Virus: TR/Rogue.KD.744776
Date discovered: 13/12/2012
Type: Trojan
In the wild:
Reported infections: Low
Distribution potential: Low to medium
Damage potential: Medium
File size: 966,656 bytes
MD5 checksum: 9f7e870865b7dfb2219a0f547389b742
VDF version: 7.11.53.216 - Thursday, 13 December 2012
IVDF version: 7.11.53.216 - Thursday, 13 December 2012

General description
Method of propagation:
   • Autorun feature
   • Local network
   • Messenger


Aliases:
   •  Kaspersky: Worm.Win32.Ngrbot.mbn
   •  Bitdefender: Trojan.Generic.KD.744776
   •  Grisoft: BackDoor.Agent.ASAY
   •  Eset: Win32/Dorkbot.B worm
   •  GData: Trojan.Generic.KD.744776
   •  Norman: Trojan W32/Troj_Generic.EMNWO


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Modifies system settings, enabling or extending potential malicious behaviour
   • Registry modification

Files
It copies itself to the following location:
   • %appdata%\%six-character random string%.exe

Registry
The following registry value is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Bwzizj"="%appdata%\%six-character random string%.exe"
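The persistence artefacts above (a six-character random .exe directly under %appdata%, launched from the HKCU Run key) translate into a straightforward triage check. The Python below is an added example and not Avira's or the malware's code: it flags Run values whose command line is a six-character executable sitting directly in the Roaming profile directory, and compares a file's size and MD5 against the indicators at the top of the page. On Windows it reads the live Run key through winreg; elsewhere it runs over a constructed sample list. The check keys on the path rather than on the value name, because nothing on the page says that "Bwzizj" is fixed across samples. The sample entries are mine.

```python
import hashlib
import os
import re
import sys

# Indicators taken from the description above
IOC_MD5 = "9f7e870865b7dfb2219a0f547389b742"
IOC_SIZE = 966656

# Dropped copy: %appdata%\<six random characters>.exe. Run values usually hold
# the expanded path, so accept the literal placeholder as well as the expanded
# Roaming profile directory (Vista and later) and "Application Data" (XP/2003).
DROP_RE = re.compile(
    r'^"?(?:%appdata%|.*\\(?:AppData\\Roaming|Application Data))\\([a-z0-9]{6})\.exe"?$',
    re.IGNORECASE,
)


def suspicious_run_values(entries):
    """Return the (name, data) pairs whose command line matches the drop pattern.

    `entries` is an iterable of (value_name, value_data) tuples as found under
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    """
    return [(name, data) for name, data in entries if DROP_RE.match(data.strip())]


def read_hkcu_run():
    """Enumerate the current user's Run key on Windows; empty list elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows

    entries = []
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    try:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            entries.append((name, str(data)))
            i += 1
    finally:
        winreg.CloseKey(key)
    return entries


def md5_of(path):
    """Hex MD5 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_ioc(path):
    """True only if the file has exactly the size and MD5 listed on this page."""
    if os.path.getsize(path) != IOC_SIZE:
        return False
    return md5_of(path) == IOC_MD5


# Constructed sample (not a real registry dump): three legitimate-looking
# entries and two that fit the drop pattern.
SAMPLE_RUN = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Bwzizj", r"C:\Users\alice\AppData\Roaming\Bwzizj.exe"),
    ("Sidebar", r"C:\Program Files\Windows Sidebar\sidebar.exe /autoRun"),
    ("Updater", r"%appdata%\qx7k2m.exe"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]

if __name__ == "__main__":
    entries = read_hkcu_run() or SAMPLE_RUN
    for name, data in suspicious_run_values(entries):
        print(f"suspicious Run value {name!r} -> {data}")
        target = os.path.expandvars(data.strip('"'))
        if os.path.isfile(target):
            print("   matches page IOC:", matches_ioc(target))
```

A hit on the path pattern alone is a lead, not a verdict: some legitimate installers also drop short-named executables in the Roaming profile, so confirm with the hash or by examining the binary before cleaning.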



The following per-user Explorer file-association keys (FileExts\<ext>\OpenWithProgids) are added; these only record which ProgIDs Explorer offers for an extension and do not load anything at boot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .aif\OpenWithProgids]
   • "AIFFFile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .aifc\OpenWithProgids]
   • "AIFFFile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .aiff\OpenWithProgids]
   • "AIFFFile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .asf\OpenWithProgids]
   • "ASFFile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .asx\OpenWithProgids]
   • "ASXFile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .au\OpenWithProgids]
   • "AUFile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .avi\OpenWithProgids]
   • "avifile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .bmp\OpenWithProgids]
   • "Paint.Picture"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .css\OpenWithProgids]
   • "CSSfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .dib\OpenWithProgids]
   • "Paint.Picture"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .doc\OpenWithProgids]
   • "WordPad.Document.1"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .dvr-ms\OpenWithProgids]
   • "WMP.DVR-MSFile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .emf\OpenWithProgids]
   • "emffile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .gif\OpenWithProgids]
   • "giffile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .htm\OpenWithProgids]
   • "htmlfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .html\OpenWithProgids]
   • "htmlfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .ico\OpenWithProgids]
   • "icofile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .IVF\OpenWithProgids]
   • "IVFFile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .jfif\OpenWithProgids]
   • "pjpegfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .jpe\OpenWithProgids]
   • "jpegfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .jpeg\OpenWithProgids]
   • "jpegfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .jpg\OpenWithProgids]
   • "jpegfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .m1v\OpenWithProgids]
   • "mpegfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .m3u\OpenWithProgids]
   • "m3ufile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mid\OpenWithProgids]
   • "midfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .midi\OpenWithProgids]
   • "midfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mp2\OpenWithProgids]
   • "mpegfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mp2v\OpenWithProgids]
   • "mpegfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mp3\OpenWithProgids]
   • "mp3file"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mpa\OpenWithProgids]
   • "mpegfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mpe\OpenWithProgids]
   • "mpegfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mpeg\OpenWithProgids]
   • "mpegfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mpg\OpenWithProgids]
   • "mpegfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mpv2\OpenWithProgids]
   • "mpegfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .png\OpenWithProgids]
   • "pngfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .rmi\OpenWithProgids]
   • "midfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .rtf\OpenWithProgids]
   • "rtffile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .snd\OpenWithProgids]
   • "AUFile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .tif\OpenWithProgids]
   • "TIFImage.Document"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .tiff\OpenWithProgids]
   • "TIFImage.Document"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .txt\OpenWithProgids]
   • "txtfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wav\OpenWithProgids]
   • "soundrec"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wax\OpenWithProgids]
   • "WAXFile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wm\OpenWithProgids]
   • "ASFFile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wma\OpenWithProgids]
   • "WMAFile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wmf\OpenWithProgids]
   • "wmffile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wmv\OpenWithProgids]
   • "WMVFile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wmx\OpenWithProgids]
   • "ASXFile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wpl\OpenWithProgids]
   • "WPLFile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wri\OpenWithProgids]
   • "wrifile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wvx\OpenWithProgids]
   • "WVXFile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .xml\OpenWithProgids]
   • "xmlfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .xsl\OpenWithProgids]
   • "xslfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .zip\OpenWithProgids]
   • "CompressedFolder"=hex:



The following registry values are added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .eml\OpenWithProgids]
   • "Microsoft Internet Mail Message"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mht\OpenWithProgids]
   • "mhtmlfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .mhtml\OpenWithProgids]
   • "mhtmlfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .nws\OpenWithProgids]
   • "Microsoft Internet News Message"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .URL\OpenWithProgids]
   • "InternetShortcut"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wdp\OpenWithProgids]
   • "wdpfile"=hex:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
   .wmp\OpenWithProgids]
   • "WMPFile"=hex:

Miscellaneous
Internet connection:
In order to check its internet connection, the following host name is resolved (partially masked):
   • sp.3**********.kz


Hooks
It hooks the following API functions:
   • ReadProcessMemory
   • WriteProcessMemory
   • CreateRemoteThread
   • InternetReadFile
   • URLDownloadToFile
   • InternetOpenUrl
   • InternetOpen
   • CreateFile
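One way to check a running 32-bit process for the kind of hooks listed above is to read the first bytes of each export and look for a redirect (jmp rel32, jmp [addr], push/ret, or the short backward jmp used by hot-patching) where the compiler's prologue should be. The Python below is an added example, not Avira's or the malware's code. On Windows it uses ctypes to read each function entry in the current process; elsewhere it classifies constructed byte samples. Probing the A/W suffixed exports for the bare names the page lists, and the sample bytes, are my assumptions.

```python
import ctypes
import sys

# API functions the description lists as hooked. Real exports carry A/W
# suffixes, so both variants are probed when the bare name is not exported.
HOOKED_APIS = {
    "kernel32": ["ReadProcessMemory", "WriteProcessMemory", "CreateRemoteThread", "CreateFile"],
    "wininet": ["InternetReadFile", "InternetOpenUrl", "InternetOpen"],
    "urlmon": ["URLDownloadToFile"],
}


def classify_prologue(code):
    """Classify the first bytes of a function body.

    Returns a label for a recognised inline-hook redirect, or 'clean' for
    anything else (for example the x86 hot-patch prologue mov edi,edi /
    push ebp / mov ebp,esp that these exports normally start with).
    """
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        return "jmp-rel32"
    if len(code) >= 6 and code[:2] == b"\xff\x25":              # jmp [addr]
        return "jmp-indirect"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push addr; ret
        return "push-ret"
    if len(code) >= 5 and code[0] == 0xE8:                      # call rel32 at entry
        return "call-rel32"
    if len(code) >= 2 and code[:2] == b"\xeb\xf9":              # jmp short -5 into the hot-patch pad
        return "short-jmp-hotpatch"
    return "clean"


def read_entry_bytes(module, func, n=8):
    """First n bytes of an exported function in this process (Windows only)."""
    if sys.platform != "win32":
        return None
    dll = ctypes.WinDLL(module)
    for candidate in (func, func + "W", func + "A"):
        try:
            fn = getattr(dll, candidate)
        except AttributeError:
            continue
        addr = ctypes.cast(fn, ctypes.c_void_p).value
        return ctypes.string_at(addr, n)
    return None


def scan_hooks(reader=read_entry_bytes):
    """Return {(module, func): classification} for every export the reader can see."""
    results = {}
    for module, funcs in HOOKED_APIS.items():
        for func in funcs:
            code = reader(module, func)
            if code is not None:
                results[(module, func)] = classify_prologue(code)
    return results


# Constructed samples (assumed, not captured from the malware): an untouched
# x86 prologue, and the same entry overwritten with a 5-byte jmp whose target
# address is arbitrary here.
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec83ec10")
JMP_HOOKED = bytes.fromhex("e91a2b3c4d8bec83")

if __name__ == "__main__":
    live = scan_hooks()
    if not live:
        print("not on Windows; classifying the constructed samples instead")
        print("clean sample  ->", classify_prologue(CLEAN_PROLOGUE))
        print("hooked sample ->", classify_prologue(JMP_HOOKED))
    for (mod, fn), verdict in live.items():
        flag = "" if verdict == "clean" else "  <-- inline hook"
        print(f"{mod}!{fn}: {verdict}{flag}")
```

Treat a redirect as a lead rather than proof: anti-virus, EDR agents and application-compatibility shims patch the same exports legitimately, so compare the jump target against the loaded module list before concluding it belongs to the bot. The prologue heuristics are for 32-bit code; x64 exports start differently and an injected 64-bit process needs a separate check.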


Strings
Furthermore it contains the following strings:
   • AV_sites
   • Money_sites
   • Socialnetworks
   • Starting flood
   • IRC Command
   • login
   • password
   • banking
   • pin
   • money
   • account
   • login.yahoo.*/*login*
   • facebook.*/login.php*
   • runescape*/*weblogin*
   • mediafire.com/*login*
   • freakshare.com/login*
   • uploading.com/*login*
   • filesonic.com/*login*
   • namecheap.com/*login*
   • vkontakte.ru/api.php
   • friendster.*/rpc.php
   • steampowered*/login*
   • megaupload.*/*login*
   • sendspace.com/login*
   • TextfieldPassword=*
   • fileserv.com/login*
   • loginUserPassword=*
   • uploaded.to/*login*
   • alertpay.com/login*
   • moniker.com/*Login*
   • dotster.com/*login*
   • Friendster Message
   • signin.ebay*SignIn
   • 4shared.com/login*
   • hotfile.com/login*
   • netflix.com/*ogin*
   • godaddy.com/login*
   • HTTP Traffic]: %s
   • USB]: Infected %s
   • aol.*/*login.psp*
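The list mixes form-field filters (login, password, TextfieldPassword=*) with host/path patterns for sites whose credentials the bot collects. Assuming, as the layout suggests, that `*` stands for any run of characters, the same patterns can be reused defensively to find which clients' browsing hit the bot's targets. The Python below is an added example, not from the page or the malware: it compiles the URL patterns to case-insensitive regular expressions and runs them over a constructed proxy log; the log format and entries are mine, and the form-field strings are left out because they apply to request bodies, not URLs.

```python
import re

# URL-match strings copied from the list above. Treating '*' as "any run of
# characters" is an assumption about how the bot applies them.
TARGET_PATTERNS = [
    "login.yahoo.*/*login*", "facebook.*/login.php*", "runescape*/*weblogin*",
    "mediafire.com/*login*", "freakshare.com/login*", "uploading.com/*login*",
    "filesonic.com/*login*", "namecheap.com/*login*", "vkontakte.ru/api.php",
    "friendster.*/rpc.php", "steampowered*/login*", "megaupload.*/*login*",
    "sendspace.com/login*", "fileserv.com/login*", "uploaded.to/*login*",
    "alertpay.com/login*", "moniker.com/*Login*", "dotster.com/*login*",
    "signin.ebay*SignIn", "4shared.com/login*", "hotfile.com/login*",
    "netflix.com/*ogin*", "godaddy.com/login*", "aol.*/*login.psp*",
]

SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def pattern_to_regex(pattern):
    """'facebook.*/login.php*' -> facebook\\..*/login\\.php.*  (case-insensitive)."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")),
                      re.IGNORECASE)


COMPILED = [(p, pattern_to_regex(p)) for p in TARGET_PATTERNS]


def matching_targets(url):
    """Patterns that fire on this URL (scheme dropped, searched anywhere in host+path)."""
    host_path = SCHEME_RE.sub("", url)
    return [p for p, rx in COMPILED if rx.search(host_path)]


def scan_proxy_log(lines):
    """Return (client, url, patterns) for each log line whose URL hits a target.

    Line layout assumed here (constructed, not a real proxy format):
        <timestamp> <client-ip> <method> <url>
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        found = matching_targets(url)
        if found:
            hits.append((client, url, found))
    return hits


# Constructed proxy log: two benign requests and three that hit the bot's list.
SAMPLE_LOG = [
    "2012-12-13T10:01:02Z 10.0.0.7  GET  https://www.facebook.com/home.php",
    "2012-12-13T10:01:09Z 10.0.0.7  POST https://www.facebook.com/login.php?login_attempt=1",
    "2012-12-13T10:02:41Z 10.0.0.9  GET  https://login.yahoo.com/config/login?.src=fpctx",
    "2012-12-13T10:03:05Z 10.0.0.9  GET  https://www.example.com/login",
    "2012-12-13T10:04:17Z 10.0.0.12 POST https://signin.ebay.com/ws/eBayISAPI.dll?SignIn",
]

if __name__ == "__main__":
    for client, url, found in scan_proxy_log(SAMPLE_LOG):
        print(client, url, "->", ", ".join(found))
```

Matching a target URL only tells you that a user logged in to one of these sites, which is normal traffic; the value is in joining hits against hosts that also show the Run-key or hook artefacts above, so that the credentials used from those hosts can be reset.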

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Wensin Lee on Wednesday, 3 October 2012
Description updated by Wensin Lee on Wednesday, 3 October 2012
