Ha bisogno di assistenza? Chieda alla community oppure consulti un esperto.
Vai ad Avira Answers
Date discovered:15/11/2010
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:56.832 Bytes
MD5 checksum:400ab8f23844227443cc309c472844dd
VDF version:
IVDF version: - Monday, November 15, 2010

 General Method of propagation:

   •  Mcafee: W32/YahLover.worm
   •  Kaspersky: Backdoor.Win32.IRCBot.rbe
   •  TrendMicro: WORM_SLENFBOT.DA
   •  F-Secure: Backdoor.Bot.131406
   •  Sophos: Mal/PushBot-A
   •  Bitdefender: Backdoor.Bot.131406

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
    Windows Vista
    Windows 7

Side effects:
   • Drops files
   • Lowers security settings
   • Registry modification
   • Steals information

 Files It copies itself to the following location:
   • %WINDIR%\nvsvc32.exe

 Registry To each registry key one of the values is added in order to run the processes after reboot:

   • "NVIDIA driver monitor"="%WINDIR%\nvsvc32.exe"

   • "NVIDIA driver monitor"="%WINDIR%\nvsvc32.exe"

  [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\
   • "NVIDIA driver monitor"="%WINDIR%\nvsvc32.exe"

The following registry keys are added:

[HKCU\Software\Microsoft\Internet Explorer\Main]
   • "Start Page"="http://googleure.com"

   • "%malware execution directory%\%executed file%"="%WINDIR%\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"

   • "%malware execution directory%\%executed file%"="%WINDIR%\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"

The following registry key is changed:

   Old value:
   • "Start"=dword:00000002
   New value:
   • "Start"=dword:00000004

 Messenger It is spreading via Messenger. The characteristics are described below:

 Yahoo Messenger

The sent message looks like one of the following:

   • You have only 3 minutes to fill out the selected survey
or you will not have access to your account.
     You have only 3 minutes to fill out the selected survey
or you will be banned from this site.

 IRC  Furthermore it has the ability to perform actions such as:
    • Join IRC channel
    • Leave IRC channel

 Stealing  A logging routine is started after the following website is visited, which contains one of the following substrings in the URL:
   • myspace.com
   • facebook.com

 Miscellaneous  Checks for an internet connection by contacting the following web sites:
   • albertoshistory.info; ale.pakibili.com; astro.ic.ac.uk;
      ate.lacoctelera.net; beta.neogen.ro; browseusers.myspace.com;
      crl.microsoft.com; deirdremccloskey.org; ds.phoenix-cc.net;
      epp.gunmablog.jp; erdbeerlounge.de; goodreads.com; heidegger.x-y.net;
      hrm.uh.edu; insidehighered.com; jb.asm.org; journalofaccountancy.com;
      journals.lww.com; mas.0730ip.com; mas.ahlamontada.com;
      mas.archivum.info; mas.josbank.com; mas.juegosbakugan.net;
      mas.mtime.com; mas.tguia.cl; mas.univie.ac.at; mcsp.lvengine.com;
      middleastpost.org; mix.price-erotske.in.rs; mix.thenaturistclub.com;
      mmm.bolbalatrust.org; old.longjuyt2tugas.com; old.youku.com;
      ols.systemofadown.com; ope.oaklandathletics.com; opl.munin.irf.se;
      pra.aps.org; pru.landmines.org; qun.51.com; refugee-action.org.uk;
      screenservice.com; scribbidyscrubs.com; shopstyle.com;
      southampton.ac.uk; stayontime.info; summer-uni-sw.eesp.ch;
      transnationale.org; tripadvisor.com; uks.linkedin.com; unclefed.com;
      versatek.com; websitetrafficspy.com; www.myspace.com;
      www.shearman.com; x.myspacecdn.com; xxx.jagdcom.de; xxx.stopklatka.pl

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Descrizione inserita da Andrei Ilie su mercoledì 23 marzo 2011
Descrizione aggiornata da Andrei Ilie su venerdì 1 aprile 2011

Indietro . . . .
https:// Questa finestra è criptata per tua sicurezza.