English
Deutsch
Français
Español
Italiano
Home
Virus Info
TR/Drop.Bomka.G.2
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
TechBlog
TR/Drop.Bomka.G.2 - Trojan
In alte limbi
Scurta descriere
Descriere completa
Statistici
How would you rate this information?
Worthless
Excellent
Nume:
TR/Drop.Bomka.G.2
Descoperit pe data de:
09/02/2006
Tip:
Troian
Subtip:
Dropper
ITW:
Nu
Numar infectii raportate:
Scazut
Potential de raspandire:
Scazut
Potential de distrugere:
Scazut spre mediu
Fisier static:
Da
Marime:
185.953 Bytes
MD5:
141dd10Ecaaffae90828993c1f2aab70
Versiune VDF:
6.33.00.212
General
Metoda de raspandire:
• Nu are rutina proprie de raspandire
Alias:
• Mcafee: AdClicker-DW
• TrendMicro: TROJ_BOMKA.G
• Sophos: Troj/Bombka-F
• Panda: Trj/Dropper.QN
• Bitdefender: Trojan.Downloader.Bomka.G
Sistem de operare:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
Efecte secundare:
• Creeaza fisiere
• Creeaza un fisier malware
• Modificari in registri
• Sustrage informatii
Fisiere
Sunt create fisierele:
– Un fisier temporar care poate fi sters dupa aceea:
•
%TEMPDIR%
\ns
%combinatie de caractere aleatoare%
.tmp
–
%SYSDIR%
\kaboom.dll Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: TR/Dldr.Bomka.G
–
%TEMPDIR%
\game1.exe Fisierul este executat dupa ce a fost creat.
Registrii sistemului
Inregistreaza un browser helper object (BHO) prin adaugarea urmatoarelor chei in registri:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}]
– [HKCR\Horde.Labspak]
• @="Labspak"
– [HKCR\Horde.Labspak\CLSID]
• @="{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}"
– [HKCR\Horde.Labspak\CurVer]
• @="Horde.Labspak.1"
– [HKCR\Horde.Labspak.1]
• @="Labspak"
– [HKCR\Horde.Labspak.1\CLSID]
• @="{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}"
– [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}]
• @="Labspak"
– [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}\InprocServer32]
• @="
%SYSDIR%
\kaboom.dll"
• "ThreadingModel"="Apartment"
– [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}\ProgID]
• @="Horde.Labspak.1"
– [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}\Programmable]
– [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}\TypeLib]
• @="{90EC7761-4998-4536-B4D7-9EB72ADB3042}"
– [HKCR\CLSID\{FAFC3FDD-D9E8-4770-843D-F105F0D7E409}\
VersionIndependentProgID]
• @="Horde.Labspak"
– [HKCR\TypeLib\{90EC7761-4998-4536-B4D7-9EB72ADB3042}\3.0]
• @="KABOOMLib"
– [HKCR\TypeLib\{90EC7761-4998-4536-B4D7-9EB72ADB3042}\3.0\0\win32]
• @="
%SYSDIR%
\kaboom.dll"
– [HKCR\TypeLib\{90EC7761-4998-4536-B4D7-9EB72ADB3042}\3.0\FLAGS]
• @="0"
– [HKCR\TypeLib\{90EC7761-4998-4536-B4D7-9EB72ADB3042}\3.0\HELPDIR]
• @="
%SYSDIR%
\"
Urmatoarele chei sunt adaugate in registrii sistemului:
– [HKLM\SOFTWARE\Microsoft\Zeal]
• "campaign_id"="18"
• "is_dialup"=dword:
%numar hexazecimal%
• "user_id"="
%sir de 6 caractere aleatoare%
"
• "sleep_delay"=dword:
%numar hexazecimal%
• "install_delay"=dword:
%numar hexazecimal%
• "main_delay"=dword:
%numar hexazecimal%
• "stage"=dword:
%numar hexazecimal%
• "timeout"=dword:
%numar hexazecimal%
– [HKCR\Interface\{9F111438-8C25-4BEB-A9F6-841FD4728B22}]
• @="ILabspak"
– [HKCR\Interface\{9F111438-8C25-4BEB-A9F6-841FD4728B22}\
ProxyStubClsid]
• @="{00020424-0000-0000-C000-000000000046}"
– [HKCR\Interface\{9F111438-8C25-4BEB-A9F6-841FD4728B22}\
ProxyStubClsid32]
• @="{00020424-0000-0000-C000-000000000046}"
– [HKCR\Interface\{9F111438-8C25-4BEB-A9F6-841FD4728B22}\TypeLib]
• @="{90EC7761-4998-4536-B4D7-9EB72ADB3042}"
• "Version"="3.0"
Backdoor
Servere contactate:
Unul dintre:
• joywebserfer.com/counter11/**********
• cleverhead.info/counter11/**********
• wannabcool.info/counter11/**********
• somethngcool.info/counter11/**********
• sortbycool.info/counter11/**********
• mucho-cool.com/counter11/**********
• epromosystems.com/counter11/**********
Urmatorul:
• mucho-cool.com/counter11/**********
Astfel se pot transmite informatii si se poate obtine control la distanta. Aceasta se face printr-o interogare HTTP GET intr-un script PHP.
Raspunsul serverului este scris in fisierul:
%TEMPDIR%
\s32o.%random number%
Trimte informatii despre:
• Numele sistemului
• Utilizatorul curent
• Tipul conexiunii la Internet
• ID-ul platformei
Posibilitati de control la distanta:
• Vizitarea unui website
Injectarea codului malware in alte procese
– Injecteaza fisierul urmator intr-un proces: kaboom.dll
Numele procesului:
• iexplore.exe
Detaliile fisierului
Limbaj de programare:
Limbaj de programare folosit: C (compilat cu Microsoft Visual C++).
Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit urmatorul program de arhivare:
• UPX
Pentru o descriere scurta click
aici
.
Descriere introdusa de Daniel Constantin la Tue, 14 Feb 2006 09:21 (GMT+1)
Descriere actualizata de Daniel Constantin la Tue, 14 Feb 2006 09:37 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
TR/Crypt.XPACK.Gen
HEUR/HTML.Malware
HTML/Infected.WebPage.Gen
ADSPY/AdSpy.Gen
HTML/Crypted.Gen
W32/Induc.Gen
TR/ATRAPS.Gen2
TR/Click.Yabector.8857.2
TR/PSW.Magania.auv
TR/Dldr.Bredolab.AX
Get comfortable up to the minute info from Avira as
Detects and removes distinct malware and its variants.
Download here
Click
here
to get the panel...
© 2009 Avira GmbH
Copyright
|
Privacy
|
Sitemap
|
Feedback
|
Imprint
|
FAQ
|
Contact
Virus Info 
Print this page
.gif)
