Ha bisogno di assistenza? Chieda alla community oppure consulti un esperto.
Vai ad Avira Answers
Virus:Worm/Autorun.232455
Date discovered:19/02/2010
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:232.455 Bytes
MD5 checksum:40f959ed759dabe1980e66539fa0e06c
IVDF version:7.10.04.104 - Friday, February 19, 2010

 General Methods of propagation:
   • Autorun feature
   • Local network
   • Messenger


Aliases:
   •  Sophos: Troj/Nyrate-L
   •  Panda: Trj/Buzus.LJ
   •  Eset: Win32/AutoRun.IRCBot.DZ
   •  Bitdefender: Backdoor.Tofsee.Gen


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Third party control

 Files It copies itself to the following locations:
   • %drive%\conime.exe
   • %SYSDIR%\wcoredk.exe



It overwrites a file.
%SYSDIR%\drivers\etc\hosts



It deletes the initially executed copy of itself.



The following file is created:

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%




It tries to download a file:

– The location is the following:
   • http://secure.ultrah0stint24.org.uk/net/**********




It tries to executes the following files:

– Filename:
   • ipconfig /flushdns


– Filename:
   • sc delete acssrv


– Filename:
   • net stop SAVService


– Filename:
   • sc stop SAVService


– Filename:
   • net1 stop SAVService


– Filename:
   • sc config SavService start= disabled


– Filename:
   • sc delete SAVService


– Filename:
   • net stop SAVAdminService


– Filename:
   • sc stop SAVAdminService


– Filename:
   • sc config SAVAdminService start= disabled


– Filename:
   • net1 stop SAVAdminService


– Filename:
   • sc delete K7TSMngr


– Filename:
   • sc delete SAVAdminService


– Filename:
   • net stop "Sophos AutoUpdate Service"


– Filename:
   • sc stop "Sophos AutoUpdate Service"


– Filename:
   • sc config "Sophos AutoUpdate Service" start= disabled


– Filename:
   • net1 stop "Sophos AutoUpdate Service"


– Filename:
   • sc delete "Sophos AutoUpdate Service"


– Filename:
   • net stop "Sophos Client Firewall"


– Filename:
   • sc stop "Sophos Client Firewall"


– Filename:
   • sc config "Sophos Client Firewall" start= disabled


– Filename:
   • net1 stop "Sophos Client Firewall"


– Filename:
   • net stop "avast! Antivirus"


– Filename:
   • sc delete "Sophos Client Firewall"


– Filename:
   • net stop "Sophos Client Firewall Manager"


– Filename:
   • sc stop "Sophos Client Firewall Manager"


– Filename:
   • net1 stop "Sophos Client Firewall Manager"


– Filename:
   • sc config "Sophos Client Firewall Manager" start= disabled


– Filename:
   • sc delete "Sophos Client Firewall Manager"


– Filename:
   • sc stop "avast! Antivirus"


– Filename:
   • sc config "avast! Antivirus" start= disabled


– Filename:
   • net1 stop "avast! Antivirus"


– Filename:
   • sc delete "avast! Antivirus"


