Need help? Ask the community or hire an expert.
Go to Avira Answers
??:Worm/Warezov.Q.1
????:13/12/2012
??:??
????:?
????????????
??/?????????
?? / ?????????
????:?
????:151.251 ??
MD5 ???:abbb2b9923428eb2b396ac70f1b34ad4
VDF ??:7.11.53.216 - donderdag 13 december 2012
IVDF ??:7.11.53.216 - donderdag 13 december 2012

 ???? ????:
   • ????


??:
   •  Symantec: W32.Stration.A@mm
   •  Mcafee: W32/Stration@MM
   •  TrendMicro: WORM_STRATION.AZ
   •  Sophos: W32/Stration-S
   •  VirusBuster: I-Worm.Stration.C
   •  Eset: Win32/Stration.AF
   •  Bitdefender: Win32.Warezov.Q@mm


??/????:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


???:
   • ??????????
   • ??????
   • ??????
   • ???????????
   • ????


?????????????:


 ?? ???????????:
   • %WINDIR%\tsrv.exe



??????:

– ??????????????:
   • %WINDIR%\tsrv.wax

%WINDIR%\tsrv.dll ?????????????????? ???: Worm/Warezov.Q.1

%SYSDIR%\hpzl449c14b7.exe ?????????????????? ???: Worm/Warezov.Q.1

%SYSDIR%\msji449c14b7.dll ?????????????????? ???: Worm/Stration

%SYSDIR%\cmut449c14b7.dll ?????????????????? ???: Worm/Warezov.Q




????????:

???????:
   • http://yuhadefunjinsa.com/chr/grw/**********
???????????????: %TEMPDIR%\~%??%.tmp ???????? ??????????????????

 ??? ????????????????????????:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • tsrv = %WINDIR%\tsrv.exe s



?????????:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   ??:
   • AppInit_DLLs =
   ??:
   • AppInit_DLLs = msji449c14b7.dll

 ???? ?????? SMTP ???????????? ?????????????? ?????????:


???:
???????? ???????????????????????? ??????????????????????????? ???????????????????????????? ??????????


???:
– ????????????????????
 ? WAB (Windows ???) ??????????


??????:



???: sec@%???????%
??: Mail server report.
??:
   • Mail server report.
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
     Please install updates for worm elimination and your computer restoring.
     Best regards,
     Customers support service
??:
   • Update-KB%??%-x86.exe



???: secur@%???????%
??: Mail server report.
??:
   • Mail server report.
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
     Please install updates for worm elimination and your computer restoring.
     Best regards,
     Customers support service
??:
   • Update-KB%??%-x86.exe



???: serv@%???????%
??: Mail server report.
??:
   • Mail server report.
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
     Please install updates for worm elimination and your computer restoring.
     Best regards,
     Customers support service
??:
   • Update-KB%??%-x86.exe


??:
??????:
   • Error
   • Good day
   • hello
   • Mail Delivery System
   • Mail Transaction Failed
   • picture
   • Server Report
   • Status
   • test



??:
??????????????:
   • Mail transaction failed. Partial message is available.
   • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
   • The message contains Unicode characters and has been sent as a binary attachment


??:
????????????:

–  ??????????:
   • body
   • data
   • doc
   • docs
   • document
   • file
   • message
   • readme
   • test
   • tex

    ??????????:
   • dat
   • elm
   • log
   • msg
   • txt

    ?????????????:
   • bat
   • cmd
   • exe
   • pif
   • scr

??????????????



??????????:



 ?? ????:
????????????????:
   • %?? *.htm ??%

 ?? ???????????????:

?????????????????

