Virus: TR/Joleee.53248
Date discovered: 03/11/2009
Type: Trojan
In The Wild: Yes
Damage potential: Low to medium
Spreading potential: Low
Risk level: Low to medium
Static file: Yes
File size: 53,248 bytes
MD5 checksum: 5210d61c407275a8a2fe9c991a7844e9
IVDF version: 7.01.06.185 - Tuesday, 3 November 2009
Alias:
• Mcafee: W32/IRCbot.gen
• Sophos: Mal/Generic-A
• Panda: W32/Joleee.J.worm
• Eset: Win32/IRCBot
• Bitdefender: Trojan.Generic.1646652

Operating systems:
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads malicious files
• Modifies the Windows registry

Files
It copies itself to the following location:
• %SYSDIR%\adsldpcm.exe

It deletes the initially executed copy of itself.

The following file is created:
– %SYSDIR%\1962655114.dat

It tries to execute the following files:
– Executes one of the following files:
• %SYSDIR%\adsldpcm.exe;240;%malware execution directory%\%executed file%
– Executes one of the following files:
• svchost.exe "%SYSDIR%\adsldpcm.exe"

Registry
The following registry keys are added. Under
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
a subkey is created for each of the executables listed below, each holding the value
• "Debugger"="ntsd -d"
(the IFEO Debugger value makes Windows launch the named program under the listed debugger, so the security tool never runs normally):
• Navapw32.exe
• NAVWNT.EXE
• avgnt.exe
• guardgui.exe
• outpost.exe
• Navapsvc.exe
• Zanda.exe
• KASMain.exe
• bdagent.exe
• KASTask.exe
• caavguiscan.exe
• DRWEB32.EXE
• FPWin.exe
• guardxservice.exe
• zapro.exe
• ashDisp.exe
• preupd.exe
• scan32.exe
• FPAVServer.exe
• avp.exe
• avcenter.exe
• fpscan.exe
• casecuritycenter.exe
• FAMEH32.EXE
• KAV32.exe
• avz4.exe
• KAVPF.exe
• bdinit.exe
• arcavir.exe
• HijackThis.exe
• filemon.exe
• regedit.exe
• OllyDBG.EXE
• cmdagent.exe
• ekrn.exe
• SfFnUp.exe
• NAVW32.EXE
• avadmin.exe
• ashUpd.exe
• autoruns.exe
• ashEnhcd.exe
• zoneband.dll
• avz.exe
• Vba32arkit.exe
• guardxup.exe
• caav.exe
• KAVStart.exe
• regmon.exe
• avp.com
• navigator.exe
• ArcaCheck.exe
• nod32.exe
• zonealarm.exe
• vba32ldr.exe
• AvMonitor.exe
• AVP32.EXE
• niu.exe
• cfp.exe
• avz_se.exe
• vsserv.exe
• nod32krn.exe
• CCenter.exe
• aswUpdSv.exe
• procexp.exe
• NAVNT.EXE
• fsgk32st.exe
• KPFW32.exe
• cfpupdat.exe
• fsav32.exe
• Zlh.exe
• avconsol.exe
• pskdr.exe
• KPFW32X.exe
• avconfig.exe
• KAVPFW.exe
• avcls.exe
• a2service.exe
• avgrssvc.exe
• drwadins.exe
• KAVDX.exe
• avscan.exe
• FSMA32.EXE
• NAVSTUB.EXE
• ashServ.exe
• avguard.exe
• RegTool.exe
• drwebupw.exe
• ccupdate.exe
• Nvcc.exe
• GFRing3.exe

The following key is also added, silencing the Windows Security Center warnings:
– [HKLM\SOFTWARE\Microsoft\Security Center]
• "AntiVirusDisableNotify"=dword:0x00000001
• "FirewallDisableNotify"=dword:0x00000001
• "UpdatesDisableNotify"=dword:0x00000001

The following registry value is changed:
– [HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
New value:
• "DisableRawSecurity"=dword:0x00000001

Backdoor
The following port is opened:
– 239.255.2**********.2********** on UDP port 1900

File details
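The registry changes listed above come down to three things an analyst can check for directly on a suspect machine or in a registry export taken from it: an Image File Execution Options (IFEO) subkey per security tool whose "Debugger" value points at ntsd -d, the three Security Center *DisableNotify values set to 1, and AFD's DisableRawSecurity set to 1. The following Python script is an added example, not part of Avira's description or tooling: it parses a .reg export (the constructed SAMPLE_REG below stands in for a real export of those keys) and reports every entry that matches those patterns. The function and variable names are this example's own.

```python
"""Triage check for the registry tampering described above (added example).

Parses a Windows .reg export and flags:
  * any IFEO subkey carrying a "Debugger" value (the description lists
    "ntsd -d" for ~100 security-tool executables),
  * Security Center *DisableNotify values set to 1,
  * AFD\\Parameters DisableRawSecurity set to 1.
"""
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options" "\\")
SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
AFD_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters"
NOTIFY_VALUES = ("AntiVirusDisableNotify", "FirewallDisableNotify",
                 "UpdatesDisableNotify")

# Constructed sample export: one hijacked tool, one benign IFEO entry
# (GlobalFlag without a Debugger value), a partially tampered Security
# Center key and the AFD change.  A real export from `reg export` is
# UTF-16LE; open it with encoding="utf-16" before passing it to parse_reg.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
"DisableRawSecurity"=dword:00000001
"""

_VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: raw_value_text}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = m.group(2)
    return keys


def dword_is_set(value):
    """True for a REG_DWORD of 1 written as dword:00000001 or dword:0x00000001."""
    v = value.strip().lower()
    if not v.startswith("dword:"):
        return False
    try:
        return int(v[len("dword:"):], 16) == 1
    except ValueError:
        return False


def find_tampering(keys):
    """Return (kind, name, value) tuples for entries matching the description."""
    findings = []
    for key, values in keys.items():
        lowered = key.lower()
        if lowered.startswith(IFEO_PREFIX.lower()) and "Debugger" in values:
            image = key[len(IFEO_PREFIX):]
            findings.append(("ifeo_debugger", image, values["Debugger"].strip('"')))
        elif lowered == SECURITY_CENTER.lower():
            for name in NOTIFY_VALUES:
                if dword_is_set(values.get(name, "")):
                    findings.append(("security_center", name, values[name]))
        elif lowered == AFD_PARAMS.lower():
            if dword_is_set(values.get("DisableRawSecurity", "")):
                findings.append(("afd", "DisableRawSecurity",
                                 values["DisableRawSecurity"]))
    return findings


if __name__ == "__main__":
    for kind, name, value in find_tampering(parse_reg(SAMPLE_REG)):
        print(f"{kind:16} {name:28} {value}")
```

Any "Debugger" value under IFEO deserves a look, not only "ntsd -d": the check reports the image name so it can be compared against the executable list above, and a debugger entry for a security tool that nobody installed deliberately is the finding regardless of which debugger it names.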
Runtime packer: To hinder detection and reduce the size of the file, it is packed with a runtime packer.
Description submitted by Petre Galan on Wednesday, 7 April 2010
Description updated by Petre Galan on Wednesday, 7 April 2010