– Filename:
   • net stop AntiVirService


– Filename:
   • sc stop AntiVirService


– Filename:
   • sc config AntiVirService start= disabled


– Filename:
   • net1 stop AntiVirService


– Filename:
   • net stop K7RTScan


– Filename:
   • sc delete AntiVirService


– Filename:
   • net stop PASRV


– Filename:
   • sc stop PASRV


– Filename:
   • net1 stop PASRV


– Filename:
   • sc config PASRV start= disabled


– Filename:
   • sc delete PASRV


– Filename:
   • net stop VSSERV


– Filename:
   • sc stop VSSERV


– Filename:
   • sc config VSSERV start= disabled


– Filename:
   • net1 stop VSSERV


– Filename:
   • sc stop K7RTScan


– Filename:
   • sc delete VSSERV


– Filename:
   • net stop avg8wd


– Filename:
   • sc stop avg8wd


– Filename:
   • net1 stop avg8wd


– Filename:
   • sc config avg8wd start= disabled


– Filename:
   • sc delete avg8wd


– Filename:
   • net stop avg9wd


– Filename:
   • sc stop avg9wd


– Filename:
   • sc config avg9wd start= disabled


– Filename:
   • net1 stop avg9wd


– Filename:
   • sc config K7RTScan start= disabled


– Filename:
   • sc delete avg9wd


– Filename:
   • net stop NOD32krn


– Filename:
   • sc stop NOD32krn


– Filename:
   • net1 stop NOD32krn


– Filename:
   • sc config NOD32krn start= disabled


– Filename:
   • sc delete NOD32krn


– Filename:
   • net stop ekrn


– Filename:
   • sc stop ekrn


– Filename:
   • net1 stop ekrn


– Filename:
   • sc config ekrn start= disabled


– Filename:
   • net1 stop K7RTScan


– Filename:
   • sc delete ekrn


– Filename:
   • net stop McShield


– Filename:
   • sc stop McShield


– Filename:
   • net1 stop McShield


– Filename:
   • sc config McShield start= disabled


– Filename:
   • sc delete McShield


– Filename:
   • net stop OutpostFirewall


– Filename:
   • sc stop OutpostFirewall


– Filename:
   • net1 stop OutpostFirewall


– Filename:
   • sc config OutpostFirewall start= disabled


– Filename:
   • sc delete K7RTScan


– Filename:
   • sc delete OutpostFirewall


– Filename:
   • net stop TmPfw


– Filename:
   • sc stop TmPfw


– Filename:
   • sc config TmPfw start= disabled


– Filename:
   • net1 stop TmPfw


– Filename:
   • sc delete TmPfw


– Filename:
   • net stop KPF4


– Filename:
   • sc stop KPF4


– Filename:
   • net1 stop KPF4


– Filename:
   • sc config KPF4 start= disabled


– Filename:
   • net stop K7TSMngr


– Filename:
   • sc delete KPF4


– Filename:
   • net stop SmcService


– Filename:
   • sc stop SmcService


– Filename:
   • sc config SmcService start= disabled


– Filename:
   • net1 stop SmcService


– Filename:
   • sc delete SmcService


– Filename:
   • net stop cmdAgent


– Filename:
   • sc stop cmdAgent


– Filename:
   • net1 stop cmdAgent


– Filename:
   • sc config cmdAgent start= disabled


– Filename:
   • sc stop K7TSMngr


– Filename:
   • sc delete cmdAgent


– Filename:
   • net stop vsmon


– Filename:
   • sc stop vsmon


– Filename:
   • sc config vsmon start= disabled


– Filename:
   • net1 stop vsmon


– Filename:
   • sc delete vsmon


– Filename:
   • net stop SbPF.Launcher


– Filename:
   • sc stop SbPF.Launcher


– Filename:
   • sc config SbPF.Launcher start= disabled


– Filename:
   • net1 stop SbPF.Launcher


– Filename:
   • sc config K7TSMngr start= disabled


– Filename:
   • sc delete SbPF.Launcher


– Filename:
   • net stop SPF4


– Filename:
   • sc stop SPF4


– Filename:
   • net1 stop SPF4


– Filename:
   • sc config SPF4 start= disabled


– Filename:
   • sc delete SPF4


– Filename:
   • net stop acssrv


– Filename:
   • sc stop acssrv


– Filename:
   • net1 stop acssrv


– Filename:
   • sc config acssrv start= disabled


– Filename:
   • net1 stop K7TSMngr

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "conime.exe"="conime.exe"



The following registry keys including all values and subkeys are removed:
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]



It creates the following entries in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\wcoredk.exe"="%SYSDIR%\wcoredk.exe:*:Enabled:LAN Router"



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Security Center]
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "AntiVirusOverride"=dword:0x00000001
   • "FirewallDisableNotify"=dword:0x00000001
   • "FirewallOverride"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\conime.exe]
   • "Debugger"="wcoredk.exe"

– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   • "DisableConfig"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\
   Layers]
   • "%SYSDIR%\wcoredk.exe"="DisableNXShowUI"

– [HKLM\SOFTWARE\Policies\Microsoft\MRT]
   • "DontReportInfectionInformation"=dword:0x00000001



The following registry keys are changed:

– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
   New value:
   • "Start"=dword:0x00000004

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   New value:
   • "CheckedValue"=dword:0x00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "Hidden"=dword:0x00000002

 Messenger It is spreading via Messenger. The characteristics are described below:

– MSN Messenger
– Yahoo Messenger

The URL then refers to a copy of the described malware. If the user downloads and executes this file the infection process will start again.

