??:TR/Spy.ZBot.RS.1
????:13/12/2012
??:?????
????:?
????????????????
??/????????
?? / ????????????
????:?
????:192.512 ??
MD5 ???:948ba9e36338cfd2a789b8a49094fefb
VDF ??:7.11.53.216 - Thursday, December 13, 2012
IVDF ??:7.11.53.216 - Thursday, December 13, 2012

 ???? ??:
   •  Kaspersky: Trojan-Spy.Win32.SpyEyes.hry
   •  Bitdefender: Trojan.Generic.KD.230624
     GData: Trojan.Generic.KD.230624
     DrWeb: Trojan.DownLoader3.1932


??/????:
   • Windows 2000
   • Windows XP
   • Windows 2003


???:
   • ??????
   • ?????
   • ????

 ?? ???????????:
   • C:\svchostxxx.exe\svchostxxx.exe



???????????????



??????:

C:\svchostxxx.exe\config.bin



??????????:

???:
   • C:\svchostxxx.exe\svchostxxx.exe

 ??? ????????????????????????:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "svchostxxx.exe"="C:\svchostxxx.exe\svchostxxx.exe"



?????????????:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   • AutoConfigURL
   • ProxyOverride
   • ProxyServer



?????????????:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   • "WarnOnIntranet"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\0]
   • "1409"=dword:0x00000003



?????????:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\1]
   ??:
   • "1406"=dword:0x00000000
   • "1409"=dword:0x00000003
   • "1609"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\0]
   ??:
   • "1406"=dword:0x00000000
   • "1609"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\2]
   ??:
   • "1406"=dword:0x00000000
   • "1409"=dword:0x00000003
   • "1609"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Lockdown_Zones\4]
   ??:
   • "1406"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Lockdown_Zones\1]
   ??:
   • "1406"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Lockdown_Zones\2]
   ??:
   • "1406"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Lockdown_Zones\3]
   ??:
   • "1406"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   ??:
   • "EnableHttp1_1"=dword:0x00000000
   • "MigrateProxy"=dword:0x00000001
   • "ProxyEnable"=dword:0x00000000
   • "ProxyHttp1.1"=dword:0x00000000
   • "WarnOnPost"=hex:00,00,00,00
   • "WarnOnPostRedirect"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\3]
   ??:
   • "1406"=dword:0x00000000
   • "1409"=dword:0x00000003
   • "1609"=dword:0x00000000

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\4]
   ??:
   • "1406"=dword:0x00000000
   • "1409"=dword:0x00000003
   • "1609"=dword:0x00000000

 ???? ?????:
????:
   • http://cnc0098510m.cz.cc/mmmmmmaaaaaa/**********?guid=%???%&ver=%??%&stat=%???%&ie=%???%&os=%???%&ut=%???%&cpu=%??%&ccrc=%???%&md5=%???%


 ?? ??????????:
 ??????????????

?????????:
   • Mozilla Firefox
   • Internet Explorer

 ???? ???????????????????

    ???:
   • explorer.exe



???????????????????

???????????


 ??  ??????????? Internet ??:
   • http://www.microsoft.com/


Mutex:
?????? Mutex:
   • __svxxxx__
   • __SPYNET_REPALREADYSENDED__

 ?????? ????:
????????? MS Visual C++ ????


???????:
???????????????????????????????

Description inserted by Petre Galan on Tuesday, July 12, 2011
Description updated by Petre Galan on Tuesday, July 12, 2011
