Precisa de ajuda? Peça à comunidade ou contrate um perito.
Acesse a Avira Answers
Virus:DR/Autoit.YH.331
Date discovered:24/08/2010
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Medium
Damage Potential:Low to medium
Static file:Yes
File size:570.044 Bytes
MD5 checksum:8c78dc19db83e8ad55eb4a8732476d57
VDF version:7.10.04.195
IVDF version:7.10.11.04 - Tuesday, August 24, 2010

 General Methods of propagation:
    Autorun feature
   • Peer to Peer


Aliases:
   •  Mcafee: W32/Autorun.worm.zf.gen
   •  Sophos: W32/AutoIt-LA
   •  Bitdefender: Trojan.Autoit.ALR
   •  Panda: Trj/Autoit.gen
   •  Eset: Win32/Tifaut.D


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following locations:
   • %drive%\alokium.exe
   • %SYSDIR%\csrcs.exe



It deletes the following files:
   • %TEMPDIR%\nonrlim
   • %TEMPDIR%\jicnohr
   • %TEMPDIR%\aut%number%.tmp



The following files are created:

%drive%\Autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

%TEMPDIR%\nonrlim
%TEMPDIR%\aut%number%.tmp
%TEMPDIR%\jicnohr



It tries to execute the following file:

Filename:
   • %SYSDIR%\csrcs.exe

 Registry The following registry keys are added in order to run the processes after reboot:

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
   • "csrcs"="%SYSDIR%\csrcs.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\
   Run]
   • "csrcs"="%SYSDIR%\csrcs.exe"



The following registry key is added:

[HKLM\Software\Microsoft\DRM\amty]
   • "ilop"="1"



The following registry keys are changed:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "Shell"="Explorer.exe csrcs.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "Hidden"=dword:0x00000002
   • "ShowSuperHidden"=dword:0x00000000
   • "SuperHidden"=dword:0x00000000

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\Hidden\SHOWALL]
   New value:
   • "CheckedValue"=dword:0x00000001

 P2P In order to infect other systems in the Peer to Peer network community the following action is performed:   It retrieves shared folders by querying the following registry keys:
   • HKCU\Software\Shareaza\Shareaza
   • HKLM\SOFTWARE\LimeWire
   • HKCU\Software\Kazaa\LocalContent
   • HKLM\SOFTWARE\DC++
   • HKCU\Software\eMule
   • HKCU\Software\Ares


 Miscellaneous  Checks for an internet connection by contacting the following web site:
   • http://www.whatismyip.com/automation/n09230945.asp
Accesses internet resources:
   • http://suse.extasix.com/**********
   • http://www.5eb149c0.com/**********
   • http://wre.extasix.com/**********


Mutex:
It creates the following Mutex:
   • df8g1sdf68g18er1g8re16

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Descrição enviada por Petre Galan em sexta-feira, 4 de fevereiro de 2011
Descrição atualizada por Petre Galan em sexta-feira, 4 de fevereiro de 2011

Voltar . . . .
https:// Esta janela é criptografada para sua segurança.