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.


Exploit:
It makes use of the following Exploits:
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnerability in Server Service)


IP address generation:
It creates random IP addresses while it keeps the first two octets from its own address. Afterwards it tries to establish a connection with the created addresses.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: ns57.h0std3di4you41.**********.uk
Port: 41040
Channel: #ops
Nickname: N|USA|VN-2C|0|XP|%number%

 Hosts The host file is modified as explained:

– Access to the following domains are redirected to other destinations:
   • msnfix.changelog.fr; www.incodesolutions.com; virusinfo.prevx.com;
      download.bleepingcomputer.com; www.dazhizhu.cn; foro.noticias3d.com;
      www.spybotupdates.com; club.myce.com; www.k7computing.com;
      softwaresecuritysolutions.com; www.nabble.com; lurker.clamav.net;
      lexikon.ikarus.at; research.sunbelt-software.com; www.virusdoctor.jp;
      www.elitepvpers.de; guru.avg.com; downloads.sophos.com;
      share.skype.com; myantispyware.com; www.computerhilfen.de;
      www.superuser.co.kr; ntfaq.co.kr; v.dreamwiz.com; cit.kookmin.ac.kr;
      forums.whatthetech.com; forum.hijackthis.de; avg.vo.llnwd.net;
      ftp.drweb.com; www.zonealarm.com; smadaver.com; support.emsisoft.com;
      psychoski.blogspot.com; www.huaifai.go.th; www.mostz.com;
      www.krupunmai.com; www.cddchiangmai.net; forum.malekal.com;
      tech.pantip.com; sapcupgrades.com; www.elguruinformatico.com;
      forums.avg.com; zastita.com; support.kaspersky.com;
      foro.msgpluslive.es; www.247fixes.com; forum.sysinternals.com;
      forum.telecharger.01net.com; sophos.com; foros.softonic.com;
      avast-home.uptodown.com; dr-web-cureit.softonic.com; heavenward.ru;
      forum.smadav.net; www.forum.kaspersky.com; www.dl4all.com;
      www.f-secure.com; www.chkrootkit.org; diamondcs.com.au;
      www.rootkit.nl; www.sysinternals.com; z-oleg.com;
      espanol.dir.groups.yahoo.com; ftp01net.telechargement.fr;
      modelayu.com; vaksin.com; bbs.kaspersky.com.cn; www.castlecrops.com;
      www.misec.net; safecomputing.umn.edu; www.antirootkit.com;
      www.greatis.com; ar.answers.yahoo.com; www.elhacker.org;
      research.pandasecurity.com; www.tpu.ro; www.pinoyden.com;
      forum.avira.de; www.tanya-it.com; www.rootkit.com; www.pctools.com;
      www.pcsupportadvisor.com; www.resplendence.com; www.personal.psu.edu;
      foro.ethek.com; foro.elhacker.net; download.zonealarm.com;
      spywarehammer.com; www.codelain.com; www.thaicert.org; vil.nail.com;
      search.mcafee.com; wwww.mcafee.com; download.nai.com;
      wwww.experts-exchange.com; www.bakunos.com; www.darkclockers.com;
      www2.gmer.net; ariefew.com; www.emsisoft.com; forum.romeonet.ro;
      www.arenajunkies.com; www.Merijn.org; www.spywareinfo.com;
      www.spybot.info; www.viruslist.com; www.hijackthis.de;
      ftp.f-secure.com; forum.kaspersky.com; es.trendmicro-europe.com;
