Need help? Ask the community or hire an expert.
Go to Avira Answers
病毒:RKit/Agent.deoh
发现日期:13/12/2012
广泛传播:
病毒传播个案呈报:低程度至中程度
感染/传播能力:低程度
破坏 / 损害程度:低程度
文件大小:6.400 字节
MD5 校检和:f48ec0c212f2a39dbb1ac08383cbaa9f
VDF 版本:7.11.53.216 - donderdag 13 december 2012
IVDF 版本:7.11.53.216 - donderdag 13 december 2012

 况概描述 传播方法:
   • 无内置传播例程


别名:
   •  Kaspersky: Rootkit.Win32.Agent.deoh
   •  Avast: Win32:Agent-AOTK


平台/操作系统:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


副作用:
   • 注册表修改

 注册表 会添加以下注册表项目注册值:

– [HKLM\SYSTEM\ControlSet001\Services\
   %已执行文件的名称,不含扩展名%]
   • ""=""
   • "DisplayName"="%已执行文件的名称,不含扩展名%"

– [HKLM\SYSTEM\ControlSet001\Services\
   %已执行文件的名称,不含扩展名%\Enum]
   • ""=""
   • "Count"="dword:0x00000000"
   • "INITSTARTFAILED"="dword:0x00000001"
   • "NextInstance"="dword:0x00000000"

– [HKLM\SYSTEM\ControlSet001\Services\
   %已执行文件的名称,不含扩展名%]
   • "ErrorControl"="dword:0x00000001"
   • "ImagePath"="\??\%目录名称%\%执行的文件%"

– [HKLM\SYSTEM\ControlSet001\Services\
   %已执行文件的名称,不含扩展名%\Security]
   • ""=""
   • "Security"="hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
   • ,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,\
   • ,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,\
   • ,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,\
   • ,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,\
   • ,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
   • ,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,\
   • ,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,\
   • ,00,00,05,12,00,00,00"

– [HKLM\SYSTEM\ControlSet001\Services\
   %已执行文件的名称,不含扩展名%]
   • "Start"="dword:0x00000003"
   • "Type"="dword:0x00000001"

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %已执行文件的名称,不含扩展名%]
   • ""=""
   • "DisplayName"="%已执行文件的名称,不含扩展名%"

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %已执行文件的名称,不含扩展名%\Enum]
   • ""=""
   • "Count"="dword:0x00000000"
   • "INITSTARTFAILED"="dword:0x00000001"
   • "NextInstance"="dword:0x00000000"

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %已执行文件的名称,不含扩展名%]
   • "ErrorControl"="dword:0x00000001"
   • "ImagePath"="\??\%目录名称%\%执行的文件%"

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %已执行文件的名称,不含扩展名%\Security]
   • ""=""
   • "Security"="hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
   • ,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,\
   • ,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,\
   • ,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,\
   • ,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,\
   • ,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
   • ,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,\
   • ,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,\
   • ,00,00,05,12,00,00,00"

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %已执行文件的名称,不含扩展名%]
   • "Start"="dword:0x00000003"
   • "Type"="dword:0x00000001"

 文件详细信息 编程语言:
该恶意软件程序是用 MS Visual C++ 编写的。

Beschrijving ingevoegd door Martin Muench op zaterdag 14 juli 2012
Beschrijving bijgewerkt door Martin Muench op zaterdag 14 juli 2012

Terug . . . .
https:// Dit venster is voor uw veiligheid gecodeerd.