Virus: TR/A.108544
Date discovered: 27/04/2010
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 108.544 Bytes
MD5 checksum: 0227e05f0183120ac3e5b8df4086961f
IVDF version: 7.10.06.222 - Tuesday, April 27, 2010

General Methods of propagation:
   • Autorun feature
   • Email


Aliases:
   •  Sophos: Troj/DelfInj-Q
   •  Bitdefender: Trojan.Generic.3822680
   •  Panda: W32/Pinit.J.worm
   •  Eset: Win32/Peerfrag.FD


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Lowers security settings
   • Downloads malicious files
   • Drops malicious files
   • Registry modification

Files

It copies itself to the following location:
   • %recycle bin%\%CLSID%\mgrls32.exe



It deletes the following files:
   • %TEMPDIR%\husu.exe
   • %SYSDIR%\DRIVERS\SET5.tmp
   • %TEMPDIR%\587.exe
   • %TEMPDIR%\bohvby.exe
   • %SYSDIR%\drivers\aec.sys
   • %SYSDIR%\drivers\aec.sys.bak
   • %TEMPDIR%\joujbvje.exe
   • %TEMPDIR%\hqgqrnbdunn.bat



The following files are created:

%recycle bin%\%CLSID%\Desktop.ini
%HOME%\ndisrd_m.inf This is a non-malicious text file with the following content:
   • %code that runs malware%

%drive%\autorun.inf This is a non-malicious text file with the following content:
   • %code that runs malware%

%HOME%\ndisrd.inf This is a non-malicious text file with the following content:
   • %code that runs malware%

%temporary internet files%\fjnvpk[1].htm Further investigation showed that this file is also malware. Detected as: TR/Dropper.Gen

%TEMPDIR%\wsqptq.exe
%SYSDIR%\DRIVERS\SET5.tmp
%SYSDIR%\DRIVERS\ndisrd.sys
%temporary internet files%\fwevpovto[1].htm Further investigation showed that this file is also malware. Detected as: TR/Spy.Gen

%HOME%\snetcfg.exe
%drive%\lsass.exe Further investigation showed that this file is also malware. Detected as: TR/Spy.Gen

%HOME%\Application Data\Microsoft\Crypto\RSA\%CLSID%\a18ca4003deb042bbee7a40f15e1970b_1c1a3893-4672-472f-afbd-f2c903f9947c
%HOME%\ndisrd.sys
%TEMPDIR%\184.exe Further investigation showed that this file is also malware. Detected as: Worm/Rimecud.N.3

%TEMPDIR%\jfrevf.exe Further investigation showed that this file is also malware. Detected as: TR/ATRAPS.Gen

%TEMPDIR%\mcillbuu.exe Further investigation showed that this file is also malware. Detected as: TR/Dropper.Gen

%temporary internet files%\oriqbjdp[1].htm Further investigation showed that this file is also malware. Detected as: TR/ATRAPS.Gen

%TEMPDIR%\awkvrft.exe Further investigation showed that this file is also malware. Detected as: TR/Dropper.Gen

%TEMPDIR%\bohvby.exe Further investigation showed that this file is also malware. Detected as: TR/Crypt.ZPACK.Gen

%SYSDIR%\regedit.exe
%TEMPDIR%\husu.exe
%TEMPDIR%\nrktcvy.exe Further investigation showed that this file is also malware. Detected as: TR/Spy.Gen

%SYSDIR%\drivers\aec.sys
%HOME%\drvsign.exe
%TEMPDIR%\hqgqrnbdunn.bat This batch file is executed once it has been fully written; it is used to delete a file.
%TEMPDIR%\587.exe Further investigation showed that this file is also malware. Detected as: TR/Agent.AO.1250

%temporary internet files%\rvqxfn[1].htm
%temporary internet files%\imwaic[1].htm Further investigation showed that this file is also malware. Detected as: TR/Dropper.Gen

%TEMPDIR%\joujbvje.exe
%temporary internet files%\fwelcx[1].htm
%SYSDIR%\drivers\zibmaunkvy9.sys Further investigation showed that this file is also malware. Detected as: RKit/Tent.aui

%TEMPDIR%\a82d79a1.tmp
%temporary internet files%\loaderadv600[1].exe Further investigation showed that this file is also malware. Detected as: TR/Agent.AO.1250

%temporary internet files%\hypwhc[1].htm
%recycle bin%\%CLSID%\vsbntlo.exe Further investigation showed that this file is also malware. Detected as: Worm/Rimecud.N.3

%temporary internet files%\yptozgozmu[1].htm Further investigation showed that this file is also malware. Detected as: TR/Crypt.ZPACK.Gen