      www.hvaonline.net; forum.lowyat.net; kb.eset.com; www.pcwelt.de;
      majorgeeks.com; www.avp.com; www.virustotal.com; www.sophos.com;
      linhadefensiva.uol.com.br; cmmings.cn; www.sergiwa.com;
      www.el-hacker.com; dl2.agnitum.com; forum.smadav.net;
      images.malwareremoval.com; front.prevx.com; www.avg-antivirus.net;
      www.kaspersky-labs.com; www.kaspersky.com; www.bleepingcomputer.com;
      www.free.grisoft.com; alerta-antivirus.inteco.es; greatis.com;
      www.oprekpc.com; www.gmer.net; forum.kasperskyclub.com;
      computadoras.migold.com; securityresponse.symantec.com;
      www.analysis.seclab.tuwien.ac.at; www.symantec.com; www.kztechs.com;
      ad-aware-se.uptodown.com; stdio-labs.blogspot.com; forum.lrytas.lt;
      www.decido.de; wap.elakiri.com; ot-indo.blogspot.com;
      liveupdate.symantecliveupdate.com; liveupdate.symantec.com;
      customer.symantec.com; update.symantec.com; www.box.net;
      foro.el-hacker.com; acs.pandasoftware.com; egavisa.blogspot.com;
      angui123.cn; beta.eset.com; www.ixtorrent.com; www.mcafee.com;
      download.mcafee.com; mast.mcafee.com; www.tecno-soft.com;
      ladooscuro.es; ftp.drweb.com; download.microsoft.com;
      www.mypcsafe.com; www.blindedbytech.com; kaspersky.com;
      sis-admin.blogspot.com; www.protecus.de; guru0.grisoft.cz;
      guru1.grisoft.cz; guru2.grisoft.cz; guru3.grisoft.cz;
      download.bleepingcomputer.com; it.answers.yahoo.com; www.softonic.com;
      www.mycity.rs; cairopt.net; rootrepeal.googlepages.com;
      www.windowexe.com; guru4.grisoft.cz; guru5.grisoft.cz;
      www.virusspy.com; download.f-secure.com; www.malwareremoval.com;
      forums.cnet.com; foros.softonic.com; www.freedrweb.com; www.kaskus.us;
      rootrepeal.psikotick.com; thaicert.nectec.or.th;
      hjt-data.trend-braintree.com; www.pantip.com; secubox.aldria.com;
      www.forospyware.com; www.manuelruvalcaba.com; www.zonavirus.com;
      www.leforo.com; www.gsmph.com; blokvesti.net; www.viprasys.org;
      forum.antivir-pe.de; www.siteadvisor.com; blog.threatfire.com;
      www.threatexpert.com; blog.hispasec.com; www.configurarequipos.com;
      sosvirus.changelog.fr; www.psicofxp.com; www.gsmph.net;
      www.gyakorikerdesek.hu; us.mcafee.com; www.malekal.com;
      mailcenter.rising.com.cn; mailcenter.rising.com; www.rising.com.cn;
      www.rising.com; www.babooforum.com.br; www.runscanner.net;
      www.blogschapines.com; www.zyzoom.org; www.avsoft.ru; www.elakiri.com;
      forum.telecharger.01net.com; sosvirus.changelog.fr;
      upload.changelog.fr; www.raymond.cc; changelog.fr; www.pcentraide.com;
      atazita.blogspot.com; www.thinkpad.cn; www.sunbeltsoftware.com;
      cert.inteco.es; www.gamexeon.com; nod32-antivirus.en.softonic.co;
      www.final4ever.com; files.filefont.com; www.infos-du-net.com;
      www.trendsecure.com; forum.hardware.fr; www.utilidades-utiles.com;
      blogs.icerocket.com; www.spywarefri.dk; alfrasha.maktoob.com;
