Precisa de ajuda? Peça à comunidade ou contrate um perito.
Acesse a Avira Answers
Date discovered:03/11/2010
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:94.208 Bytes
MD5 checksum:1E3066B7E6960505F567D28A529DDBA8
VDF version:
IVDF version: - Wednesday, November 3, 2010

 General Method of propagation:
   • Autorun feature

   •  Symantec: Backdoor.IRC.Bot
   •  Mcafee: W32/IRCbot.worm
   •  Kaspersky: Trojan.Win32.VBKrypt.rut
   •  TrendMicro: BKDR_IRCBOT.DAQ
   •  F-Secure: Backdoor.Bot.130321

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Drops files
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following location:
   • %WINDIR%\oldbi.exe

 Registry To each registry key one of the values is added in order to run the processes after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Ci Servs"="oldbi.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\
   • "Ci Servs"="oldbi.exe"

 IRC – Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • Join IRC channel
    • Upload file

 Miscellaneous Internet connection:
In order to check for its internet connection the following DNS server is contacted:

Anti debugging
It checks for running programs that contain one of the following strings:
   • tcpview
   • filemon
   • procmon

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Descrição enviada por Andrei Ilie em segunda-feira, 21 de março de 2011
Descrição atualizada por Andrei Ilie em quarta-feira, 23 de março de 2011

Voltar . . . .
https:// Esta janela é criptografada para sua segurança.