English
Deutsch
Francais
Español
Italian
Home
Virus Info
TR/Tcom.2
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
TR/Tcom.2 - Trojan
In alte limbi
Scurta descriere
Descriere completa
Statistici
How would you rate this information?
Worthless
Excellent
Nume:
TR/Tcom.2
Descoperit pe data de:
20/07/2005
Tip:
Troian
Subtip:
Downloader
ITW:
Nu
Numar infectii raportate:
Scazut
Potential de raspandire:
Scazut
Potential de distrugere:
Scazut
Fisier static:
Da
Marime:
26.624 Bytes
MD5:
8e3cf147f6d642b4e0808cec743d856e
Versiune VDF:
6.31.0.234
General
Metoda de raspandire:
• Nu are rutina proprie de raspandire
Alias:
• Symantec: Backdoor.Nibu.L
• Mcafee: BackDoor-CCT
• Kaspersky: Trojan-Spy.Win32.Agent.fe
• TrendMicro: TROJ_DUMADOR.AV
• VirusBuster: Backdoor.Dumador.BM
Sistem de operare:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Efecte secundare:
• Blocheaza accesul la website-uri ale firmelor de securitate
• Reduce setarile de securitate
• Inregistreaza intrarile de la tastatura
• Modificari in registri
• Sustrage informatii
Fisiere
Se copiaza in urmatoarea locatie:
•
%SYSDIR%
\windldra.exe
Sterge urmatorul fisier:
•
%WINDIR%
\send_logs_trigger
Sunt create fisierele:
–
%WINDIR%
\netdx.dat Indicator folosit pentru o rutina interna.
–
%WINDIR%
\dvpd.dll
–
%WINDIR%
\prntsvra.dll
–
%TEMPDIR%
\fe43e701.htm Acest fisier stocheaza datele introduse de utilizator la tastatura.
–
%WINDIR%
\prntc.log
–
%WINDIR%
\prntk.log
Registrii sistemului
Urmatoarea cheie este adaugata in registri pentru a rula procesul la repornirea sistemului:
– [HKLM\software\microsoft\windows\currentversion\run\]
• "load32"="
%SYSDIR%
\winldra.exe"
Urmatoarele chei sunt adaugate in registrii sistemului:
– [HKCU\software\sars\]
• "SocksPort"=dword:
%combinatie de caractere aleatoare%
– [HKCU\software\microsoft\internet explorer\main\]
• "AllowWindowReuse"=dword:00000000
Fisiere host
Fisierul
– In acest caz inregistrarile existente raman nemodificate.
– Accesul la urmatoarele domenii este blocat:
• www.trendmicro.com; trendmicro.com; rads.mcafee.com;
customer.symantec.com; liveupdate.symantec.com; us.mcafee.com;
updates.symantec.com; update.symantec.com; www.nai.com; nai.com;
secure.nai.com; dispatch.mcafee.com; download.mcafee.com;
www.my-etrust.com; my-etrust.com; mast.mcafee.com; ca.com; www.ca.com;
networkassociates.com; www.networkassociates.com; avp.com;
www.kaspersky.com; www.avp.com; kaspersky.com; www.f-secure.com;
f-secure.com; viruslist.com; www.viruslist.com;
liveupdate.symantecliveupdate.com; mcafee.com; www.mcafee.com;
sophos.com; www.sophos.com; symantec.com;
securityresponse.symantec.com; us.mcafee.com/root/; www.symantec.com
Fisierul hosts modificat va arata astfel:
Backdoor
Deschide porturile:
–
%fisier executat%
port TCP aleator pentru a functiona ca server proxy.
–
%fisier executat%
pe portul TCP 9125 pentru a oferi functionalitate de backdoor.
Servere contactate:
• http://222.36.41.**********/system32/logger.php
Astfel se pot transmite informatii. Aceasta se face printr-o interogare HTTP GET intr-un script PHP.
Trimte informatii despre:
• Loguri create
• Informatii despre retea
• ID-ul platformei
Furt de informatii
Incearca sa obtina urmatoarele informatii:
– Parolele din urmatoarele programe:
• WebMoney
• Far Manager
• Total Commander
• Outlook
• Outlook Express
– Este pornita o rutina de logare dupa ce viziteaza un site care contine unul din urmatoarele siruri de caractere in URL:
• "gold"; "Storm"; "e-metal"; "Money"; "money"; "WM Keeper"; "Keeper";
"Fethard"; "fethard"; "bull"; "Bull"; "mull"; "PayPal"; "Bank";
"bank"; "cash"; "anz"; "ANZ"; "shop"; "Shop"; "..."; "ebay"; "invest";
"casino"; "bookmak"; "pay"; "member"; "fund"; "Invest"; "Casino";
"Bookmak"; "Pay"; "Member"; "Fund"; "bet"; "Bet"; "bill"; "Bill";
"login"; "Login"
– Face captura la:
• Datele introduse de la tastatura
• Informatii legate de fereastra
• Fereastra browserului Internet
• Informatii de logare
Injectarea codului malware in alte procese
– Se injecteaza intr-un proces.
Numele procesului:
• Internet Explorer
Pentru o descriere scurta click
aici
.
Descriere introdusa de Sergiu Oprea la Wed, 03 Aug 2005 11:04 (GMT+1)
Descriere actualizata de Oliver Auerbach la Tue, 18 Oct 2005 21:47 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
W32/Elkern.C
Worm/Bagle.FJ
Worm/Mytob.DH
Worm/Netsky.D.Dam
Worm/Lovgate.W
Halifax 27
TR/Dldr.Agent.aizj
JS/Dldr.Small.CR.2
TR/Dldr.Agent.XAE
JS/Dldr.Agent.bbt
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info TR/Tcom.2
Print this page
.gif)