      www.eset.eu; quickscan.bitdefender.com; www.spychecker.com;
      www.geekstogo.com; forums.maddoktor2.com; www.smokey-services.eu;
      www.clubic.com; www.linhadefensiva.org; www.rolandovera.com;
      forum.burek.com; secure.sophos.com; usa.kaspersky.com;
      board.softpedia.com; download.sysinternals.com; www.pcguide.com;
      www.thetechguide.com; www.ozzu.com; www.changedetection.com;
      espanol.groups.yahoo.com; www.sunbeltsecurity.com;
      www.quickheal.co.in; www.vivalared.com; thailand.itmylike.com;
      community.thaiware.com; www.avpclub.ddns.info;
      www.offensivecomputing.net; www.grisoft.com; boardreader.com;
      www.guiadohardware.net; www.webroot.com; www.thehelper.net;
      www.kaldata.com; vil.nai.com; www.malwarecrypt.com;
      www.msnvirusremoval.com; www.cisrt.org; fixmyim.com; samroeng.hi5.com;
      foro.elhacker.net; www.daboweb.com; service1.symantec.com;
      us3.download.comodo.com; forum.gsmhosting.com; www.computerforum.com;
      forum.avast.com; forums.techguy.org; www.incodesolutions.com;
      hijackthis.download3000.com; www.cybertechhelp.com;
      www.superdicas.com.br; www.51nb.com; us4.download.comodo.com;
      www.jbtalks.cc; ad13.geekstogo.com; forums.eternion-wow.com;
      downloads.andymanchesta.com; andymanchesta.com; info.prevx.com;
      aknow.prevx.com; www.zonavirus.com; securitywonks.net;
      www.yoreparo.com; www.spywarecease.com; forum.dobreprogramy.pl;
      community.mcafee.com; board.protecus.de; www.lavasoft.com;
      www.virscan.org; www.eeload.com; down.www.kingsoft.com; www.file.net;
      onecare.live.com; mvps.org; www.laneros.com; www.pc1news.com;
      forum.avira.com; downloads.novirusthanks.org; www.pinoyhackers.com;
      www.housecall.trendmicro.com; www.avast.com; www.free.avg.com;
      www.onlinescan.avast.com; www.ewido.net; www.trucoswindows.net;
      www.mozilla-hispano.org; www.jackbloodforum.com;
      www.kosandpol.elakiri.com; www.thaivisa.com;
      www.futurenow.bitdefender.com; www.bitdefender.com; www.f-prot.com;
      www.trendsecure.com; security.symantec.com; oldtimer.geekstogo.com;
      sopiansantosa.blogspot.com; www.fileresearchcenter.com;
      www.looktr.com; www.zone-it.com; www.avira.com; www.eset.com;
      free.avg.com; www.free-av.com; kr.ahnlab.com; www.eset.com;
      forospyware.com; thejokerx.blogspot.com; cairopt.net;
      oolbar.cyberdefender.com; golpe.dyndns.org; forum.aiutamici.com;
      www.2-spyware.com; www.antivir.es; www.prevx.com; www.ikarus.net;
      bbs.s-sos.net; www.housecall.trendmicro.com; www.superdicas.com.br;
      www.superantispyware.com; www.unhackme.com; www.askmehelpdesk.com;
      forum.zebulon.fr; www.forums.majorgeeks.com; www.castlecops.com;
      www.virusspy.com; andymanchesta.com; www.kaspersky.es;
      subs.geekstogo.com; www.forospanish.com; blog.rnsafe.com;
      www.regrun.com; irc.snahosting.net; danielorza.net;
      www.trendmicro.com; www.fortinet.com; www.safer-networking.org;
