Virus: ADSPY/Deltabho.A
Date discovered: 10/04/2013
Type: Adware/Spyware
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
VDF version: 7.11.71.182 - Wednesday, April 10, 2013
IVDF version: 7.11.71.182 - Wednesday, April 10, 2013

General
Method of propagation:
   • No own spreading routine


Alias:
     AVG: Win32/Validace_partial.nsis1


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification

Files
It deletes the following files:
   • %temp%p\nsq3.tmp
   • %temp%\nsf4.tmp
   • %temp%\nsf4.tmp\UserInfo.dll
   • %temp%\nsf4.tmp\System.dll
   • %temp%\nsf4.tmp\nsisos.dll
   • %temp%\nsf4.tmp\mt.dll
   • %temp%\nsf4.tmp\Time.dll



The following files are created:

Non malicious files:
   • %PROGRAM FILES%\Delta\delta\1.8.16.16\deltaEng.dll
   • %PROGRAM FILES%\Delta\delta\1.8.16.16\bh\delta.dll
   • %PROGRAM FILES%\Delta\delta\1.8.16.16\deltaApp.dll
   • %PROGRAM FILES%\Delta\delta\1.8.16.16\escortShld.dll
   • %PROGRAM FILES%\Delta\delta\1.8.16.16\deltaTlbr.dll
   • %temp%\nsf4.tmp\md5dll.dll
   • %PROGRAM FILES%\Delta\delta\1.8.16.16\uninstall.exe

   • %PROGRAM FILES%\Delta\delta\1.8.16.16\deltasrv.exe
Furthermore, this file is executed once it has been fully written to disk.

Registry
The following registry keys are added in order to load the services after reboot:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
   • "{82E1477C-B154-48D3-9891-33D83C26BCD3}"="Delta Toolbar"

[HKLM\SYSTEM\ControlSet001\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\C:\DOCUME~1\KARZEM~1\LOCALS~1\Temp\nsf4.tmp\Time.dll;"



The following registry keys are added:

[HKCR\CLSID\{82E1477C-B154-48D3-9891-33D83C26BCD3}\ProgID]
   • @="delta.deltadskBnd.1"

[HKCR\CLSID\{82E1477C-B154-48D3-9891-33D83C26BCD3}\VersionIndependentProgID]
   • @="delta.deltadskBnd"

[HKCR\CLSID\{82E1477C-B154-48D3-9891-33D83C26BCD3}\InprocServer32]
   • @="C:\Program Files\\Delta\\delta\\1.8.16.16\\deltaTlbr.dll"
   • "ThreadingModel"="apartment"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{348C2DF3-1191-4C3E-92A6-B3A89A9D9C85}]
   • "Policy"=dword:00000003
   • "AppName"="deltasrv.exe"
   • "AppPath"="C:\Program Files\\Delta\\delta\\1.8.16.16"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}]
   • @="delta Helper Object"
   • "NoExplorer"=dword:00000001

[HKCR\CLSID\{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}\InprocServer32]
   • @="C:\Program Files\\Delta\\delta\\1.8.16.16\\bh\\delta.dll"
   • "ThreadingModel"="apartment"

[HKLM\SOFTWARE\Delta\delta\Instl]
   • "InstallDir"="C:\Program Files\\Delta\\delta\\1.8.16.16"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\delta]
   • "DisplayName"="Delta toolbar "
   • "UninstallString"="\"C:\Program Files\\Delta\\delta\\1.8.16.16\\uninstall.exe\""
   • "DisplayIcon"="\"C:\Program Files\\Delta\\delta\\1.8.16.16\\deltasrv.exe\""
   • "DisplayVersion"="1.8.16.16"
   • "Comments"="Delta toolbar "
   • "Publisher"="Delta"
   • "NoModify"=dword:00000001
   • "NoRepair"=dword:00000001
   • "EstimatedSize"=dword:000009c4

[HKCR\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0]
   • @="escortApp 1.0 Type Library"

[HKCR\delta.deltaappCore]
   • @="appCore Object"

[HKCR\Interface\{1231839B-064E-4788-B865-465A1B5266FD}\ProxyStubClsid]
   • @="{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1231839B-064E-4788-B865-465A1B5266FD}\ProxyStubClsid32]
   • @="{00020424-0000-0000-C000-000000000046}"

Miscellaneous
Internet connection:
To check for its internet connection, the following DNS servers are contacted:
   • crl.como**********.com
   • crl.user**********.com


Event handler:
It creates the following Event handlers:
   • CopyFile
   • GetWindowsDirectory
   • CreateProcess
   • GetSystemDirectory
   • CreateFile
   • FindNextFile
   • FindFirstFile

Description added by Wensin Lee on Friday, April 12, 2013.
Description updated by Wensin Lee on Friday, April 12, 2013.
