Date discovered:11/11/2010
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:53.248 Bytes
MD5 checksum:1C886EABF2D5A89329CA4529DFA6BB21
VDF version:
IVDF version: - Thursday, November 11, 2010

 General Method of propagation:
    Autorun feature

   •  Mcafee: W32/IRCbot.worm
   •  Kaspersky: Trojan.Win32.Jorik.Lolbot.ip
   •  TrendMicro: WORM_SPYBOT.CEA
   •  F-Secure: Trojan.VB.Agent.HR
   •  Bitdefender: Trojan.VB.Agent.HR

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
    Windows Vista
    Windows 7

Side effects:
   • Drops files
   • Registry modification

 Files It copies itself to the following locations:
   • %APPDATA%\winlogon.exe
   • %drive%\driver\info\explorer.exe

The following files are created:

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

 Registry To each registry key one of the values is added in order to run the processes after reboot:

   • "Microsoft TrustGuard"="%APPDATA%\winlogon.exe"

   • "Microsoft TrustGuard"="%APPDATA%\winlogon.exe"

   • "Microsoft TrustGuard"="%APPDATA%\winlogon.exe"

   • "Microsoft TrustGuard"="%APPDATA%\winlogon.exe"

The following registry key is added:

   • "Microsoft TrustGuard"="%APPDATA%\winlogon.exe"

 IRC  Furthermore it has the ability to perform actions such as:
     connect to IRC server
     disconnect from IRC server
    • Join IRC channel
    • Leave IRC channel

 Hosts The host file is modified as explained:

Access to the following domains is effectively blocked:
   • avp.com
   • ca.com
   • dispatch.mcafee.com
   • etrust
   • jotti
   • kaspersky.com
   • liveupdate.symantecliveupdate.
   • mcafee.com
   • my-etrust.com
   • nai.com
   • nod32.com
   • norton
   • rads.mcafee.com
   • secure.nai.com
   • sophos.com
   • symantecliveupdate.com
   • trendmicro.com
   • updates.symantec.com
   • viruslist.com
   • te [virustotal.com
   • virusscan.jotti.org
   • us.mcafee.com
   • threatexpert
   • symantec.com
   • securityresponse.
   • pandasoftware
   • networkassociates
   • mast.mcafee.com
   • liveupdate.symantec.com
   • kaspersky-labs.com
   • grisoft
   • f-secure
   • download.mcafee.com
   • bitdefender.com
   • nai.

 Process termination Processes with one of the following strings are terminated:
   • AntiVirus; ashWebSv; avgnt; avp.exe; bitdef; kaspersky; mcafee;
      mcshield; NOD32; symantec; viruslist; trendmicro; guard.exe; avgw.exe;
      avguard; ashDisp

 Miscellaneous Anti debugging
It checks for running programs that contain one of the following strings:
   • sandbox
   • nepenthes
   • wireshark
   • vmware

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

説明の挿入者 Andrei Ilie の 2011年3月18日金曜日
説明の更新者 Andrei Ilie の 2011年3月22日火曜日

戻る . . . .
https:// このウィンドウは暗号化されています。