      www.fortiguardcenter.com; www.dougknox.com; www.vsantivirus.com;
      static.commentcamarche.net; www.gyakorikerdesek.hu; www.fixya.com;
      www.alabamawomen.org; www.firewallguide.com; www.auditmypc.com;
      www.spywaredb.com; www.mxttchina.com; www.ziggamza.net;
      www.forospyware.es; pogonyuto.forospanish.com; spywarefiles.prevx.com;
      k2r.th3kings.net; www.betterantivirus.com; www.antivirus.comodo.com;
      www.spywareterminator.com; www.eradicatespyware.net;
      www.freespywareremoval.info; www.personalfirewall.comodo.com;
      wakoopa.com; forum.drweb.com; bb1.th3kings.net;
      www.commentcamarche.net; www.clamav.net; www.antivirus.about.com;
      www.pandasecurity.com; www.webphand.com; mx.answers.yahoo.com;
      www.securitywonks.net; www.messengeradictos.com; www.geekpolice.net;
      bub.th3kings.net; shield.prevx.com; www.sandboxie.com;
      www.clamwin.com; www.cwsandbox.org; www.ca.com; www.arswp.com;
      es.answers.yahoo.com; www.trucoswindows.es; www.ipaddresser.com;
      www.abgenis.net; www.freefixer.com; forums.afterdawn.com;
      forum.torrents.ro; www.networkworld.com; www.cddchiangmai.net;
      www.threatexpert.com; www.norman.com; espanol.answers.yahoo.com;
      www.tallemu.com; foro.portalhacker.net; www.groupwhere.org;
      sniff.runescapetube.com; forum.p30world.com; virscan.org;
      www.viruschief.com; scanner.virus.org; www.hijackthis.de;
      housecall65.trendmicro.com; www.guiadohardware.net;
      forums.whatthetech.com; mustlovewine.com; www3.malekal.com;
      esetnod32antivirus.blogspot.com; hjt.networktechs.com;
      www.techsupportforum.com; www.whatthetech.com; www.soccersuck.com;
      www.pcentraide.com; comunidad.wilkinsonpc.com.co; forum.hocit.com;
      forum.smadav.net; fgp.e2doo.com; community.thaiware.com;
      forum.piriform.com; www.tweaksforgeeks.com; www.daniweb.com;
      www.geekstogo.com; es.answers.yahoo.com; www.techsupportforum.com;
      dnl-eu8.kaspersky-labs.com; www.oprekpc.com; shv4.ath.cx;
      www.pcworld.com; in.answers.yahoo.com; www.pchell.com; www.spyany.com;
      forums.techguy.org; www.experts-exchange.com; www.wikio.es;
      www.pandasecurity.com; forums.devshed.com;
      devbuilds.kaspersky-labs.com; hana-ahmad.blogspot.com;
      www.linkmania.ro; forum.tweaks.com; www.wilderssecurity.com;
      www.techspot.com; www.thecomputerpitstop.com; es.wasalive.com;
      secunia.com; www.killtrojan.net; www.ulop.net; www.eliters.com;
      sip4.voipkosovasite.com; www.ftw.ro; es.kioskea.net; www.taringa.net;
      www.cyberdefender.com; www.feedage.com; new.taringa.net;
      forum.zazana.com; forum.clubedohardware.com.br; mks.com.pl;
      www.vietcaravan.us; trbotnet.sytes.net; community.norton.com;
      www.computing.net; discussions.virtualdr.com;
      forum.securitycadets.com; www.techimo.com; 13iii.com;
      www.dicasweb.com.br; www.javacoolsoftware.net; cofradia.org;
      wasteland-bg.com; www.windowexe.com; malekal.com;
