Virus name: Worm/Emerleox.K.1
Discovered: 18/05/2011
Type: Worm
In the wild (ITW): Yes
Number of reported infections: Low to medium
Spread potential: Low to medium
Damage potential: Low to medium
Static file: Yes
File size: 76,411 bytes
MD5 checksum: 51dfe512c014a9113d51b7802b8d0451
VDF version: 7.11.08.60 - Wednesday, 18 May 2011
IVDF version: 7.11.08.60 - Wednesday, 18 May 2011

General
Method of propagation:
   • Autorun feature


Aliases:
   •  Kaspersky: Worm.Win32.AutoRun.btp
   •  F-Secure: Worm.Win32.AutoRun.btp
   •  Bitdefender: Worm.Generic.82193
   •  GData: Worm.Generic.82193
   •  DrWeb: Win32.HLLW.Autoruner.1608


Platforms / Operating systems:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Exploits a software vulnerability
      •  CVE-2007-1204
      •  MS07-019

Files
It copies itself to the following locations:
   • %PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe
   • %drive%\owlstxm.exe
   • %PROGRAM FILES%\Common Files\System\qbbtqcy.exe
   • %PROGRAM FILES%\meex.exe



It deletes the initially executed copy of itself.



It deletes the following files:
   • %SYSDIR%\verclsid.exe
   • %PROGRAM FILES%\3.hiv
   • %PROGRAM FILES%\2.hiv
   • %PROGRAM FILES%\4.hiv
   • %PROGRAM FILES%\1.hiv



The following files are created:

– %drive%\autorun.inf: a "non-malicious" text file with the following content:
   • %code that runs malware%

– %PROGRAM FILES%\Common Files\Microsoft Shared\ngcxjsi.inf: a "non-malicious" text file with the following content:
   • %code that runs malware%

– %PROGRAM FILES%\Common Files\System\ngcxjsi.inf: a "non-malicious" text file with the following content:
   • %code that runs malware%

   • %SYSDIR%\verclsids.exe
   • %PROGRAM FILES%\1.hiv
   • %PROGRAM FILES%\3.hiv
   • %PROGRAM FILES%\2.hiv
   • %PROGRAM FILES%\4.hiv



It tries to execute the following files:

– Filename:
   • %PROGRAM FILES%\Common Files\System\qbbtqcy.exe


– Filename:
   • %PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe


– Filename:
   • cmd /c echo Y| cacls %PROGRAM FILES%\meex.exe /t /g everyone:F


– Filename:
   • %SYSDIR%\cmd.exe /S /D /c" echo Y"


– Filename:
   • cmd /c echo Y| cacls %PROGRAM FILES%\dld.dat /t /g everyone:F

Registry
The values of the following registry key are removed:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • AVP
   • KVMON
   • ngcxjsi
   • owlstxm



The following registry keys are added:

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\CCenter.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\irsetup.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVStart.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\scan32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxAgent.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQSC.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\PFWLiveUpdate.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVPFW.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mmqczj.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360Safe.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mmsk.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVCenter.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\adam.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavTask.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavMonD.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKCU\Software\hvnl]
   • "owlstxm"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVMonXP_1.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QHSET.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KMFilter.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Trojanwall.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\shcfg32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvolself.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KWatch.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KPFW32X.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\IceSword.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Iparmor.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RsAgent.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MagicSet.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\vsstat.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AvMonitor.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UpLive.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQKav.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxFwHlp.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ArSwp.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FileDsty.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360rpt.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KWatchX.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVScan.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\isPwdSvc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SysSafe.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Rsaupd.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Navapw32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KMailMon.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\EGHOST.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\WoptiClean.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\Hidden\SHOWALL]
   • "CheckedValue"=dword:0x00000001

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AST.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVPF.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KWatch9x.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rfwmain.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\runiep.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Rav.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\safelive.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FTCleanerShell.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVSrvXP.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavStub.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KASTask.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avp.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rstrui.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\PFW.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AppSvc32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KvXP_1.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\zjb.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\loaddll.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KISLnchr.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SmartUp.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KvXP.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AvastU3.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\nod32krn.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UIHost.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ghost.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KRegEx.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVStub.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KPfwSvc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rfwcfg.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxCfg.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KASMain.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVSetup.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\USBCleaner.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
   • "NoDriveTypeAutoRun"=dword:0x00000091

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcconsol.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KvReport.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\NPFMntor.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\symlcsvc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avconsol.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\nod32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\webscanx.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TrojanDetector.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVDX.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVMonXP.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvupload.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avp.com]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Ras.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KaScrScn.SCR]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\upiea.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RegClean.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAV32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\HijackThis.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avgrssvc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\iparmo.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FYFireWall.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\nod32kui.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360tray.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TrojDie.kxp]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KvDetect.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KvfwMcl.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxAttachment.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvol.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ccSvcHst.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KsLoader.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKCU\Software\edwv]
   • "ngcxjsi"="%PROGRAM FILES%\Common Files\System\qbbtqcy.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvwsc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\autoruns.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KRepair.com]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UmxPol.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KPFW32.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SREng.EXE]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\QQDoctor.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AgentSvr.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavMon.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kabaload.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Navapsvc.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rfwsrv.exe]
   • "Debugger"="%PROGRAM FILES%\Common Files\Microsoft Shared\hasybbc.exe"



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   New value:
   • "Type"="checkbox2"

– [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
   New value:
   • "Start"=dword:0x00000004

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "ShowSuperHidden"=dword:0x00000000

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   New value:
   • "Start"=dword:0x00000004

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\Hidden\SHOWALL]
   New value:
   • "Type"="radio"
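The registry changes listed above (the Image File Execution Options "Debugger" redirections, the disabled wuauserv and SharedAccess services, NoDriveTypeAutoRun and ShowSuperHidden) can be audited read-only with the following PowerShell script. This is an added example, not part of the Avira description; the key paths and values are taken from the description, the function names are assumptions of this example.

```powershell
# Added example: audit the registry locations modified by Worm/Emerleox.K.1.
# Read-only; run from an elevated PowerShell so HKLM subkeys are readable.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerEntries {
    # Lists every IFEO subkey that carries a "Debugger" value. A Debugger value
    # makes Windows start that program instead of the named image, which is how
    # the worm blocks security tools. Legitimate entries exist (developer
    # debuggers), so review each hit; the worm's pattern is many images all
    # pointing at one executable under "Common Files\Microsoft Shared".
    Get-ChildItem -Path $IfeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image    = $_.PSChildName
                Debugger = $dbg
                OnDisk   = Test-Path -LiteralPath $dbg   # redirect target still present?
            }
        }
    }
}

function Get-SecuritySettingChanges {
    # Values the description lists as added/changed, with the value the worm sets.
    $checks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv';    Name = 'Start'; Bad = 4 }    # Windows Update disabled
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'; Name = 'Start'; Bad = 4 }    # Windows Firewall/ICS disabled
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Bad = 0x91 }
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Bad = 0 }
    )
    foreach ($c in $checks) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Key          = $c.Path
            Value        = $c.Name
            Current      = $current
            MatchesWorm  = ($null -ne $current -and $current -eq $c.Bad)
        }
    }
}

Get-IfeoDebuggerEntries | Format-Table -AutoSize
Get-SecuritySettingChanges | Where-Object MatchesWorm | Format-Table -AutoSize
```

A Debugger value that is a bare executable name (such as a development debugger registered without a path) will show OnDisk as False; that is expected and not by itself a sign of infection.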

Miscellaneous
Accesses Internet resources:
   • http://union.is123.com/**********
   • http://www.is123.com/admin/**********


Mutexes:
It creates the following mutexes:
   • ]TMU%50>IA?4>6?
   • Y*J-ONE
   • Y*J-TWO

File details
Programming language:
The malware was written in Delphi.


Packer:
To hinder detection and reduce the file size, it is compressed with a runtime packer.

Description inserted by Petre Galan on Thursday, 16 June 2011
Description updated by Petre Galan on Thursday, 16 June 2011
