Ha bisogno di assistenza? Chieda alla community oppure consulti un esperto.
Vai ad Avira Answers
Nome del virus:WORM/Koobface.J
Scoperto:21/10/2010
Tipo:Worm
In circolazione (ITW):Si
Numero delle infezioni segnalate:Basso
Potenziale di propagazione:Basso
Potenziale di danni:Medio-Basso
File statico:Si
Dimensione del file:331.776 Byte
Somma di controllo MD5:77be30318b2cdcb8c9708ba1ef04f5c0
Versione VDF:7.10.05.230
Versione IVDF:7.10.13.15 - giovedì 21 ottobre 2010

 Generale Metodo di propagazione:
   • Nessuna propria procedura di propagazione


Alias:
   •  Kaspersky: Net-Worm.Win32.Koobface.hdz
   •  F-Secure: Net-Worm.Win32.Koobface.hdz
   •  Microsoft: Trojan:Win32/Koobface
   •  Eset: Win32/Koobface.NDI


Piattaforme / Sistemi operativi:
   • Windows 2000
   • Windows XP
   • Windows Vista
   • Windows 7


Effetti secondari:
   • Disattiva le applicazioni di sicurezza
   • Scarica un file “maligno”
   • Modifica del registro

 File Si copia alla seguente posizione:
   • %WINDIR%\andy138.exe



Vengono creati i seguenti file:

– File “non maligni”:
   • %WINDIR%\fdgg34353edfgdfdf
   • %WINDIR%\bk23567.dat

– C:\3.reg Riconosciuto come: TR/REG.Koobface.89

 Registro Viene aggiunta nel registro la seguente chiave con lo scopo di eseguire il processo dopo il riavvio:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "xuri49tkd"="%WINDIR%\andy138.exe"



I valori della seguente chiave di registro vengono rimossi:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "syspptray"=-
   • "sysfbtray"=-



Vengono aggiunte le seguenti chiavi di registro:

– [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
   • "DisableAntiSpyware"=dword:00000001

– [HKCR\Mime\Database\Content Type\application/xhtml+xml]
   • "CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"
   • "Extension"=".xml"
   • "Encoding"=hex:08,00,00,00

