Virus TR/Autorun.27648

Date discovered: 19/05/2008
Type: Trojan
In The Wild: Yes
Damage level: Low
Distribution level: Low to medium
Risk level: Medium
Static file: Yes
Size: 27648 bytes
MD5 checksum: 25df082e988842e1604b5a893572a083
IVDF version: 7.00.04.62 - Monday, 19 May 2008

General

Means of transmission:
• Network drive

Aliases:
• McAfee: W32/Autorun.worm.f
• Kaspersky: Worm.Win32.AutoRun.cpi
• F-Secure: Worm.Win32.AutoRun.cpi
• Sophos: W32/Autorun-BC
• Grisoft: Worm/Generic.FNV
• Eset: Win32/AutoRun.GR
• Bitdefender: Worm.Autorun.Delf.H

Operating systems:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Disables security applications
• Downloads files
• Lowers security settings
• Modifies the Windows registry

Files

Copies itself to the following locations:
• %WINDIR%\system.exe
• %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Explorer.exe
• %drive%\auto.exe

The following files are created:
– %drive%\autorun.inf
  A non-malicious text file with the following content:
  • %code that runs the malware%

Tries to download some files:
– From the following locations:
  • http://72.232.108.82/~grimsby/**********/button1.jpg
  • http://72.232.108.82/~grimsby/**********/button1.pdf
  • http://72.232.108.82/~grimsby/**********/button1.png
  • http://72.232.141.84/~cgitnet/**********/ChangeLog.pdf
  • http://72.232.141.84/~cgitnet/**********/ChangeLog.png
  • http://72.232.141.84/~cgitnet/**********/ChangeLog.txt
  • http://72.232.208.150/~aryacdc/**********/toc.gif
  • http://72.232.208.150/~aryacdc/**********/toc.pdf
  • http://72.232.208.150/~aryacdc/**********/toc.png
  • http://206.221.179.205/~ampedmed/Forums/**********/xand/upgrade.pdf
  • http://206.221.179.205/~ampedmed/Forums/**********/xand/upgrade.png
  • http://206.221.179.205/~ampedmed/Forums/**********/xand/upgrade.tpl
  • http://216.246.30.66/~mkshost/forums/**********/subSilver/upgrade.pdf
  • http://216.246.30.66/~mkshost/forums/**********/subSilver/upgrade.png
  • http://216.246.30.66/~mkshost/forums/**********/subSilver/upgrade.tpl
  Still under investigation.

Tries to execute the following file:
– Executes one of the following files:
  • %PROGRAM FILES%\Internet Explorer\iexplore.exe
  with one of the following parameters:
  • http://70.86.197.82/~ohnishi/**********/test2.htm

Registry

The following registry keys, including all their values, are deleted:
• [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]

The following registry keys are added, each with the value
• Debugger = system.exe
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%filename%]
  where %filename% is one of:
  • Bkav2006.exe; IEProt.exe; bdss.exe; vsserv.exe; bdagent.exe; xcommsvr.exe; livesrv.exe; worm2007.exe; PFW.exe; Kav.exe; KVOL.exe; KVFW.exe; TBMon.exe; kav32.exe; kvwsc.exe; CCAPP.exe; EGHOST.exe; KRegEx.exe; kavsvc.exe; VPTray.exe; RAVMON.exe; KavPFW.exe; SHSTAT.exe; RavTask.exe; TrojDie.kxp.exe; Iparmor.exe; MAILMON.exe; MCAGENT.exe; KAVPLUS.exe; RavMonD.exe; Rtvscan.exe; Nvsvc32.exe; KVMonXP.exe; Kvsrvxp.exe; CCenter.exe; KpopMon.exe; RfwMain.exe; KWATCHUI.exe; MCVSESCN.exe; MSKAGENT.exe; kvolself.exe; KVCenter.kxp.exe; kavstart.exe; RAVTIMER.exe; RRfwMain.exe; FireTray.exe; UpdaterUI.exe; KVSrvXp_1.exe; RavService.exe; icesword.exe; cmd.exe; far.exe

The following registry keys are modified:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  Old value:
  • Shell = Explorer.exe
  • Userinit = %SYSDIR%\userinit.exe
  New value:
  • Shell = Explorer.exe, System
  • Userinit = %SYSDIR%\userinit.exe, System
– [HKCU\Software\Yahoo\pager\View\YMSGR_buzz]
  New value:
  • content url = http://clickmanu.com
– [HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast]
  New value:
  • content url = http://clickmanu.com

Disables Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  New value:
  • DisableTaskMgr = 1
  • DisableRegistryTools = 1
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  New value:
  • DisableTaskMgr = 1
  • DisableRegistryTools = 1

Internet Explorer home page:
– [HKCU\Software\Microsoft\Internet Explorer\Main]
  Old value:
  • Start Page = %user settings%
  New value:
  • Start Page = http://clickmanu.com

Further modified keys:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  New value:
  • NoDriveTypeAutoRun = dword:00000091
  • NoRun = 1
  • NoFolderOptions = 1
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  New value:
  • Hidden = 2
  • ShowSuperHidden = 0
  • HideFileExt = 1
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
  New value:
  • CheckedValue = 0
– [HKCU\Software\Microsoft\Command Processor]
  New value:
  • EnableExtensions = 0
– [HKCU\Software\Microsoft\Internet Explorer\New Windows]
  New value:
  • PopupMgr = 0

Process termination

Terminates running processes whose file name contains one of the following strings:
• Bkav2006.exe; IEProt.exe; bdss.exe; vsserv.exe; bdagent.exe; xcommsvr.exe; livesrv.exe; worm2007.exe; PFW.exe; Kav.exe; KVOL.exe; KVFW.exe; TBMon.exe; kav32.exe; kvwsc.exe; CCAPP.exe; EGHOST.exe; KRegEx.exe; kavsvc.exe; VPTray.exe; RAVMON.exe; KavPFW.exe; SHSTAT.exe; RavTask.exe; TrojDie.kxp.exe; Iparmor.exe; MAILMON.exe; MCAGENT.exe; KAVPLUS.exe; RavMonD.exe; Rtvscan.exe; Nvsvc32.exe; KVMonXP.exe; Kvsrvxp.exe; CCenter.exe; KpopMon.exe; RfwMain.exe; KWATCHUI.exe; MCVSESCN.exe; MSKAGENT.exe; kvolself.exe; KVCenter.kxp.exe; kavstart.exe; RAVTIMER.exe; RRfwMain.exe; FireTray.exe; UpdaterUI.exe; KVSrvXp_1.exe; RavService.exe; icesword.exe; cmd.exe; far.exe

List of disabled services:
• sharedaccess; RsCCenter; RsRavMon; KVWSC; KVSrvXP; McAfeeFramework; McShield; McTaskManager; navapsvc; wscsvc; KPfwSvc; SNDSrvc; ccProxy; ccEvtMgr; ccSetMgr; SPBBCSvc; Symantec Core LC; NPFMntor; MskService; FireSvc

File details

Programming language:
The malware program is written in Delphi.

Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
• UPX
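The registry changes listed above are what the "disables security applications" and "lowers security settings" side effects consist of in practice: a Debugger value under Image File Execution Options makes Windows start the named program instead of the executable the key is named after, so every listed security tool ends up launching system.exe; the extra ", System" entries appended to the Winlogon Shell and Userinit values are started at each logon; and the Policies\System values take Task Manager and Regedit away from the user. The script below is an added example, not part of Avira's description or tooling. It parses a Windows .reg export (the sample export embedded in it is constructed for the example) and flags those indicator classes, plus a NoDriveTypeAutoRun mask that, like the dword:00000091 value listed above, still leaves autorun enabled for removable and CD-ROM drives (bits 0x04 and 0x20 clear). The function names and sample data are the example's own.

```python
"""Audit a Windows .reg export for the registry indicators listed in the
TR/Autorun.27648 description: IFEO "Debugger" hijacks, Winlogon Shell/Userinit
tampering, policies that disable Task Manager/Regedit, and a NoDriveTypeAutoRun
mask that still permits autorun on removable and CD-ROM drives.

Added example, not Avira's code. SAMPLE_REG below is a constructed export."""
import re
from typing import Dict, List, Tuple

# Constructed .reg export of a machine modified the way the description says.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
"Debugger"="system.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, System"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe, System"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Key-path fragments we care about (compared case-insensitively).
IFEO = '\\image file execution options\\'
WINLOGON = 'software\\microsoft\\windows nt\\currentversion\\winlogon'
POLICY_SYSTEM = '\\policies\\system'
POLICY_EXPLORER = '\\policies\\explorer'
# NoDriveTypeAutoRun bits that must be SET to disable autorun on removable
# (0x04) and CD-ROM (0x20) drives; 0x91 leaves both clear.
AUTORUN_REMOVABLE_OR_CDROM = 0x04 | 0x20


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key_path: {value_name: data}}.
    Strings are unescaped, dword values become ints, other types stay raw."""
    registry: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            registry.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.startswith('@='):          # default value
            name, data = '', line[2:]
        else:
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            registry[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith('dword:'):
            registry[current][name] = int(data[6:], 16)
        else:
            registry[current][name] = data
    return registry


def audit(registry: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (finding_kind, detail) pairs for each suspicious key/value."""
    findings: List[Tuple[str, str]] = []
    for key, values in registry.items():
        k = key.lower()
        # Any Debugger value under IFEO redirects the target to another program.
        if IFEO in k and 'Debugger' in values:
            findings.append(('ifeo_debugger', f'{key} -> {values["Debugger"]}'))
        if k.endswith(WINLOGON):
            shell = [p.strip().lower() for p in str(values.get('Shell', 'explorer.exe')).split(',')]
            if shell != ['explorer.exe']:
                findings.append(('winlogon_shell', str(values['Shell'])))
            userinit = [p.strip() for p in str(values.get('Userinit', '')).split(',') if p.strip()]
            if len(userinit) > 1 or (userinit and not userinit[0].lower().endswith('userinit.exe')):
                findings.append(('winlogon_userinit', str(values['Userinit'])))
        if k.endswith(POLICY_SYSTEM):
            for name in ('DisableTaskMgr', 'DisableRegistryTools'):
                if values.get(name) == 1:
                    findings.append(('policy_disables_tool', f'{key}\\{name}'))
        if k.endswith(POLICY_EXPLORER):
            flags = values.get('NoDriveTypeAutoRun')
            if isinstance(flags, int) and (flags & AUTORUN_REMOVABLE_OR_CDROM) != AUTORUN_REMOVABLE_OR_CDROM:
                findings.append(('autorun_still_enabled', f'NoDriveTypeAutoRun=0x{flags:02x}'))
    return findings


if __name__ == '__main__':
    for kind, detail in audit(parse_reg(SAMPLE_REG)):
        print(f'{kind:22} {detail}')
```

Run it against `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion out.reg` style exports of the keys named in the description; a genuine debugging setup can legitimately carry an IFEO Debugger value, so each `ifeo_debugger` finding is something to confirm rather than an automatic verdict, while a Debugger value pointing at a bare file name such as system.exe on a machine with no developer tooling is the pattern described here.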
Description submitted by Andrei Gherman on Friday, 13 June 2008
Description updated by Andrei Gherman on Friday, 13 June 2008