Date discovered: 03/07/2012
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
File size: 94.720 Bytes
MD5 checksum: C142F7941922369C46E948FF508F67CE
VDF version: - Tuesday, July 3, 2012
IVDF version: - Tuesday, July 3, 2012

General
Method of propagation:
   • Autorun feature

Aliases:
   • McAfee: PWS-Spyeye
   • Kaspersky: Worm.Win32.Cridex.dc
   • Microsoft: Worm:Win32/Cridex.B
   • Grisoft: SHeur4.AHBZ
   • Eset: Win32/AutoRun.Spy.Banker.M worm
   • DrWeb: Trojan.DownLoader6.13798

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Third party control
   • Drops files
   • Registry modification

Files
It copies itself to the following location:
   • %APPDATA%\KB00027502.exe

%drive%\autorun.inf
This is a non-malicious text file with the following content:
   • %code that runs malware%

%TEMPDIR%\POS1.tmp
Furthermore, this file is executed as soon as it has been fully written. It is a batch file used to delete a file.

Registry
The following registry key is added in order to run the process after reboot:

   • "KB00027502.exe"="%APPDATA%\KB00027502.exe"

The following registry keys are added:

   • [HKCU\Software\Microsoft\Windows Media Center\C36E1C63]
   • [HKCU\Software\Microsoft\Windows Media Center\2FB0C48D]
   • [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
     "GlobalUserOffline"=dword:00000000

Backdoor
Contact server:
One of the following:
   • micros**********.ru
   • micros**********.ru
   • micros**********.ru
   • micros**********.ru

As a result, it may send information to the server, and remote control of the infected system may be provided.

Injection
It injects itself as a remote thread into a process.

Process name:
   • %WINDIR%\Explorer.EXE

File details
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description submitted by Daniel Mocanu on Wednesday, 8 August 2012
Description updated by Daniel Mocanu on Wednesday, 8 August 2012
