Name: BDS/Mirc-based.K.5
Date discovered: 23/12/2008
?????????????
????????
???????
?????????
??????????????
?????????????
File size: 782.336 Bytes
MD5 checksum: 375306f0f224df1542b0343d5756b8a5
IVDF version: 7.01.01.27 - Tuesday, December 23, 2008

Method of propagation:
   • Infects files


Aliases:
   • McAfee: W32/Virut.gen
   • Sophos: W32/Vetor-A
   • Panda: W32/Virutas.gen
   • Eset: Win32/Virut.Q
   • Bitdefender: IRC-Worm.Generic.4269


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


???
   • ?????????????
Infects files
   • ????????????????
   • ?????????
   • ???????????????

Files: The following files are created:

%PROGRAM FILES%\mIRC\IRC Bot\control.ini
%PROGRAM FILES%\mIRC\IRC Bot\remote.ini
%PROGRAM FILES%\mIRC\IRC Bot\svchost.exe
%PROGRAM FILES%\mIRC\IRC Bot\Anjing_Malingsia.sys
%PROGRAM FILES%\mIRC\IRC Bot\Stupid.sys
%PROGRAM FILES%\Microsoft Office
%PROGRAM FILES%\mIRC\IRC Bot\fuck.sys
%PROGRAM FILES%\mIRC\IRC Bot\kontol.mrc
%PROGRAM FILES%\mIRC\IRC Bot\perampok_budaya.sys
%PROGRAM FILES%\mIRC\IRC Bot\Nama_Anjing.sys
%PROGRAM FILES%\mIRC\IRC Bot\Channel_Babi.sys
%PROGRAM FILES%\mIRC\IRC Bot\Nama_Babi.sys
%PROGRAM FILES%\mIRC\IRC Bot\Asshole.sys

Registry: The following registry key is added in order to run the process after reboot:

  [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Shell"="Explorer.exe, %PROGRAM FILES%\Microsoft Office\WINWORD.EXE"



The following registry keys are added:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Acha.exe]
   • "Debugger"="cmd.exe /c del"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\wscript.exe]
   • "Debugger"="rundll32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AmyMastura.exe]
   • "Debugger"="cmd.exe /c del"

[HKLM\SOFTWARE\Microsoft\Security Center]
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "AntiVirusOverride"=dword:0x00000001
   • "FirewallDisableNotify"=dword:0x00000001
   • "FirewallOverride"=dword:0x00000001
   • "FirstRunDisabled"=dword:0x00000001
   • "UpdatesDisableNotify"=dword:0x00000001

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\registry.exe]
   • "Debugger"="cmd.exe /c del"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\csrsz.exe]
   • "Debugger"="cmd.exe /c del"



The following registry keys are changed:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   ????
   • "EnableLUA"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   ????
   • "ShowSuperHidden"=dword:0x00000000
   • "SuperHidden"=dword:0x00000000

[HKLM\SOFTWARE\Classes\exefile]
   ????
   • "NeverShowExt"=""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   ????
   • "CheckedValue"=dword:0x00000000
   • "DefaultValue"=dword:0x00000000
   • "UncheckedValue"=dword:0x00000000

[HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
   ????
   • "Start"=dword:0x00000004
   • "Type"=dword:0x00000004

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   ????
   • "Start"=dword:0x00000004
   • "Type"=dword:0x00000004

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   ????
   • "load"=""

[HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
   ????
   • "Start"=dword:0x00000004
   • "Type"=dword:0x00000004

[HKLM\SYSTEM\CurrentControlSet\Services\WinDefend]
   ????
   • "Start"=dword:0x00000004
   • "Type"=dword:0x00000004

Infector type:
   • Appender
   • Infector modifies last section

Self modification:
   • Infector polymorphic


?????

?????????????????????????????????

??????????????????????????????????????


Infection length:
   • 11.264 Bytes


The following files are infected:

By file type:
   • .exe

IRC: To deliver system information and to provide remote control it connects to the following IRC servers:

Server: proxim.irc**********.pl
Port: 80
Channel: &virtu
Nickname: %random character string%

Server: srv201.cy**********.name
Port: 80
Channel: &virtu
Nickname: %random character string%

Server: 60.190.2**********.1**********
Port: 80
Channel: &virtu
Nickname: %random character string%

Injection – It injects itself into the following process:

    Process name:
   • winlogon.exe



– It also injects code into the following processes:

    Process name:
   • %????????????%


Rootkit technology: It hooks the following API functions:
   • NtCreateFile
   • NtOpenFile
   • NtCreateProcess
   • NtCreateProcessEx

Description inserted by Petre Galan on Monday, March 22, 2010
Description updated by Petre Galan on Wednesday, March 24, 2010