 Backdoor Contatta il server:
Tutti i seguenti:
   • 195.28.**********?action=fbgen&v=136&crc=669
   • 76.12.**********?action=fbgen&v=136&crc=669
   • 782cockta**********?action=fbgen&v=136&crc=669
   • 99**********?action=fbgen&v=136&crc=669
   • alimt**********?action=fbgen&v=136&crc=669
   • bigcoun**********?action=fbgen&v=136&crc=669
   • bizz**********?action=fbgen&v=136&crc=669
   • bmt**********?action=fbgen&v=136&crc=669
   • boxer**********?action=fbgen&v=136&crc=669
   • braitm**********?action=fbgen&v=136&crc=669
   • cedele**********?action=fbgen&v=136&crc=669
   • cfscons**********?action=fbgen&v=136&crc=669
   • christm**********?action=fbgen&v=136&crc=669
   • clarksh**********?action=fbgen&v=136&crc=669
   • counter.xtsd20**********?action=fbgen&v=136&crc=669
   • dancin**********?action=fbgen&v=136&crc=669
   • dip-a-d**********?action=fbgen&v=136&crc=669
   • djmu**********?action=fbgen&v=136&crc=669
   • draco-il**********?action=fbgen&v=136&crc=669
   • dreamch**********?action=fbgen&v=136&crc=669
   • ebesu**********?action=fbgen&v=136&crc=669
   • elect**********?action=fbgen&v=136&crc=669
   • emse**********?action=fbgen&v=136&crc=669
   • entertainme**********?action=fbgen&v=136&crc=669
   • eurobaustoff.marke**********?action=fbgen&v=136&crc=669
   • foods**********?action=fbgen&v=136&crc=669
   • frankne**********?action=fbgen&v=136&crc=669
   • godsho**********?action=fbgen&v=136&crc=669
   • gross**********?action=fbgen&v=136&crc=669
   • grupoc**********?action=fbgen&v=136&crc=669
   • hills**********?action=fbgen&v=136&crc=669
   • igles**********?action=fbgen&v=136&crc=669
   • indiana**********?action=fbgen&v=136&crc=669
   • infor**********?action=fbgen&v=136&crc=669
   • jugen**********?action=fbgen&v=136&crc=669
   • kerten**********?action=fbgen&v=136&crc=669
   • ledtlon**********?action=fbgen&v=136&crc=669
   • lene.aa**********?action=fbgen&v=136&crc=669
   • lifec**********?action=fbgen&v=136&crc=669
   • losek**********?action=fbgen&v=136&crc=669
   • mahjo**********?action=fbgen&v=136&crc=669
   • marios**********?action=fbgen&v=136&crc=669
   • mgmmdi**********?action=fbgen&v=136&crc=669
   • mswcon**********?action=fbgen&v=136&crc=669
   • my3boys.hittin**********?action=fbgen&v=136&crc=669
   • ottoma**********?action=fbgen&v=136&crc=669
   • pngse**********?action=fbgen&v=136&crc=669
   • polis**********?action=fbgen&v=136&crc=669
   • prostr**********?action=fbgen&v=136&crc=669
   • pvpont**********?action=fbgen&v=136&crc=669
   • raur**********?action=fbgen&v=136&crc=669
   • rdsch**********?action=fbgen&v=136&crc=669
   • rememberwhenohio.netf**********?action=fbgen&v=136&crc=669
   • renog**********?action=fbgen&v=136&crc=669
   • rentsa**********?action=fbgen&v=136&crc=669
   • s172760532.onl**********?action=fbgen&v=136&crc=669
   • s220405294.onlin**********?action=fbgen&v=136&crc=669
   • scambus**********?action=fbgen&v=136&crc=669
   • shann**********?action=fbgen&v=136&crc=669
   • silkroa**********?action=fbgen&v=136&crc=669
   • stellar**********?action=fbgen&v=136&crc=669
   • swimandscuba.netf**********?action=fbgen&v=136&crc=669
   • thecon**********?action=fbgen&v=136&crc=669
   • tommie**********?action=fbgen&v=136&crc=669
   • usedca**********?action=fbgen&v=136&crc=669
   • webster**********?action=fbgen&v=136&crc=669
   • welov**********?action=fbgen&v=136&crc=669
   • www.agap**********?action=fbgen&v=136&crc=669
   • www.aic**********?action=fbgen&v=136&crc=669
   • www.associaz**********?action=fbgen&v=136&crc=669
   • www.bastak**********?action=fbgen&v=136&crc=669
   • www.beauti**********?action=fbgen&v=136&crc=669
   • www.cayge**********?action=fbgen&v=136&crc=669
   • www.cheryl**********?action=fbgen&v=136&crc=669
   • www.edilt**********?action=fbgen&v=136&crc=669
   • www.heran**********?action=fbgen&v=136&crc=669
   • www.ilterrazzo**********?action=fbgen&v=136&crc=669
   • www.its-**********?action=fbgen&v=136&crc=669
   • www.limen**********?action=fbgen&v=136&crc=669
   • www.musi**********?action=fbgen&v=136&crc=669
   • www.oneonon**********?action=fbgen&v=136&crc=669
   • www.ricksmusi**********?action=fbgen&v=136&crc=669
   • www.sevenpi**********?action=fbgen&v=136&crc=669
   • www.suzann**********?action=fbgen&v=136&crc=669
   • www.tcab**********?action=fbgen&v=136&crc=669
   • www.vinfinit**********?action=fbgen&v=136&crc=669
   • xrysan**********?action=fbgen&v=136&crc=669
   • yanisl**********?action=fbgen&v=136&crc=669
   • yasary**********?action=fbgen&v=136&crc=669

Questo è fatto tramite il metodo HTTP POST utilizzando uno script PHP.


Capacità di controllo remoto:
    • Download di file

 Varie  Verifica la presenza di una connessione ad internet contattando il seguente sito web:
   • www.google.com

Descrizione inserita da Mihai Dilimot su venerdì 1 aprile 2011
Descrizione aggiornata da Mihai Dilimot su venerdì 1 aprile 2011

Indietro . . . .
https:// Questa finestra è criptata per tua sicurezza.