Need help? Ask the community or hire an expert.
Go to Avira Answers
??:Worm/Rontok.D
????:13/12/2012
??:??
????:?
????????????????
??/????????????
?? / ????????????
????:?
????:41.385 ??
MD5 ???:5a1e3b99e00dd5df99cc316ecfff5fb9
VDF ??:7.11.53.216 - donderdag 13 december 2012
IVDF ??:7.11.53.216 - donderdag 13 december 2012

 ???? ????:
   • ????


??:
   •  Mcafee: W32/Rontokbro.gen@MM
   •  Sophos: W32/Brontok-DB
   •  Bitdefender: Worm.Generic.73749
   •  Panda: W32/Brontok.CX.worm
     GData: Worm.Generic.73749


??/????:
   • Windows 2000
   • Windows XP
   • Windows 2003


???:
   • ??????
   • ???????????

 ?? ???????????:
   • %SYSDIR%\%?????%'s Setting.scr
   • %HOME%\Local Settings\Application Data\smss.exe
   • %HOME%\Local Settings\Application Data\lsass.exe
   • %HOME%\Local Settings\Application Data\csrss.exe
   • %WINDIR%\eksplorasi.exe
   • %HOME%\Local Settings\Application Data\winlogon.exe
   • %HOME%\Start Menu\Programs\Startup\Empty.pif
   • %HOME%\Templates\WowTumpeh.com
   • %SYSDIR%\drivers\etc\hosts-Denied By-%?????%.com
   • %HOME%\Local Settings\Application Data\services.exe
   • %HOME%\Local Settings\Application Data\inetinfo.exe
   • %WINDIR%\ShellNew\bronstab.exe



?????????
C:\autoexec.bat



??????:

%HOME%\Local Settings\Application Data\ListHost9.txt
%HOME%\Local Settings\Application Data\Update.9.Bron.Tok.bin



??????????:

???:
   • explorer.exe


???:
   • %HOME%\Local Settings\Application Data\smss.exe


???:
   • %HOME%\Local Settings\Application Data\winlogon.exe


???:
   • at /delete /y


???:
   • at 17:08 /every:M,T,W,Th,F,S,Su "%HOME%\Templates\WowTumpeh.com"


???:
   • %HOME%\Local Settings\Application Data\services.exe


???:
   • %HOME%\Local Settings\Application Data\lsass.exe


???:
   • %HOME%\Local Settings\Application Data\inetinfo.exe

 ??? ????????????????????????:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Tok-Cirrhatus"=""%HOME%\Local Settings\Application Data\smss.exe""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Bron-Spizaetus"=""%WINDIR%\ShellNew\bronstab.exe""



?????????????:

[HKCU\software\microsoft\windows\currentversion\Policies\System]
   • "DisableCMD"=dword:0x00000000
   • "DisableRegistryTools"=dword:0x00000001

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   • "NoFolderOptions"=dword:0x00000001



?????????:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   ??:
   • "Shell"="Explorer.exe "%WINDIR%\eksplorasi.exe""

[HKCU\Software\Microsoft\Internet Explorer\Toolbar\Explorer]
   ??:
   • "ITBarLayout"=hex:11,00,00,00,4C,00,00,00,00,00,00,00,34,00,00,00,1B,00,00,00,4E,00,00,00,01,00,00,00,20,07,00,00,A0,0F,00,00,05,00,00,00,62,05,00,00,26,00,00,00,02,00,00,00,21,07,00,00,A0,0F,00,00,04,00,00,00,21,01,00,00,A0,0F,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   ??:
   • "Hidden"=dword:0x00000000
   • "HideFileExt"=dword:0x00000001
   • "ShowSuperHidden"=dword:0x00000000

[HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
   ??:
   • "{01E04581-4EEE-11D0-BFE9-00AA005B4383}"=hex:81,45,E0,01,EE,4E,D0,11,BF,E9,00,AA,00,5B,43,83,10,00,00,00,00,00,00,00,01,E0,32,F4,01,00,00,00

[HKCU\Software\Microsoft\Internet Explorer\Toolbar]
   ??:
   • "Locked"=dword:0x00000001

 ???? ?????? SMTP ???????????? ?????????????? ?????????:


???:
?????????


???:
– ????????????????????
 ? WAB (Windows ???) ??????????


??:
– ?? HTML ???

??????????????

 ?? ???????????????:

?????????:
   • %??????%


????????????????:
   • %??????%


 ?? ?? Internet ???
   • http://www.geocities.com/sembilstabok/**********
   • http://www.geocities.com/sembilstabok/**********

 ?????? ????:
????????? Visual Basic ????


???????:
???????????????????????????????

Beschrijving ingevoegd door Petre Galan op maandag 11 april 2011
Beschrijving bijgewerkt door Petre Galan op maandag 11 april 2011

Terug . . . .
https:// Dit venster is voor uw veiligheid gecodeerd.