      www.infosecpodcast.com; www.usbcleaner.cn; www.net-security.org;
      www.bleedingthreats.net; acs.pandasoftware.com; www.funkytoad.com;
      malwarebytes.org; sabithpocker.blogspot.com; comprolive.vox.com;
      www.worton.com; www.360safe.cn; www.360safe.com; bbs.360safe.cn;
      bbs.360safe.com; codehard.wordpress.com; forum.clubedohardware.com.br;
      antitrick.com; www.configurarequipos.com; www.jiwang.org;
      anti-virus-software-review.toptenreviews.com; www.360.cn; www.360.com;
      bbs.360safe.cn; bbs.360safe.com; www.forospyware.es;
      p3dev.taringa.net; www.precisesecurity.com; dlpe.antivir.com;
      www.jvme.com; share.skype.com; comprolive.com; gotoknow.org;
      www.forofantasiasmiguel.com; baike.360.cn; baike.360.com; kaba.360.cn;
      kaba.360.com; deckard.geekstogo.com; www.taringa.net;
      forums.comodo.com; www.mvps.org; melcy.wordpress.com;
      forum.softpedia.com; pcvids.wordpress.com; shop.symantecstore.com;
      down.360safe.cn; down.360safe.com; x.360safe.com; dl.360safe.com;
      ftp.drweb.com; www.hotshare.net; es.wasalive.com; free.antivirus.com;
      forum.hocit.com; destavision-forum.com; inspiresoft.blogspot.com;
      universomanualidades.foroactivo.com; updatem.360safe.com;
      updatem.360safe.cn; update.360safe.cn; update.360safe.com;
      www.utilidades-utiles.com; forum.kaspersky.com;
      www.indowebster.web.id; zastita.com; www.sz-pet.com;
      foros.abcdatos.com; www.elektroda.pl; bbs.duba.net; www.duba.net;
      zhidao.baidu.com; hi.baidu.com; www.drweb.com.es;
      msncleaner.softonic.com; www.javacoolsoftware.com;
      beniono.wordpress.com; www.4-gsmteam.com; msntubers.freehostia.com;
      store.norton.com; file.ikaka.com; file.ikaka.cn; bbs.ikaka.com;
      zhidao.ikaka.com; www.eset-la.com; download.eset.com;
      software-files.download.com; www.faravirusi.com; www.winbots.es;
      forum.chip.de; www.thailandsusu.com; www.ikaka.com; www.ikaka.cn;
      bbs.cfan.com.cn; www.cfan.com.cn; www.pandasecurity.com;
      es.mcafee.com; downloads.malwarebytes.org; www.devirusare.com;
      forum.skype.com; shitit.net; www.webimmune.net; forum.swzone.it;
      bbs.kafan.cn; bbs.kafan.com; bbs.kpfans.com; bbs.taisha.org;
      www.manuelruvalcaba.com; support.f-secure.com; bbs.winzheng.com;
      devirusare.com; social.microsoft.com; www.shitit.net;
      mx.answers.yahoo.com; alerta-antivirus.inteco.es; foros.zonavirus.com;
      alerta-antivirus.red.es; www.zonavirus.com; www.malwarebytes.org;
      www.commentcamarche.net; news.support.veritas.com; www.zonealarm.com;
      malwarebytes-anti-malware.softonic.com; www.ewido.net;
      www.infospyware.com; www.bitdefender.es; housecall.trendmicro.com;
      foros.toxico-pc.com; www.identi.es; es.kioskea.net; virusinfo.info;
      forums.zonealarm.com; foro.infiernohacker.com; www.emsisoft.de;
      www.securitynewsportal.com; irc.ekizmedia.com; zone.arminboutique.com;
      story.dnsentrymx.com