?????????:
   • download.microsoft.com
   • go.microsoft.com
   • msdn.microsoft.com
   • office.microsoft.com
   • windowsupdate.microsoft.com
   • http://www.microsoft.com/downloads/Search.aspx?displaylang=en
   • avp.ru
   • www.avp.ru
   • http://avp.ru
   • http://www.avp.ru
   • kaspersky.ru
   • www.kaspersky.ru
   • http://kaspersky.ru
   • kaspersky.com
   • www.kaspersky.com
   • http://kaspersky.com
   • kaspersky-labs.com
   • www.kaspersky-labs.com
   • http://kaspersky-labs.com
   • avp.ru/download/
   • www.avp.ru/download/
   • http://www.avp.ru/download/
   • http://www.kaspersky.ru/updates/
   • http://www.kaspersky-labs.com/updates/
   • http://kaspersky.ru/updates/
   • http://kaspersky-labs.com/updates/
   • downloads1.kaspersky-labs.com
   • downloads2.kaspersky-labs.com
   • downloads3.kaspersky-labs.com
   • downloads4.kaspersky-labs.com
   • downloads5.kaspersky-labs.com
   • http://downloads1.kaspersky-labs.com
   • http://downloads2.kaspersky-labs.com
   • http://downloads3.kaspersky-labs.com
   • http://downloads4.kaspersky-labs.com
   • http://downloads5.kaspersky-labs.com
   • downloads1.kaspersky-labs.com/products/
   • downloads2.kaspersky-labs.com/products/
   • downloads3.kaspersky-labs.com/products/
   • downloads4.kaspersky-labs.com/products/
   • downloads5.kaspersky-labs.com/products/
   • http://downloads1.kaspersky-labs.com/products/
   • http://downloads2.kaspersky-labs.com/products/
   • http://downloads3.kaspersky-labs.com/products/
   • http://downloads4.kaspersky-labs.com/products/
   • http://downloads5.kaspersky-labs.com/products/
   • downloads1.kaspersky-labs.com/updates/
   • downloads2.kaspersky-labs.com/updates/
   • downloads3.kaspersky-labs.com/updates/
   • downloads4.kaspersky-labs.com/updates/
   • downloads5.kaspersky-labs.com/updates/
   • http://downloads1.kaspersky-labs.com/updates/
   • http://downloads2.kaspersky-labs.com/updates/
   • http://downloads3.kaspersky-labs.com/updates/
   • http://downloads4.kaspersky-labs.com/updates/
   • http://downloads5.kaspersky-labs.com/updates/
   • ftp://downloads1.kaspersky-labs.com
   • ftp://downloads2.kaspersky-labs.com
   • ftp://downloads3.kaspersky-labs.com
   • ftp://downloads4.kaspersky-labs.com
   • ftp://downloads5.kaspersky-labs.com
   • ftp://downloads1.kaspersky-labs.com/products/
   • ftp://downloads2.kaspersky-labs.com/products/
   • ftp://downloads3.kaspersky-labs.com/products/
   • ftp://downloads4.kaspersky-labs.com/products/
   • ftp://downloads5.kaspersky-labs.com/products/
   • ftp://downloads1.kaspersky-labs.com/updates/
   • ftp://downloads2.kaspersky-labs.com/updates/
   • ftp://downloads3.kaspersky-labs.com/updates/
   • ftp://downloads4.kaspersky-labs.com/updates/
   • ftp://downloads5.kaspersky-labs.com/updates/
   • http://updates.kaspersky-labs.com/updates/
   • http://updates1.kaspersky-labs.com/updates/
   • http://updates2.kaspersky-labs.com/updates/
   • http://updates3.kaspersky-labs.com/updates/
   • http://updates4.kaspersky-labs.com/updates/
   • ftp://updates.kaspersky-labs.com/updates/
   • ftp://updates1.kaspersky-labs.com/updates/
   • ftp://updates2.kaspersky-labs.com/updates/
   • ftp://updates3.kaspersky-labs.com/updates/
   • ftp://updates4.kaspersky-labs.com/updates/
   • viruslist.com
   • www.viruslist.com
   • http://viruslist.com
   • viruslist.ru
   • www.viruslist.ru
   • http://viruslist.ru
   • ftp://ftp.kasperskylab.ru/updates/
   • symantec.com
   • www.symantec.com
   • http://symantec.com
   • customer.symantec.com
   • http://customer.symantec.com
   • liveupdate.symantec.com
   • http://liveupdate.symantec.com
   • liveupdate.symantecliveupdate.com
   • http://liveupdate.symantecliveupdate.com
   • securityresponse.symantec.com
   • http://securityresponse.symantec.com
   • service1.symantec.com
   • http://service1.symantec.com
   • symantec.com/updates
   • http://symantec.com/updates
   • updates.symantec.com
   • http://updates.symantec.com
   • eset.com/
   • www.eset.com/
   • http://www.eset.com/
   • eset.com/products/index.php
   • www.eset.com/products/index.php
   • http://www.eset.com/products/index.php
   • eset.com/download/index.php
   • www.eset.com/download/index.php
   • http://www.eset.com/download/index.php
   • eset.com/joomla/
   • www.eset.com/joomla/
   • http://www.eset.com/joomla/
   • u3.eset.com/
   • http://u3.eset.com/
   • u4.eset.com/
   • http://u4.eset.com/
   • www.symantec.com/updates




????hosts ???????:


 ???? ?????:
????:
   • http://yuhadefunjinsa.com/cgi-bin/**********

????????????? ????? CGI ???? HTTP POST ???????


???????????:
     ?????????
     ????????

 ?????? ???????:
???????????????????????????????

Beschrijving ingevoegd door Andrei Gherman op vrijdag 15 september 2006
Beschrijving bijgewerkt door Andrei Gherman op maandag 18 september 2006

Terug . . . .
https:// Dit venster is voor uw veiligheid gecodeerd.