on Friday, 8 October 2010
