W32/Hidrag.a - Malware

In alte limbi

Scurta descriere

Descriere completa

Statistici

Nume:	W32/Hidrag.a
Descoperit pe data de:	13/04/2005
Tip:	File Infector
ITW:	Nu
Numar infectii raportate:	Scazut
Potential de raspandire:	Scazut spre mediu
Potential de distrugere:	Scazut spre mediu
Fisier static:	Nu
Marime:	~ 36.352 Bytes
Versiune VDF:	6.30.00.93

General Metoda de raspandire:
   • Discuri de retea mapate

Alias:
   • Symantec: W32.Jeefo
   • Mcafee: W32/Jeefo
   • Kaspersky: Virus.Win32.Hidrag.a
   • TrendMicro: PE_JEEFO.A
   • F-Secure: Virus.Win32.Hidrag.a
   • Sophos: W32/Jeefo-A
   • Grisoft: Win32/Hidrag.A
   • Eset: Win32/Jeefo.A
   • Bitdefender: Win32.Jeefo.A

Sistem de operare:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Efecte secundare:
   • Creeaza un fisier malware
   • Modificari in registri

   Description

   W32/Hidrag.a is a non-dangerous memory resident virus that infects Win32 PE EXE files.

   The virus searches for files to infect and upon infection it encrypts part of the file.

   When an infected file is executed, it drops the first-generation infector in the Windows directory as svchost.exe, which is registered as "Power Manager" service (on Windows NT/2000/XP). The virus then executes the original file without manifesting itself in any way.

Fisiere Este creat fisierul:

– %WINDIR%\svchost.exe Fisierul este executat dupa ce a fost creat. Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: W32/Hidrag.a

Registrii sistemului Urmatoarele chei sunt adaugate in registri pentru a incarca serviciul la repornirea sistemului:

– [HKLM\SYSTEM\CurrentControlSet\Services\PowerManager]
   • "Type"=dword:00000010
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"="%WINDIR%\svchost.exe"
   • "DisplayName"="Power Manager"
   • "ObjectName"="LocalSystem"
   • "Description"="Manages the power save features of the computer."

– [HKLM\SYSTEM\CurrentControlSet\Services\PowerManager]
   • "Security"=%valori hex%

– [HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Enum]
   • "0"="Root\\LEGACY_POWERMANAGER\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

Alte informatii Mutex:
Creeaza urmatorul mutex:
• PowerManagerMutant

Sir de caractere:
In plus, mai contine urmatorul sir de caractere:
• Hidden Dragon virus. Born in a tropical swamp.

Pentru o descriere scurta click aici.

Descriere introdusa de Daniel Constantin la Tue, 03 Apr 2007 08:55 (GMT+1)
Descriere actualizata de Daniel Constantin la Tue, 03 Apr 2007 10:26 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back