Precisa de ajuda? Peça à comunidade ou contrate um perito.
Acesse a Avira Answers
Date discovered:23/12/2008
Type:Backdoor Server
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Medium to high
Damage Potential:Medium to high
Static file:Yes
File size:782.336 Bytes
MD5 checksum:375306f0f224df1542b0343d5756b8a5
IVDF version:

 General Method of propagation:
   • Infects files

   •  Mcafee: W32/Virut.gen
   •  Sophos: W32/Vetor-A
   •  Panda: W32/Virutas.gen
   •  Eset: Win32/Virut.Q
   •  Bitdefender: IRC-Worm.Generic.4269

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Infects files
   • Lowers security settings
   • Registry modification
   • Third party control

 Files The following files are created:

%PROGRAM FILES%\mIRC\IRC Bot\control.ini
%PROGRAM FILES%\mIRC\IRC Bot\remote.ini
%PROGRAM FILES%\mIRC\IRC Bot\svchost.exe
%PROGRAM FILES%\mIRC\IRC Bot\Anjing_Malingsia.sys
%PROGRAM FILES%\Microsoft Office
%PROGRAM FILES%\mIRC\IRC Bot\kontol.mrc
%PROGRAM FILES%\mIRC\IRC Bot\perampok_budaya.sys
%PROGRAM FILES%\mIRC\IRC Bot\Nama_Anjing.sys
%PROGRAM FILES%\mIRC\IRC Bot\Channel_Babi.sys
%PROGRAM FILES%\mIRC\IRC Bot\Nama_Babi.sys
%PROGRAM FILES%\mIRC\IRC Bot\Asshole.sys

 Registry One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Shell"="Explorer.exe, %PROGRAM FILES%\Microsoft Office\WINWORD.EXE"

The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Acha.exe]
   • "Debugger"="cmd.exe /c del"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\wscript.exe]
   • "Debugger"="rundll32.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\AmyMastura.exe]
   • "Debugger"="cmd.exe /c del"

– [HKLM\SOFTWARE\Microsoft\Security Center]
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "AntiVirusOverride"=dword:0x00000001
   • "FirewallDisableNotify"=dword:0x00000001
   • "FirewallOverride"=dword:0x00000001
   • "FirstRunDisabled"=dword:0x00000001
   • "UpdatesDisableNotify"=dword:0x00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\registry.exe]
   • "Debugger"="cmd.exe /c del"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\csrsz.exe]
   • "Debugger"="cmd.exe /c del"

The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   New value:
   • "EnableLUA"=dword:0x00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "ShowSuperHidden"=dword:0x00000000
   • "SuperHidden"=dword:0x00000000

– [HKLM\SOFTWARE\Classes\exefile]
   New value:
   • "NeverShowExt"=""

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   New value:
   • "CheckedValue"=dword:0x00000000
   • "DefaultValue"=dword:0x00000000
   • "UncheckedValue"=dword:0x00000000

– [HKLM\SYSTEM\CurrentControlSet\Services\wuauserv]
   New value:
   • "Start"=dword:0x00000004
   • "Type"=dword:0x00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   New value:
   • "Start"=dword:0x00000004
   • "Type"=dword:0x00000004

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
   New value:
   • "load"=""

– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
   New value:
   • "Start"=dword:0x00000004
   • "Type"=dword:0x00000004

– [HKLM\SYSTEM\CurrentControlSet\Services\WinDefend]
   New value:
   • "Start"=dword:0x00000004
   • "Type"=dword:0x00000004

 File infection Infector type:

Appender - The virus main code is added at the end of the infected file.
– The last section of the file is modified to include the virus code.

Self Modification:

Polymorphic - The entire virus code changes from one infection to another. The virus contains a polymorphic engine.


This direct-action infector actively searches for files.

This memory-resistent infector remains active in memory.

Infection length:

- 11.264 Bytes

The following file is infected:

By file type:
   • .exe

 IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: proxim.irc**********.pl
Port: 80
Channel: &virtu
Nickname: %random character string%

Port: 80
Channel: &virtu
Nickname: %random character string%

Server: 60.190.2**********.1**********
Port: 80
Channel: &virtu
Nickname: %random character string%

 Injection – It injects itself as a thread into a process.

    Process name:
   • winlogon.exe

– It injects a backdoor routine into a process.

    Process name:
   • %all running processes%

 Rootkit Technology  Hooks the following API functions:
   • NtCreateFile
   • NtOpenFile
   • NtCreateProcess
   • NtCreateProcessEx

Descrição enviada por Petre Galan em segunda-feira, 22 de março de 2010
Descrição atualizada por Petre Galan em quarta-feira, 24 de março de 2010

Voltar . . . .