Virus: TR/Agent.77824
Date discovered: 31/10/2006
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 77,824 bytes
MD5 checksum: 3e6dc704fc07eecd9628c1bb3969ac56
VDF version: 6.36.00.198
IVDF version: 6.36.00.217 - Tuesday, October 31, 2006

General
Method of propagation:
   • Autorun feature


Aliases:
   • Kaspersky: Trojan.Win32.VBKrypt.cwnm
   • Bitdefender: Trojan.Generic.6201582
   • GData: Trojan.Generic.6201582
   • DrWeb: Trojan.Siggen2.29349


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Third party control
   • Drops malicious files
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following locations:
   • %drive%\microsoft.exe
   • %HOME%\Application Data\scheb.exe



It overwrites the following file:
   • %SYSDIR%\drivers\etc\hosts



It deletes the following file:
   • %TEMPDIR%\fla7DXG8N.tmp



The following files are created:

%drive%\autorun.inf
This is a plain text file and not executable code in itself, but it contains the AutoRun directives that make Windows start the trojan's copy in the drive root when the drive is inserted or opened with AutoRun enabled:
   • %code that runs malware%

%TEMPDIR%\fla7DXG8N.tmp
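The autorun.inf described above is what turns a removable drive into a propagation vector, so the first thing an analyst checks on a suspect drive is which program that file would launch. The following parser is an added example written for this page; it is not the trojan's file or Avira's tooling. The sample autorun.inf is constructed (the page does not publish the real content), built from the documented AutoRun directives and the dropped file name %drive%\microsoft.exe given above.

```python
import configparser
import re

# Constructed sample: an autorun.inf of the kind this trojan drops in the root of
# a drive. The real file's content is not published on this page; these directives
# are an assumption, built from the documented AutoRun keys and the dropped file
# name %drive%\microsoft.exe given in the description.
SAMPLE_AUTORUN_INF = r"""[autorun]
open=microsoft.exe
shellexecute=microsoft.exe
shell\open\command=microsoft.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""

# Directives that make Windows run a program when the drive is inserted or opened.
LAUNCH_DIRECTIVES = ("open", "shellexecute")
SHELL_VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun_inf(text):
    """Return the [autorun] section as a dict with lower-cased keys ({} if absent)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower          # AutoRun keys are case-insensitive
    parser.read_string(text)
    for section in parser.sections():
        if section.lower() == "autorun":    # section name is case-insensitive too
            return dict(parser.items(section))
    return {}


def launched_programs(text):
    """List (directive, target) for every program the autorun.inf would execute."""
    found = []
    for key, value in parse_autorun_inf(text).items():
        if key in LAUNCH_DIRECTIVES or SHELL_VERB_COMMAND_RE.match(key):
            found.append((key, value.strip()))
    return found


def is_suspicious(text, dropper_names=("microsoft.exe",)):
    """Flag an autorun.inf that launches a known dropper name, or any executable
    sitting directly in the drive root (no directory component), the layout used
    by autorun worms. A file that only sets an icon or label is not flagged."""
    for _directive, target in launched_programs(text):
        name = target.replace("/", "\\").split("\\")[-1].lower()
        if name in dropper_names:
            return True
        if name == target.lower() and name.endswith(".exe"):
            return True
    return False
```

Run the functions against the autorun.inf of a drive mounted read-only; a hit on `is_suspicious` together with an executable of 77,824 bytes in the drive root is a strong indicator of this family. The dropper name list is a parameter so other root-level names can be added without changing the parser.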



It tries to execute the following file:

Filename:
   • %HOME%\Application Data\scheb.exe

Registry
The following registry values are added so that the dropped file is started again after a reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Update System"="%HOME%\Application Data\scheb.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Update System"="%HOME%\Application Data\scheb.exe"



It creates the following entry to register itself as an authorized application, so that the Windows XP firewall does not block network traffic for the dropped file:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "Windows Update System"="%HOME%\Application Data\scheb.exe"
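The two Run values and the firewall exception above are the persistence indicators a responder looks for on a suspect XP host. The script below is an added example for this page, not Avira's code: it parses a .reg export (as produced by `reg export` or regedit) offline and flags Run entries that start a program from a user-writable directory or carry a name that impersonates a Windows component, then ties firewall exceptions to the same binaries. The export text is constructed; the `%HOME%` path is expanded to an assumed XP profile directory, the `ctfmon.exe` entry is an assumed legitimate control, and the firewall value uses the Windows XP SP2 data layout (`path:*:Enabled:name`), which the listing above abbreviates.

```python
import re

# Constructed sample: a .reg export of the three keys named on this page.
# Value names and the scheb.exe path come from the description; the expanded
# profile path, the ctfmon.exe control entry and the firewall data layout
# (XP SP2 "path:*:Enabled:name") are assumptions.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows Update System"="C:\\Documents and Settings\\user\\Application Data\\scheb.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update System"="C:\\Documents and Settings\\user\\Application Data\\scheb.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\user\\Application Data\\scheb.exe"="C:\\Documents and Settings\\user\\Application Data\\scheb.exe:*:Enabled:Windows Update System"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
FIREWALL_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                 r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
# Directories a non-admin user can write to; legitimate autostarts rarely live here.
USER_WRITABLE_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\appdata\\", "\\temp\\")
# Value names that borrow Microsoft's branding while pointing outside %SystemRoot%.
DECOY_NAMES = ("windows update", "microsoft")


def _unescape(s):
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}} (REG_SZ values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key"), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            current[_unescape(m.group("name"))] = data
    return keys


def find_suspicious_persistence(keys):
    """Return (key, value_name, data, reason) for Run entries that launch from a
    user-writable directory or impersonate a Windows component, and for firewall
    exceptions granted to the same binaries. Key lookup is case-insensitive."""
    lower = {k.lower(): v for k, v in keys.items()}
    findings, flagged = [], set()
    for key in RUN_KEYS:
        for name, data in lower.get(key.lower(), {}).items():
            path, reasons = data.lower(), []
            if any(d in path for d in USER_WRITABLE_DIRS):
                reasons.append("launches from user-writable directory")
            if any(n in name.lower() for n in DECOY_NAMES) and "\\windows\\" not in path:
                reasons.append("name impersonates a Windows component")
            if reasons:
                findings.append((key, name, data, "; ".join(reasons)))
                flagged.add(path)
    for name, data in lower.get(FIREWALL_LIST.lower(), {}).items():
        exe = data.split(":*:")[0].lower() if ":*:" in data else name.lower()
        if exe in flagged or any(d in exe for d in USER_WRITABLE_DIRS):
            findings.append((FIREWALL_LIST, name, data, "firewall exception for suspicious binary"))
    return findings
```

Export the three keys from the suspect machine, run `find_suspicious_persistence(parse_reg_export(open(path).read()))`, and remove the flagged values only after the process has been killed and the mutex is gone; otherwise the running copy recreates them.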

IRC
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: minerva.cdm**********.org
Port: 6667
Channel: #spam#
Nickname: NEW[XX][XP]%number%
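The nickname scheme and channel above are usable as network indicators: any host sending a NICK of that shape followed by a JOIN to #spam# is this bot registering with its controller. The detector below is an added example for this page, not part of the description or of Avira's tooling. The captured exchange is constructed from the standard IRC registration messages (NICK, USER, JOIN, PRIVMSG); the server name, the numeric, the client address and the sysinfo reply text are assumptions, since the page masks the real server and does not show the bot's traffic.

```python
import re

# Constructed sample: a reassembled TCP stream to port 6667 (">" = client to
# server, "<" = server to client). Server name, addresses and the sysinfo text
# are assumptions; the nickname shape and channel follow the description.
SAMPLE_STREAM = """\
> NICK NEW[XX][XP]48213
> USER xp 0 * :xp
< :irc.example.org 001 NEW[XX][XP]48213 :Welcome to the network
> JOIN #spam#
< :NEW[XX][XP]48213!xp@192.0.2.10 JOIN :#spam#
< :operator!op@203.0.113.5 PRIVMSG #spam# :.sysinfo
> PRIVMSG #spam# :[SYSINFO] Windows XP SP2 | CPU 2.4GHz | RAM 512MB
"""

# NEW[XX][XP]%number%: two-letter tag, OS tag, then the generated number.
NICK_RE = re.compile(r"^NEW\[[A-Z]{2}\]\[[A-Z0-9]+\]\d+$")
C2_CHANNELS = {"#spam#"}


def parse_irc_line(line):
    """Split one IRC message into (prefix, command, params) per RFC 1459 framing:
    optional ':prefix', a command, space-separated params, optional ':trailing'."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, _, trailing = line.partition(" :")
    params = head.split()
    if trailing:
        params.append(trailing)
    return prefix, params[0].upper(), params[1:]


def detect_irc_beacon(stream_text):
    """Scan client-originated lines for this bot's registration pattern: a generated
    nickname, a JOIN to the known channel, and data posted into that channel."""
    found = {"nick": None, "channels": [], "leaks": []}
    for raw in stream_text.splitlines():
        direction, _, msg = raw.partition(" ")
        if direction != ">" or not msg.strip():
            continue                      # server-side lines carry no client evidence
        _prefix, command, params = parse_irc_line(msg)
        if command == "NICK" and params and NICK_RE.match(params[0]):
            found["nick"] = params[0]
        elif command == "JOIN" and params and params[0].lower() in C2_CHANNELS:
            found["channels"].append(params[0])
        elif command == "PRIVMSG" and len(params) == 2 and params[0].lower() in C2_CHANNELS:
            found["leaks"].append(params[1])
    found["is_beacon"] = found["nick"] is not None and bool(found["channels"])
    return found
```

The nickname check is deliberately the primary signal: the server name is masked on this page and will change between samples, whereas the generated nickname format is compiled into the binary. Feed the function the client side of any stream to TCP 6667 exported from a packet capture.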

Hosts
The hosts file is modified as follows:

Existing entries are deleted and the entries below are written. Because each name is mapped to 127.0.0.1 (the local loopback address), the system can no longer reach these domains, so security vendor sites, update servers and online scanners are effectively blocked:
   • 127.0.0.1 www.virustotal.com
   • 127.0.0.1 www.pandasoftware.com
   • 127.0.0.1 www.norton.com
   • 127.0.0.1 www.nod32.com
   • 127.0.0.1 www.microsoft.com
   • 127.0.0.1 www.macafee.com
   • 127.0.0.1 www.kaspersky-labs.com
   • 127.0.0.1 www.hotmail.com
   • 127.0.0.1 www.download.mcafee.com
   • 127.0.0.1 pandasoftware.com
   • 127.0.0.1 norton.com
   • 127.0.0.1 nod32.com
   • 127.0.0.1 microsoft.com
   • 127.0.0.1 macafee.com
   • 127.0.0.1 bitdefender.com
   • 127.0.0.1 www.virusscan.jotti.org
   • 127.0.0.1 www.viruslist.com
   • 127.0.0.1 www.virscan.org
   • 127.0.0.1 www.trendmicro.com
   • 127.0.0.1 www.symantec.com
   • 127.0.0.1 www.sophos.com
   • 127.0.0.1 www.networkassociates.com
   • 127.0.0.1 www.nai.com
   • 127.0.0.1 www.my-etrust.com
   • 127.0.0.1 www.mcafee.com
   • 127.0.0.1 www.kaspersky.com
   • 127.0.0.1 www.grisoft.com
   • 127.0.0.1 www.f-secure.com
   • 127.0.0.1 www.ca.com
   • 127.0.0.1 www.avp.com
   • 127.0.0.1 virustotal.com
   • 127.0.0.1 virusscan.jotti.org
   • 127.0.0.1 viruslist.com
   • 127.0.0.1 virscan.org
   • 127.0.0.1 us.mcafee.com
   • 127.0.0.1 updates.symantec.com
   • 127.0.0.1 update.symantec.com
   • 127.0.0.1 trendmicro.com
   • 127.0.0.1 threatexpert.com
   • 127.0.0.1 symantec.com
   • 127.0.0.1 sophos.com
   • 127.0.0.1 securityresponse.symantec.com
   • 127.0.0.1 secure.nai.com
   • 127.0.0.1 scanner.novirusthanks.org
   • 127.0.0.1 rads.mcafee.com
   • 127.0.0.1 networkassociates.com
   • 127.0.0.1 nai.com
   • 127.0.0.1 my-etrust.com
   • 127.0.0.1 mcafee.com
   • 127.0.0.1 mast.mcafee.com
   • 127.0.0.1 liveupdate.symantecliveupdate.com
   • 127.0.0.1 liveupdate.symantec.com
   • 127.0.0.1 kaspersky.com
   • 127.0.0.1 kaspersky-labs.com
   • 127.0.0.1 f-secure.com
   • 127.0.0.1 download.mcafee.com
   • 127.0.0.1 dispatch.mcafee.com
   • 127.0.0.1 customer.symantec.com
   • 127.0.0.1 ca.com
   • 127.0.0.1 avp.com
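Since the trojan rewrites the hosts file wholesale, a reliable check is to parse that file and report every non-local name pointed at a loopback or unspecified address, independent of the exact domain list, which varies between variants. The script below is an added example for this page and not Avira's code. The sample hosts content is constructed: the stock Windows header, an assumed legitimate intranet entry, and a subset of the sinkholed vendor entries listed above.

```python
import ipaddress

# Constructed sample hosts file: stock Windows header, an assumed legitimate
# intranet mapping, and a few of the vendor entries this trojan writes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
10.0.0.5        intranet.corp.example    # assumed: a legitimate local entry
127.0.0.1 www.virustotal.com
127.0.0.1 www.microsoft.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 macafee.com
0.0.0.0 download.mcafee.com
"""

# Registrable domains from the page's list (subset); subdomains are matched too,
# so liveupdate.symantec.com is recognised via symantec.com.
BLOCKED_VENDOR_DOMAINS = {
    "virustotal.com", "microsoft.com", "symantec.com", "mcafee.com", "macafee.com",
    "kaspersky.com", "sophos.com", "f-secure.com", "trendmicro.com", "bitdefender.com",
}
# Names that legitimately map to loopback and must not be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for each mapping; comments and blanks are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # not a hosts mapping; tolerate junk lines
        for host in fields[1:]:
            yield lineno, ip, host.lower()


def _is_vendor_domain(host):
    parts = host.split(".")
    return any(".".join(parts[i:]) in BLOCKED_VENDOR_DOMAINS for i in range(len(parts) - 1))


def find_sinkholed_entries(text):
    """Return mappings that null-route a host: any non-local name pointed at a loopback
    (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::) address, flagging vendor domains."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append({"line": lineno, "ip": str(ip), "host": host,
                             "vendor": _is_vendor_domain(host)})
    return findings


def clean_hosts(text):
    """Return the hosts text with every sinkholed line removed (remediation step)."""
    bad = {f["line"] for f in find_sinkholed_entries(text)}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"
```

Read `%SYSDIR%\drivers\etc\hosts` from the suspect system, run `find_sinkholed_entries` on it, and write back `clean_hosts` only once the trojan's process is stopped, since it overwrites the file on execution. The `vendor` flag separates this family's known targets from other loopback entries, which may be a legitimate ad-blocking list and deserve a look rather than automatic removal.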


Miscellaneous
Mutex:
It creates the following mutex:
   • TTKRJPJD6S8GJHGT68DDJSOMSDL

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description submitted by Petre Galan on Monday, 18 July 2011
Description updated by Petre Galan on Monday, 18 July 2011
