Precisa de ajuda? Peça à comunidade ou contrate um perito.
Acesse a Avira Answers
Virus:TR/ZZDimy.13
Date discovered:15/05/2009
Type:Trojan
In the wild:Yes
Reported Infections:Medium
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:13.824 Bytes
MD5 checksum:feb9fcb58b7537c47a0Cfc1c00702b50
IVDF version:7.01.03.215 - Friday, May 15, 2009

 General Aliases:
   •  Symantec: Backdoor.Paproxy
   •  Mcafee: Generic Proxy!a trojan !!!
   •  Kaspersky: Trojan.Win32.Agent2.jyy
   •  Panda: W32/Koobface.AD.worm
   •  Eset: a variant of Win32/Tinxy.AD trojan


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops a malicious file
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\SYS32DLL.exe



It deletes the initially executed copy of itself.



It deletes the following file:
   • C:\SYS32DLL.bat



The following file is created:

– C:\SYS32DLL.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.



It tries to download a file:

– The location is the following:
   • http://85.13**********/v50/?v=63&s=I&uid=0&p=6004&q=
Furthermore this file gets executed after it was fully downloaded. At the time of writing this file was not online for further investigation.

 Registry It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
   • "7171:TCP"="7171:TCP:*:Enabled:SYS32DLL"
   • "80:TCP"="80:TCP:*:Enabled:SYS32DLL"



The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • "ProxyServer"="http=localhost:7171"
   • "ProxyOverride"="*.local;"
   • "ProxyEnable"=dword:00000001

 Backdoor The following port is opened:

%SYSDIR%\SYS32DLL.exe on TCP port 7171 in order to provide an HTTP server.


Contact server:
One of the following:
   • yy-d**********.com
   • zz-d**********.com


 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Descrição enviada por Petre Galan em terça-feira, 6 de outubro de 2009
Descrição atualizada por Andrei Ivanes em quarta-feira, 7 de outubro de 2009

Voltar . . . .
https:// Esta janela é criptografada para sua segurança.