%temporary internet files%\pr3xyy[1].exe Further investigation showed that this file is also malware. Detected as: Worm/Rimecud.N.3

%SYSDIR%\drivers\aec.sys.bak



It tries to download some files:

The location is the following:
   • http://81.214.13**********.58/?7c222e27396f222c272a2e396a22282c2e3969222c2e2b28397d222f397b222e396c222e2f29262f272f397a225c25434b7a726f43716d746b7c6966317a677a3978227671766b1f


The location is the following:
   • http://115.85.23**********.119/?560805134508060d00041340080206041343080604010213570805135108041346080405030c050d05135008760f6961505845695b475e4156434c1b504d501352085c5b5c4135


The location is the following:
   • http://aebankonline.com/ufwnltbz/**********?adv=%character string%


The locations are the following:
   • http://aebankonline.com/ufwnltbz/**********?adv=%character string%
   • http://bedayton.com/ufwnltbz/**********?adv=%character string%


The location is the following:
   • http://go-thailand-now.com/**********?user=%character string%


The locations are the following:
   • http://89.214.**********.17/?7e20283b6d202e25282c3b68202a2e2c3b6b202e2c292a3b7f202d3b79202c3b6e202c2d2b242d252d3b78205e27414978706d41736f76697e6b64337865783b7a20747374691d
   • http://62.149.**********.17/?9bc5c9cfde88c5cbc0cdc9de8dc5cfcbc9de8ec5cbc9cccfde9ac5c8de9cc5c9de8bc5c9c8cec1c8c0c8de9dc5bbc2a4ac9d9588a4968a938c9b8e81d69d809dde9fc59196918cf8


The location is the following:
   • http://go-thailand-now.com/**********?mode=%character string%&f=%number%


The location is the following:
   • http://go-thailand-now.com/**********?file=%character string%


The location is the following:
   • http://aebankonline.com/yulgbvqk/**********?id=%character string%&p=%number%


The location is the following:
   • http://go-thailand-now.com/**********?num=%number%


The location is the following:
   • http://89.146.16**********.198/?c49a969581d79a949f929681d29a90949681d19a9496939081c59a9781c39a9681d49a9697919e979f9781c29ae49dfbf3c2cad7fbc9d5ccd3c4d1de89c2dfc281c09acec9ced3a7


The location is the following:
   • http://89.146.13**********.94/?c59b979580d69b959e939780d39b91959780d09b9597929180c49b9680c29b9780d59b9796909f969e9680c39be59cfaf2c3cbd6fac8d4cdd2c5d0df88c3dec380c19bcfc8cfd2a6


The location is the following:
   • http://196.217.**********.104/?adf3fffae8bef3fdf6fbffe8bbf3f9fdffe8b8f3fdfffaf9e8acf3fee8aaf3ffe8bdf3fffef8f7fef6fee8abf38df4929aaba3be92a0bca5baadb8b7e0abb6abe8a9f3a7a0a7bace


The locations are the following:
   • http://208.110.82.186/**********
   • http://96.0.203.114/**********


The locations are the following:
   • http://go-thailand-now.com/**********?876377c509c3a3f1b59f91d4c2f18b0e
   • http://go-thailand-now.com/**********?a2c44929ca4ccf3fda5849fe6a74f9a7


The location is the following:
   • http://208.53.183.4/**********


The location is the following:
   • http://aebankonline.com/ufwnltbz/**********?adv=%character string%&code1=%character string%&code2=%number%&id=%character string%&p=%number%


The location is the following:
   • http://go-thailand-now.com/**********?sub=%character string%&fid=%number%


The location is the following:
   • http://go-thailand-now.com/**********?sessid=%character string%


The location is the following:
   • http://!/**********?t=%number%&a&id=%character string%


The location is the following:
   • http://bedayton.com/**********




It tries to execute the following files:

Filename:
   • %TEMPDIR%\587.exe


Filename:
   • %TEMPDIR%\jfrevf.exe


Filename:
   • %TEMPDIR%\awkvrft.exe


Filename:
   • %TEMPDIR%\wsqptq.exe


Filename:
   • "drvsign.exe"


Filename:
   • "%SYSDIR%\cmd.exe" /c del %TEMPDIR%\587.exe > nul


Filename:
   • "snetcfg.exe" -v -l ndisrd.inf -m ndisrd_m.inf -c s -i nt_ndisrd


Filename:
   • runonce -r


Filename:
   • %TEMPDIR%\184.exe


Filename:
   • %TEMPDIR%\husu.exe


Filename:
   • %TEMPDIR%\joujbvje.exe


Filename:
   • %TEMPDIR%\nrktcvy.exe


Filename:
   • c:\lsass.exe exe %TEMPDIR%\nrktcvy.exe


Filename:
   • %TEMPDIR%\mcillbuu.exe


Filename:
   • "%SYSDIR%\cmd.exe" /c del %TEMPDIR%\husu.exe > nul


Filename:
   • %TEMPDIR%\bohvby.exe


Filename:
   • cmd /c %TEMPDIR%\hqgqrnbdunn.bat

Registry

The following registry keys are added in order to run the processes after reboot:



