Virus: WORM/Koobface.J
Date discovered: 21/10/2010
Type: Worm
In the wild: Yes
Damage level: Low
Distribution level: Low
Risk level: Low to medium
Static file: Yes
Size: 331,776 bytes
MD5 checksum: 77be30318b2cdcb8c9708ba1ef04f5c0
VDF version: 7.10.05.230
IVDF version: 7.10.13.15 - Thursday, 21 October 2010

Method of propagation:
   • Has no propagation routines


Aliases:
   • Kaspersky: Net-Worm.Win32.Koobface.hdz
   • F-Secure: Net-Worm.Win32.Koobface.hdz
   • Microsoft: Trojan:Win32/Koobface
   • Eset: Win32/Koobface.NDI


Operating systems:
   • Windows 2000
   • Windows XP
   • Windows Vista
   • Windows 7


Side effects:
   • Disables security applications
   • Downloads a malicious file
   • Modifies the Windows registry

Files: Copies itself to the following location:
   • %WINDIR%\andy138.exe



The following files are created:

Non-malicious files:
   • %WINDIR%\fdgg34353edfgdfdf
   • %WINDIR%\bk23567.dat

C:\3.reg - detected as: TR/REG.Koobface.89

Registry: The following value is added to the Windows registry so that the process is executed again after the computer is restarted:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "xuri49tkd"="%WINDIR%\andy138.exe"



The following values of this registry key are deleted (these are the Run-key names used by earlier Koobface components):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "syspptray"=-
   • "sysfbtray"=-



The following registry keys and values are added:

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
   • "DisableAntiSpyware"=dword:00000001

[HKCR\Mime\Database\Content Type\application/xhtml+xml]
   • "CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"
   • "Extension"=".xml"
   • "Encoding"=hex:08,00,00,00
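As an added example (not part of Avira's description), the following read-only PowerShell script audits a Windows host for the file and registry artifacts listed above; the only assumption is that it runs with administrative rights so that the HKLM policy key is readable.

```powershell
# Added example: audit a host for the WORM/Koobface.J artifacts in this description.
# Read-only: it reports findings and changes nothing.
$findings = @()
$knownMd5 = "77be30318b2cdcb8c9708ba1ef04f5c0"   # sample hash from the description

# File artifacts; %WINDIR% is resolved on this host.
$files = @("andy138.exe", "fdgg34353edfgdfdf", "bk23567.dat") |
    ForEach-Object { Join-Path $env:WINDIR $_ }
$files += "C:\3.reg"
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash.ToLower()
        $note = if ($hash -eq $knownMd5) { " (MD5 matches the described sample)" } else { "" }
        $findings += "File present: $f MD5=$hash$note"
    }
}

# Persistence: Run value "xuri49tkd" pointing at %WINDIR%\andy138.exe.
$run = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$v = Get-ItemProperty -Path $run -Name "xuri49tkd" -ErrorAction SilentlyContinue
if ($v) { $findings += "Run value xuri49tkd = $($v.xuri49tkd)" }

# Security software tampering: Windows Defender disabled by policy.
$wd = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
$d = Get-ItemProperty -Path $wd -Name "DisableAntiSpyware" -ErrorAction SilentlyContinue
if ($d -and $d.DisableAntiSpyware -eq 1) { $findings += "DisableAntiSpyware policy is set to 1" }

# MIME database entry for application/xhtml+xml. The CLSID written here is the standard
# HTML document handler, so on its own this is only a weak signal; report it with the rest.
$mime = "Registry::HKEY_CLASSES_ROOT\Mime\Database\Content Type\application/xhtml+xml"
$m = Get-ItemProperty -Path $mime -ErrorAction SilentlyContinue
if ($m -and $m.CLSID -eq "{25336920-03F9-11cf-8FD0-00AA00686F13}" -and $m.Extension -eq ".xml") {
    $findings += "xhtml+xml MIME entry matches the values written by the worm"
}

if ($findings.Count -eq 0) { "No WORM/Koobface.J artifacts found" } else { $findings }
```

A Run value or the Defender policy key by itself only indicates that something wrote them; the file hash match is the confirming indicator.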

Backdoor: Contacts the following servers:

This is done using the HTTP POST method via PHP scripts.


Remote control capabilities:
   • Download of files

Miscellaneous: Checks for an internet connection by contacting the following web site:
   • www.google.com

Description submitted by Mihai Dilimot on Friday, 1 April 2011
Description updated by Mihai Dilimot on Friday, 1 April 2011
