Нужен совет? Обратитесь за помощью к сообществу или специалистам.
Перейти к Avira Answers
Date discovered:27/04/2011
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:165.376 Bytes
MD5 checksum:08120d644f58ca9c67f915479cc28209
VDF version:
IVDF version:

 General Aliases:
   •  Kaspersky: Backdoor.Win32.Gbot.ebg
   •  F-Secure: Trojan.Downloader.JOIC
   •  Bitdefender: Trojan.Downloader.JOIC
   •  GData: Trojan.Downloader.JOIC
   •  DrWeb: Trojan.DownLoader2.39361

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Registry modification
   • Makes use of software vulnerability
      •  CVE-2007-1204
      •  MS07-019

 Files It copies itself to the following location:
   • %HOME%\Application Data\Microsoft\conhost.exe

The following file is created:

– %HOME%\Application Data\01E2.543

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "conhost"="%HOME%\Application Data\Microsoft\conhost.exe"

It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   • "EnableFirewall"=dword:0x00000000

 Miscellaneous  Checks for an internet connection by contacting the following web site:
   • http://www.google.com
Accesses internet resources:
   • http://onlinedatingsecretfriends.com/images/**********?v93=%number%&tq=%character string%
   • http://zonedg.com/**********?tq=%character string%
   • http://wapmobilesoftonline.com/blog/images/**********?v91=%number%&tq=%character string%
   • http://videosamplestore.com/blog/images/**********?v46=%number%&tq=%character string%
   • http://xprstats.com/images/**********?tq=%character string%
   • http://122343234.motostyleclub.com/blog/images/**********?v49=%number%&tq=%character string%
   • http://newworlddisordervideo.com/blog/images/**********?v24=%number%&tq=%character string%
   • http://onlinebizdirectory.com/images/**********?v24=%number%&tq=%character string%

It creates the following Mutexes:
   • {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
   • {A5B35993-9674-43cd-8AC7-5BC5013E617B}
   • {B5B35993-9674-43cd-8AC7-5BC5013E617B}
   • {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
   • {C66E79CE-8935-4ed9-A6B1-4983619CB925}
   • {61B98B86-5F44-42b3-BCA1-33904B067B81}

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Описание добавил Petre Galan в(о) четверг, 30 июня 2011 г.
Описание обновил Petre Galan в(о) четверг, 30 июня 2011 г.

Назад . . . .