The following registry keys are added in order to load the service after reboot:

[HKLM\System\CurrentControlSet\Services\ndisrd]
   • "DisplayName"="WinpkFilter Service"
   • "ErrorControl"=dword:0x00000001
   • "Group"="PNP_TDI"
   • "ImagePath"="system32\DRIVERS\ndisrd.sys"
   • "Start"=dword:0x00000003
   • "Tag"=dword:0x00000009
   • "Type"=dword:0x00000001



The value of the following registry key is removed:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • internat.exe



It creates the following entry in order to bypass the Windows XP firewall:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   • "EnableFirewall"=dword:0x00000000



The following registry keys are added:

[HKLM\SYSTEM\CurrentControlSet\Control\Network\NetCfgLockHolder]
   • "@"="Sample Netcfg Application (netcfg.exe)"

[HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{E72B696E-A8C6-409D-9061-F9F761901156}\Parameters]
   • "Param1"="4"

[HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{E72B696E-A8C6-409D-9061-F9F761901156}\Ndi]
   • "FilterClass"="failover"
   • "FilterDeviceInfId"="nt_ndisrdmp"
   • "HelpText"="WinpkFilter Driver"
   • "Service"="Ndisrd"

[HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{E72B696E-A8C6-409D-9061-F9F761901156}\Ndi\Interfaces]
   • "FilterMediaTypes"="ethernet, wan"
   • "LowerRange"="nolower"
   • "UpperRange"="noupper"

[HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0010]
   • "Characteristics"=dword:0x00000029
   • "ComponentId"="nt_ndisrdmp"
   • "DriverDate"="10-20-2005"
   • "DriverDateData"="%hex values%"
   • "DriverDesc"="WinpkFilter Miniport"
   • "DriverVersion"="3.0.0.1"
   • "FilterInfId"="nt_ndisrd"
   • "InfPath"="oem15.inf"
   • "InfSection"="NdisrdMP.ndi"
   • "MatchingDeviceId"="nt_ndisrdmp"
   • "NetCfgInstanceId"="{3176222F-F7CE-4460-BF0E-40F4C354CAD0}"
   • "ProviderName"="NTKR"

