Name: BDS/VB.avf
Discovered on: 29/08/2006
Type: Backdoor Server
In the wild (ITW): No
Number of reported infections: Low
Spreading potential: Low
Damage potential: Medium
Static file: Yes
Size: 48,188 bytes
MD5: eecffebb81611d60d3c82748ac84433a
VDF version: 6.35.00.107
IVDF version: 6.35.00.133 - Friday, 7 July 2006
General
Method of spreading:
• No spreading routine of its own

Aliases:
• Symantec: Infostealer.Lemir
• Kaspersky: Backdoor.Win32.VB.avf
• TrendMicro: BKDR_VB.SE
• VirusBuster: Backdoor.VB.WOM
• Bitdefender: Backdoor.VB.ARA

Operating systems:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Creates files
• Modifies the registry
• Steals information
• Allows unauthorized access to the computer

Files
It copies itself to the following locations:
• %WINDIR%\SMSS.EXE
• %SYSDIR%\rundll32.com
• %SYSDIR%\finder.com
• %SYSDIR%\MSCONFIG.COM
• %SYSDIR%\dxdiag.com
• %SYSDIR%\regedit.com
• %WINDIR%\finder.com
• %WINDIR%\explorer.com
• %WINDIR%\1.com
• %WINDIR%\ExERoute.exe
• %PROGRAM FILES%\Internet Explorer\iexplore.com
• %SYSDIR%\command.pif
• %PROGRAM FILES%\Common Files\iexplore.pif
• D:\pagefile.pif

The following files are created:
– %WINDIR%\BOOT.BIN.BAK
– D:\autorun.inf

System registry
The following registry key is added so that the process runs again after a system restart:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "TProgram"="%WINDIR%\SMSS.EXE"

The following keys are added to the system registry (a new "winfiles" file class whose open handler is the dropped ExERoute.exe, which the hijacked .exe association below points to):
– [HKCR\winfiles\DefaultIcon]
• "(Default)"="%1"
– [HKCR\winfiles\Shell\Open\Command]
• "(Default)"="%WINDIR%\ExERoute.exe "%1" %*"

The following registry keys are modified (standard shell handlers are redirected from rundll32.exe, explorer.exe and iexplore.exe to the dropped .com and .pif copies):
– [HKCR\.lnk\ShellNew]
New value:
• "command"="rundll32.com appwiz.cpl,NewLinkHere %1"
– [HKCU\Software\Microsoft\Internet Explorer\Main]
New value:
• "Check_Associations"="No"
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
New value:
• "Shell"="Explorer.exe 1"
– [HKCR\.bfc\ShellNew]
New value:
• "command"="%SystemRoot%\system32\rundll32.com %SystemRoot%\system32\syncui.dll,Briefcase_Create %2!d! %1"
– [HKCR\cplfile\shell\cplopen\command]
New value:
• "(Default)"="rundll32.com shell32.dll,Control_RunDLL %1,%*"
– [HKCR\dunfile\shell\open\command]
New value:
• "(Default)"="%SystemRoot%\system32\rundll32.com NETSHELL.DLL,InvokeDunFile %1"
– [HKCR\htmlfile\shell\Print\command]
New value:
• "(Default)"=""%PROGRAM FILES%\Microsoft Office\Office10\msohtmed.exe" /p %1"
– [HKCR\inffile\shell\Install\command]
New value:
• "(Default)"="%SystemRoot%\System32\rundll32.com setupapi,InstallHinfSection DefaultInstall 132 %1"
– [HKCR\InternetShortcut\shell\open\command]
New value:
• "(Default)"="finder.com shdocvw.dll,OpenURL %l"
– [HKCR\scrfile\shell\install\command]
New value:
• "(Default)"="finder.com desk.cpl,InstallScreenSaver %l"
– [HKCR\scriptletfile\Shell\Generate Typelib\command]
New value:
• "(Default)"=""%SYSDIR%\finder.com" %WINDIR%\System32\scrobj.dll,GenerateTypeLib "%1""
– [HKCR\telnet\shell\open\command]
New value:
• "(Default)"="finder.com url.dll,TelnetProtocolHandler %l"
– [HKCR\Unknown\shell\openas\command]
New value:
• "(Default)"="%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
– [HKCR\htmlfile\shell\open\command]
New value:
• "(Default)"=""%PROGRAM FILES%\Internet Explorer\iexplore.com" -nohome"
– [HKCR\Applications\iexplore.exe\shell\open\command]
New value:
• "(Default)"=""%PROGRAM FILES%\Internet Explorer\iexplore.com" %1"
– [HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
New value:
• "(Default)"=""%PROGRAM FILES%\Internet Explorer\iexplore.com""
– [HKCR\ftp\shell\open\command]
New value:
• "(Default)"=""%PROGRAM FILES%\Internet Explorer\iexplore.com" %1"
– [HKCR\htmlfile\shell\opennew\command]
New value:
• "(Default)"=""%PROGRAM FILES%\Common Files\iexplore.pif" %1"
– [HKCR\http\shell\open\command]
New value:
• "(Default)"=""%PROGRAM FILES%\Common Files\iexplore.pif" -nohome"
– [HKCR\Drive\shell\find\command]
New value:
• "(Default)"="%SystemRoot%\explorer.com"
– [HKCR\.exe]
New value:
• "(Default)"="winfiles"

Process termination
List of terminated processes (names containing a random character combination are written as %random characters%):
• CCENTER%random characters%
• ASSISTSE%random characters%
• KPFW%random characters%
• AGENTSVR%random characters%
• KV%random characters%
• KREG%random characters%
• IEFIND%random characters%
• IPARMOR%random characters%
• SVI.EXE
• UPHC%random characters%
• RULEWIZE%random characters%
• FYGT%random characters%
• RFWSRV%random characters%
• RFWMA%random characters%

File details
Programming language: Visual Basic.
File compression: a runtime packer is used to hinder detection and reduce the file size.
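The registry changes listed above amount to three persistence and hijack patterns: the ".exe" class is repointed to a new "winfiles" handler, the Winlogon "Shell" value gets an extra argument, and standard shell handlers are redirected to ".com"/".pif" copies of system tools. The following added example (written for this page, not code from Avira or from the sample's author) shows how a defender can check an exported .reg file for those patterns. It assumes the input is in standard "Windows Registry Editor" export syntax; the sample registry text, the rule names and all function names are constructed for illustration and use the page's own %WINDIR%/%PROGRAM FILES% placeholders in place of real paths.

```python
import re

# Constructed sample: a .reg export carrying the indicators from the description
# above plus one clean handler (txtfile), using the page's path placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="winfiles"

[HKEY_CLASSES_ROOT\winfiles\Shell\Open\Command]
@="%WINDIR%\\ExERoute.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TProgram"="%WINDIR%\\SMSS.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe 1"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"%PROGRAM FILES%\\Internet Explorer\\iexplore.com\" -nohome"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
"""


def unescape_reg_string(s):
    """Undo .reg string escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return a list of (key, value_name, data) tuples; '@' becomes '(Default)'."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else unescape_reg_string(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = unescape_reg_string(data[1:-1])  # REG_SZ; other types stay raw
        entries.append((key, name, data))
    return entries


def program_of(command):
    """Extract the program path from a shell command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def scan_entries(entries):
    """Apply the hijack rules derived from the description; return (rule, key, data)."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        # 1. ".exe" must map to the built-in "exefile" class.
        if k.endswith("\\.exe") and name == "(Default)" and data.lower() != "exefile":
            findings.append(("exe-association-hijacked", key, data))
        # 2. Winlogon Shell should be exactly Explorer.exe, with no extra arguments.
        if k.endswith("\\winlogon") and name.lower() == "shell" and data.strip().lower() != "explorer.exe":
            findings.append(("winlogon-shell-tampered", key, data))
        # 3. Shell handlers pointing at .com/.pif programs (rundll32.com, finder.com, ...).
        is_handler = ("\\shell\\" in k and k.endswith("\\command")) or \
                     (k.endswith("\\shellnew") and name.lower() == "command")
        if is_handler and program_of(data).lower().endswith((".com", ".pif")):
            findings.append(("handler-redirected-to-com-or-pif", key, data))
        # 4. Run entries using a system process name (smss.exe) outside system32.
        if k.endswith("\\currentversion\\run"):
            prog = program_of(data).replace("/", "\\")
            base = prog.rsplit("\\", 1)[-1].lower()
            parent = prog.rsplit("\\", 1)[0].lower() if "\\" in prog else ""
            if base == "smss.exe" and not parent.endswith("system32"):
                findings.append(("system-process-name-outside-system32", key, data))
    return findings


def scan_reg_text(text):
    return scan_entries(parse_reg_export(text))


if __name__ == "__main__":
    for rule, key, data in scan_reg_text(SAMPLE_REG):
        print(f"{rule}: [{key}] -> {data}")
```

The rules deliberately test the shape of the value rather than the exact strings from this sample (any non-"exefile" .exe class, any extra Winlogon argument, any .com/.pif handler), so the same scan flags other families that reuse the association-hijack trick; run it against an export produced with "reg export HKCR" or the full hives on a system suspected of infection.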
Description submitted by Monica Ghitun on Tuesday, 29 August 2006.
Description updated by Monica Ghitun on Friday, 24 November 2006.