Need help? Ask the community or hire an expert.
Go to Avira Answers
病毒:TR/Fakealert.qma
发现日期:13/12/2012
类型:特洛伊木马
广泛传播:
病毒传播个案呈报:低程度
感染/传播能力:低程度
破坏 / 损害程度:低程度至中程度
静态文件:
文件大小:327.680 字节
MD5 校检和:C9B684BDEB0D836BDDBBEB74142EE5D6
VDF 版本:7.11.53.216 - donderdag 13 december 2012
IVDF 版本:7.11.53.216 - donderdag 13 december 2012

 况概描述 传播方法:
   • 无内置传播例程


别名:
   •  TrendMicro: TROJ_FAKEAV.CAB
   •  Sophos: Mal/FakeAV-MQ
   •  Microsoft: Rogue:Win32/FakeRean


平台/操作系统:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


副作用:
   • 阻止对安全网站的访问
   • 植入文件
   • 降低系统安全设置
   • 注册表修改


执行完毕之后会显示以下信息:




 文件 它将本身复制到以下位置:
   • %HOME%\Local Settings\Application Data\%随机字符串%.exe



它会删除其本身最初执行的副本。



创建以下文件:

– %TEMPDIR%\%随机字符串%
– %ALLUSERSPROFILE%\Application Data\%随机字符串%
– %HOME%\Local Settings\Application Data\%随机字符串%
– %TEMPDIR%\%随机字符串%
– %HOME%\Templates\%随机字符串%

 注册表 会添加以下注册表项目注册值:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile]
   • "DoNotAllowExceptions"=dword:00000000
   • "EnableFirewall"=dword:00000000
   • "DisableNotifications"=dword:00000001

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\DomainProfile]
   • "EnableFirewall"=dword:00000000
   • "DoNotAllowExceptions"=dword:00000000
   • "DisableNotifications"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "ctfmon.exe"="%SYSDIR%\ctfmon.exe"

– [HKCR\.exe\shell\open\command]
   • "(Default)"="\"%HOME%\Local Settings\Application Data\\%随机字符串%.exe\" -a \"%1\" %*"
   • "IsolatedCommand"="\"%1\" %*"

– [HKCR\exefile\shell\open\command]
   • "(Default)"="\"%HOME%\Local Settings\Application Data\\%随机字符串%.exe\" -a \"%1\" %*"
   • "IsolatedCommand"="\"%1\" %*"

– [HKCR\exefile\shell\runas\command]
   • "(Default)"="\"%1\" %*"
   • "IsolatedCommand"="\"%1\" %*"

– [HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\
   command]
   • "(Default)"="\"%HOME%\Local Settings\Application Data\\%随机字符串%.exe\" -a \"%PROGRAM FILES%\Intern"



会更改以下注册表项:

– [HKLM\SOFTWARE\Microsoft\Security Center]
   新值:
   • "AntiVirusDisableNotify"=dword:00000001
   • "FirewallDisableNotify"=dword:00000001
   • "FirewallOverride"=dword:00000001
   • "UpdatesDisableNotify"=dword:00000001
   • "AntiVirusOverride"=dword:00000001

 注入进程 – 它会将其本身作为远程线程注入到进程中。

    进程名:
   • iexplore.exe


 其他 访问 Internet 资源:
   • **********yziriryvi.com/%几个随机数字%;
      **********ipemura.com/%几个随机数字%;
      **********awekugygil.com/%几个随机数字%;
      **********ifyzadiby.com/%几个随机数字%;
      **********ijinymut.com/%几个随机数字%;
      **********uwemixonav.com/%几个随机数字%;
      **********exynogemi.com/%几个随机数字%;
      **********elaticik.com/%几个随机数字%;
      **********inolecowary.com/%几个随机数字%;
      **********ofociv.com/%几个随机数字%;
      **********ucerybaqecy.com/%几个随机数字%;
      **********upowibi.com/%几个随机数字%;
      **********ujykolenuja.com/%几个随机数字%;
      **********exyhun.com/%几个随机数字%;
      **********oralipijago.com/%几个随机数字%;
      **********ykacagatet.com/%几个随机数字%;
      **********ulipum.com/%几个随机数字%;
      **********isesyf.com/%几个随机数字%;
      **********ityvik.com/%几个随机数字%;
      **********ejutyhyfu.com/%几个随机数字%;
      **********usaseda.com/%几个随机数字%;
      **********ehiqino.com/%几个随机数字%;
      **********idicawisos.com/%几个随机数字%;
      **********ibipaj.com/%几个随机数字%;
      **********ixydyf.com/%几个随机数字%;
      **********unemymyko.com/%几个随机数字%;
      **********upinycom.com/%几个随机数字%;
      **********ygizeq.com/%几个随机数字%;
      **********emolezala.com/%几个随机数字%;
      **********ecolun.com/%几个随机数字%

Beschrijving ingevoegd door Andrei Ilie op woensdag 12 oktober 2011
Beschrijving bijgewerkt door Andrei Ilie op donderdag 13 oktober 2011

Terug . . . .
https:// Dit venster is voor uw veiligheid gecodeerd.