Virus: Worm/AutoIt.X
Date discovered: 10/04/2008
Type: Worm
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 617.473 Bytes
MD5 checksum: 3adfe5101e736d996b27b5d547909477
IVDF version: 7.00.03.144 - Thursday, April 10, 2008

General: Autorun feature


Aliases:
   •  Mcafee: W32/Autorun.worm.g virus
   •  Sophos: Mal/Inet-Fam
   •  Panda: W32/Sohanat.HC.worm
   •  Eset: Win32/Autoit.DB
   •  Bitdefender: Rootkit.19206


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following locations:
   • %WINDIR%\regsvr.exe
   • %SYSDIR%\svchost .exe
   • %SYSDIR%\regsvr.exe
   • %drive%\regsvr.exe



The following files are created:

%SYSDIR%\setup.ini
%drive%\autorun.inf This is a non-malicious text file with the following content:
   • %code that runs malware%

%SYSDIR%\28463\svchost.exe Further investigation showed that this file is malware too. Detected as: TR/Spy.Ardamax.J

%WINDIR%\Tasks\At1.job
%SYSDIR%\28463\svchost.001



It tries to download some files:

The location is the following:
   • http://yahoo.com/**********
At the time of writing this file was not online for further investigation.

The location is the following:
   • http://yahoo.com/**********
At the time of writing this file was not online for further investigation.

Registry
To each registry key, one of the values is added in order to run the processes after reboot:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Msn Messsenger"="%SYSDIR%\regsvr.exe"

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "svchost Agent"="%SYSDIR%\28463\svchost.exe"



The following registry key is added:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   • "DisableRegistryTools"=dword:0x00000001
   • "DisableTaskMgr"=dword:0x00000000



The following registry keys are changed:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
   New value:
   • "DefaultConnectionSettings"=hex:46,00,00,00,05,00,00,00,09,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,80,3C,88,A9,3F,74,CA,01,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,02,00,00,00,C0,A8,6B,64,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "Shell"="Explorer.exe regsvr.exe"

[HKLM\SYSTEM\CurrentControlSet\Services\Schedule]
   New value:
   • "AtTaskMaxHours"=dword:0x00000000
   • "NextAtJobId"=dword:0x00000002

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • "NofolderOptions"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • "GlobalUserOffline"=dword:0x00000000
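As an added example (not part of Avira's description or tooling), the following Python check parses a constructed .reg-style export and flags the persistence and policy changes listed above: Run entries pointing at the dropped files, a Winlogon Shell value that is no longer just Explorer.exe, and DisableRegistryTools set to 1. Hive names are abbreviated HKCU/HKLM as on this page, and the sample export is constructed.

```python
import re
# Indicators taken from the Worm/AutoIt.X description above (hives abbreviated as on
# that page); the detection logic itself is an added example, not Avira's tooling.
RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
DROPPED_NAMES = ("regsvr.exe", "svchost .exe", r"28463\svchost.exe")
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg_export(text):
    """Parse a .reg-style export into {key: {value_name: data}}; dwords become int."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := _KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := _VAL_RE.match(line)) and current is not None:
            name, s, d = m.groups()
            keys[current][name] = s if d is None else int(d, 16)
    return keys

def find_autoit_x_indicators(reg):
    """Return human-readable findings for the registry changes this worm makes."""
    findings = []
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if isinstance(data, str) and any(n.lower() in data.lower() for n in DROPPED_NAMES):
                findings.append(f"Run entry '{name}' launches dropped file: {data}")
    shell = reg.get(WINLOGON_KEY, {}).get("Shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell altered from the default Explorer.exe: {shell}")
    if reg.get(POLICY_KEY, {}).get("DisableRegistryTools") == 1:
        findings.append("Registry editing disabled via DisableRegistryTools=1")
    return findings

# Constructed sample export mirroring the description's registry changes.
SAMPLE_EXPORT = r"""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Msn Messsenger"="C:\WINDOWS\system32\regsvr.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost Agent"="C:\WINDOWS\system32\28463\svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe regsvr.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000000
"""
```

Running `find_autoit_x_indicators(parse_reg_export(SAMPLE_EXPORT))` on the constructed export yields four findings; a default Winlogon Shell of exactly "Explorer.exe" produces none.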

File details
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, December 3, 2009
Description updated by Petre Galan on Thursday, December 3, 2009