 Process termination List of processes that are terminated:
   • MSMPENG.EXE; MSASCUI.EXE; GUARDXKICKOFF.EXE; GUARDXSERVICE.EXE;
      VIRUSUTILITIES.EXE; VBA32-PERSONAL-LATEST-ENGLISH.EXE;
      TrendMicro_TISPro_16.1_1063_x32.EXE; WITSETUP.EXE; AVINSTALL.EXE;
      K7TS_SETUP.EXE; P08PROMO.EXE; ISSDM_EN_32.EXE; VIPRE.EXE;
      UNLOCKER.EXE; UNLOCKERASSISTANT.EXE; UNLOCKER1.8.7.EXE;
      REGUNLOCKER.EXE; COMPAQ_PROPIETARIO.EXE; ATF-CLEANER.EXE;
      SAFEBOOTKEYREPAIR.EXEOTMOVEIT3.EXEHOSTSXPERT.EXEDAFT.EXE; VIRUS.EXE;
      HIJACK-THIS.EXE; MRT.EXE; MRTSTUB.EXE; WINDOWS-KB890930-V2.2.EXE;
      HJ.EXE; ELISTA.EXE; PENCLEAN.EXE; MBAM-SETUP.EXE; MBAM.EXE; AVZ.EXE;
      JAJA.EXE; OTMOVEIT.EXEMBAM-SETUP.EXE; REGMON.EXE; COMBO-FIX.EXE;
      COMBOFIX.BAT; COMBOFIX.SCR; COMBOFIX.COM; NTVDM.EXE; GUARD.EXE;
      LISTO.EXE; TCPVIEW.EXE; REGEDIT.COM; REGEDIT.SCR; FOLDERCURE.EXE;
      KILLAUTOPLUS.EXE; MYPHOTOKILLER.EXE; REG.EXE; TASKKILL.EXE;
      AUTORUNS.EXE; SRENGPS.EXE; COMBOFIX.EXE; SDFIX.EXE; CATCHME.EXE;
      GMER.EXE; MBR.EXE; CF9409.EXE;
      REGUNLOCKER.EXETSNTEVAL.EXEXP_TASKMGRENAB.EXE; SUPERANTISPYWARE.EXE;
      BOOTSAFE.EXE; SRESTORE.EXE; MSNCLEANER.EXE; BUSCAREG.EXE;
      KAKASETUPV6.EXE; SUPERKILLER.EXE; DUBATOOL_AV_KILLER.EXE;
      DELAYDELFILE.EXE; SEEM.EXE; BC5CA6A.EXE; ROOTALYZER.EXE;
      ROOTKITBUSTER.EXE; HELIOS.EXE; DARKSPY105.EXE; HOOKANLZ.EXE;
      PAVARK.EXE; SRENGLDR.EXE; APORTS.EXE; FPORT.EXE; PORTDETECTIVE.EXE;
      PORTMONITOR.EXE; NETSTAT.EXE; OLLYDBG.EXE; HJTINSTALL.EXE;
      HJTSETUP.EXE; HIJACKTHIS_SFX.EXE; HIJACKTHIS.EXE; HIJACKTHIS_V2.EXE;
      MSNFIX.EXE; PROCEXP.EXE; TASKMAN.EXE; TASKLIST.EXE; TASKMON.EXE;
      PSKILL.EXE; ROOTKITREVEALER.EXE; FSBL.EXE; FSB.EXE; AVGARKT.EXE;
      ROOTKIT_DETECTIVE.EXE; UNHACKME.EXE; HACKMON.EXE; RKD.EXE;
      ROOTKITNO.EXE; REANIMATOR.EXE; HOOKANLZ.EXE; ROOTREPEAL.EXE;
      ICESWORD.EXE; LORDPE.EXE; PG2.EXE; PROCDUMP.EXE; PROCESSMONITOR.EXE;
      SPYBOTSD160.EXE; TEATIMER.EXE; SPYBOTSD.EXE; WIRESHARK.EXE; APM.EXE;
      APT.EXE; ASVIEWER.EXE; CPORTS.EXE; CPROCESS.EXE; DLLCOMPARE.EXE;
      A2HIJACKFREESETUP.EXE; EULALYZERSETUP.EXE; FILEALYZ.EXE; FILEFIND.EXE;
      FIXPATH.EXE; HOSTSFILEREADER.EXE; IEFIX.EXE; AVENGER.EXE;
      INSTALLWATCHPRO25.EXE; KILLBOX.EXE; NETALYZ.EXE; OBJMONSETUP.EXE;
      PGSETUP.EXE; FIXBAGLE.EXE; CUREIT.EXE; PROCMON.EXE;
      PROJECTWHOISINSTALLER.EXE; REGALYZ.EXE; REGCOOL.EXE;
      REGISTRAR_LITE.EXE; REGSCANNER.EXE; REGSHOT.EXE; REGX2.EXE; SPF.EXE;
      SRENGLDR.EXE; STARTDRECK.EXE; SYSANALYZER_SETUP.EXE; UNIEXTRACT.EXE;
      UNLOCKER1.8.7.EXE; RAVP.EXE; MBAM.EXE; USBGUARD.EXE; AVZ.EXE; OTL.EXE;
      CPF.EXE; ZLCLIENT.EXE; 123.COM; 123.EXE


 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Descrizione inserita da Petre Galan su martedì 8 giugno 2010
Descrizione aggiornata da Petre Galan su martedì 8 giugno 2010

Indietro . . . .
https:// Questa finestra è criptata per tua sicurezza.