Нужен совет? Обратитесь за помощью к сообществу или специалистам.
Перейти к Avira Answers
Date discovered:25/04/2008
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:23.040 Bytes
MD5 checksum:9481e26583db9d77b301b1232d786e84
IVDF version:

 General Method of propagation:
   • No own spreading routine

   •  Kaspersky: Trojan.Win32.Agent.fxp
   •  F-Secure: Trojan.Win32.Agent.fxp
   •  Sophos: W32/IRCBot-ACE
   •  Eset: Win32/IRCBot.AAH
   •  Bitdefender: Win32.Worm.Slenfbot.B

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Blocks access to security websites
   • Registry modification
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\texds.exe

It deletes the initially executed copy of itself.

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • Terminal Execution Exchange Deamon Service = texds.exe

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: secure.freebsd.la
Port: 9798
Server password: su1c1d3
Channel: #ghetto#
Nickname: \00\USA\%random character string%
Password: 3atsh1t

 Hosts The host file is modified as explained:

– In this case existing entries are deleted.

– Access to the following domains is effectively blocked:
   • jayloden.com; www.jayloden.com; www.spywareinfo.com; spywareinfo.com;
      www.spybot.info; spybot.info; kaspersky.com; kaspersky-labs.com;
      www.kaspersky.com; www.majorgeeks.com; majorgeeks.com;
      securityresponse.symantec.com; symantec.com; www.symantec.com;
      updates.symantec.com; liveupdate.symantecliveupdate.com;
      liveupdate.symantec.com; customer.symantec.com; update.symantec.com;
      www.sophos.com; sophos.com; www.virustotal.com; virustotal.com;
      www.mcafee.com; mcafee.com; rads.mcafee.com; mast.mcafee.com;
      download.mcafee.com; dispatch.mcafee.com; us.mcafee.com;
      www.trendsecure.com; trendsecure.com; www.viruslist.com;
      viruslist.com; www.hijackthis.de; hijackthis.de; f-secure.com;
      www.f-secure.com; Merijn.org; www.Merijn.org; www.avp.com; avp.com;
      analysis.seclab.tuwien.ac.at; www.bleepingcomputer.com;
      bleepingcomputer.com; trendmicro.com; www.trendmicro.com;
      www.safer-networking.org; safer-networking.org; grisoft.com;

The modified host file will look like this:

 Rootkit Technology It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.

Hides the following:
– Its own process

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Описание добавил Andrei Gherman в(о) пятница, 25 июля 2008 г.
Описание обновил Andrei Gherman в(о) пятница, 25 июля 2008 г.

Назад . . . .