[HKCU\Software\Microsoft\Internet Explorer\Main]
   • "DHCP"="1069080"
   • "DNS"="AF6A3860,70CA3F13,1BF8782F,1BFF0A84,59B04312,D935A410,75C51962,75FEE8C0,7448CC6D,73F26375,1BF82AA1,76A1C295,744A298D,4F77A590,779A3332,73F1CC48,71203C96,D935A439,71C192E5,51541DED,53D80338,75FE0DD7,BDC26A29,7D636C89,75FEE135,77987384,BEAE0F53,75C2037C,3B5EED10,75FE7F74,75C32849,57442D77,598939D3,75C91217,70C5A4B6,70C52A68,6F5C886F,75C7B4BA,597B25C0,71C18E2C,73F208AF,779A8244,75C5B277,7A8A11A8,79F52698,B603C830,5EB7431A,59259351,75C59098,75C84704,77985045,75C003AA,29D6DE85,7C7880E9,779A79F1,70C9B1A6,75CC4477,BC191310,744A6621,BEF14F44,592E4343,5744F4D8,73BA06B0,70CB8C08,5B8998FB,779A827E,79F55472,7C7D5229,BD30D14B,75C541DB,75C7E1EF,74620477,B7574547,4E274B08,7375A14C,4E274B86,3BA17F28,779A7392,7375A6CC,75C6E399,3D02C121,7978AE86,D4105AEC,79180F5A,75C5906E,4D4E1302,70C8DFB3,73F09F78,3B676444,7375F50D,B6022311,73F0DB2F,BDDD995A,CA08EE7B,7C7B9672,75CF3606,70CACC5A,567E457D,70CB83E3,70C5DD42,3D01F761,5D9C625B,5429313A,BA5907D9,B630FEBC,592DDAF3,70C5077B,7BED2C4E,B6000BBE,CBC0E6A8,BB222A98,4E2724C8,737F08F3,CBC186DB,75C404EA,3BA1338B,546DC46E,77A64585,75C69E0F,BB037BF5,75CD11D3,70CA6B11,779A7141,7357A43A,6F5C8DB2,7CFDA5A1,BC1A1A3A,73F1CB4F,6DBA748E,70C9A8E5,D5A10549,70C5BC7F,70C5764A,B6042CA1,5EBDB005,59853196,3BA138F0,788A7EE4,779A3121,71FCF5B3,C4CE501C,73FC209B,73FC269D,29F83B00,70C5860C,75CE3313,765E52DC,73F0CF56,714C5E12,4DED43DB,762F6F3A,4FA36A09,70C5852A,73BA7306,5B89982B,79F56421,70CB9E79,73B89CE7,B45C9C2E,74620609,BB5A999E,599BC728,BB0F13A5,75C63246,7375CDCD,CA803015,70CD189F,576DE7DE,CA83A4BB,79E37365,3B59342C,3E8BDACB,75C4E570,779A778C,5C24DBD9,5DB189D7,29F92E6E,C9516F26,75C807AF,75CD61AA,75C7C420,C8140BC6,29D98B11,75FE0818,54FDCEAF,779A7F92,70C818E4,558255FB,C4CE681F,779A32C6,724FA678,5B490D6B,75C948EF,7BED442D,BA511B3D,73F1A5C1,75CF2545,CB7357E2,75C30E54,4F75A47A,7C7B7B41,5290BC31,4E3AA622,73B8DBDF,75F15882,4E274B0E,BA0E4535,6EE27356,7448D173,73F18EDE,59B8D9C0,7798FCB6,70CAA0E3,75C94AB0,B69C9F46,295C210D,79F536A6,74EE4131,779A24F6,71C1DADC,73FC2B41
,779A74FE,3BA1390C,5EB7F4DB,79F56C7F,CBD727CF,3B5FD208,CEF840E1,4E274B3C,C4CE5957,7000F18B,50DDF9D1,5E345528,5744A38F,7449291C,79F51991,5D67AFC5,B75745F1,C85F9A7F,5B93DDC7,55CA2942,29CFDA4B,BCAD4294,4D4EF4AB,70C9A366,C4DA5732,BDC11407,C4CE56D6,5F6C0A6D,71C14A90,7C8234A4,C86D3D8C,70CE4E2C,BC1946F2,59D46501,7BEE798A,29FB8E36,5EB74357,BE496A74,5057F060,BE8E0D70,7C7B8FBF,3E8BDABE,C4D92A2A,7BEE7A3D,779A0CB4,70C5C2C7,6F5C8CBA,C9FE2C2F,3D01128A,C4D9D4A4,BE9E5CE3,73B8F15C,71C1E6D0,779A46EA,75C83B68,71C14E28,70C573C0,5928C587,CAA02E7A,75C7B3D7,5B539969,75FEA3C4,75621260,7BED1BDA,3B5E2DA1,7113210F,75FE6C09,3B5F64B5,5D674B2D,73F22E63,70CE0C55,75C95D7F,75CD221F,7A23564C,BE619917,7C7B0898,4F72794D,C89FC45B,75C51827,70CE55A0,7961A29A,70C525B7,3B6089DE,75C8C155,73A45184,73A4DBAF,79F58C00,BC81E8C7,3B5F0999"

[HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
   • "WinpkFilter Miniport"="1"

[HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011]
   • "Characteristics"=dword:0x00000029
   • "ComponentId"="nt_ndisrdmp"
   • "DriverDate"="10-20-2005"
   • "DriverDateData"="%hex values%"
   • "DriverDesc"="WinpkFilter Miniport"
   • "DriverVersion"="3.0.0.1"
   • "FilterInfId"="nt_ndisrd"
   • "InfPath"="oem15.inf"
   • "InfSection"="NdisrdMP.ndi"
   • "MatchingDeviceId"="nt_ndisrdmp"
   • "NetCfgInstanceId"="{43179874-A743-444B-9A07-D10E4D8F4308}"
   • "ProviderName"="NTKR"



The following registry keys are changed:

[HKLM\SOFTWARE\Microsoft\Driver Signing]
   New value:
   • "Policy"=hex:0

[HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
   New value:
   • "MaxUserPort"=dword:0x0000fffe

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
   New value:
   • "PrivateHash"="%hex values%"

Email

It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.


To:
   • Email addresses found in specific files on the system.


Subject:
The following:
   • Lonely Wives Looking For Hookup



Body:
   • Contains HTML code.


Attachment:

The attachment is a copy of the malware itself.

Backdoor

The following ports are opened:

   • 89.149.2**********.140 on UDP port 8811
   • 89.149.2**********.222 on TCP port 65534

File details

Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description submitted by Petre Galan on Monday, 12 July 2010
Description updated by Petre Galan on Tuesday, 20 July 2010
