Need help? Ask the community or hire an expert.
Go to Avira Answers
病毒:TR/Fake.Rean.305
发现日期:13/12/2012
类型:特洛伊木马
广泛传播:
病毒传播个案呈报:低程度
感染/传播能力:低程度
破坏 / 损害程度:低程度至中程度
静态文件:
文件大小:339.968 字节
MD5 校检和:94F526B3A5D142417B23DAA9BED86CBC
VDF 版本:7.11.53.216 - 13 Aralık 2012 Perşembe
IVDF 版本:7.11.53.216 - 13 Aralık 2012 Perşembe

 况概描述 传播方法:
   • 无内置传播例程


别名:
   •  TrendMicro: TROJ_FAKEAV.SMIN
   •  Sophos: Mal/FakeAV-JR
   •  Microsoft: Rogue:Win32/FakeRean


平台/操作系统:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


副作用:
   • 阻止对安全网站的访问
   • 植入文件
   • 降低系统安全设置
   • 注册表修改


执行完毕之后会显示以下信息:




 文件 它将本身复制到以下位置:
   • %HOME%\Local Settings\Application Data\%随机字符串%.exe



它会删除其本身最初执行的副本。



创建以下文件:

– %TEMPDIR%\7370jh63o4m2k83g6lx7uq5358viy257
– %ALLUSERSPROFILE%\Application Data\7370jh63o4m2k83g6lx7uq5358viy257
– %HOME%\Local Settings\Application Data\7370jh63o4m2k83g6lx7uq5358viy257
– %TEMPDIR%\7370jh63o4m2k83g6lx7uq5358viy257
– %HOME%\Templates\7370jh63o4m2k83g6lx7uq5358viy257

 注册表 会添加以下注册表项目注册值:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile]
   • "DoNotAllowExceptions"=dword:00000000
   • "EnableFirewall"=dword:00000000
   • "DisableNotifications"=dword:00000001

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\DomainProfile]
   • "EnableFirewall"=dword:00000000
   • "DoNotAllowExceptions"=dword:00000000
   • "DisableNotifications"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "ctfmon.exe"="%SYSDIR%\ctfmon.exe"

– [HKCR\.exe\shell\open\command]
   • "(Default)"="\"%HOME%\Local Settings\Application Data\\%随机字符串%.exe\" -a \"%1\" %*"
   • "IsolatedCommand"="\"%1\" %*"

– [HKCR\exefile\shell\open\command]
   • "(Default)"="\"%HOME%\Local Settings\Application Data\\%随机字符串%.exe\" -a \"%1\" %*"
   • "IsolatedCommand"="\"%1\" %*"

– [HKCR\exefile\shell\runas\command]
   • "(Default)"="\"%1\" %*"
   • "IsolatedCommand"="\"%1\" %*"

– [HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\
   command]
   • "(Default)"="\"%HOME%\Local Settings\Application Data\\%随机字符串%.exe\" -a \"%PROGRAM FILES%\Intern"



会更改以下注册表项:

– [HKLM\SOFTWARE\Microsoft\Security Center]
   新值:
   • "AntiVirusDisableNotify"=dword:00000001
   • "FirewallDisableNotify"=dword:00000001
   • "FirewallOverride"=dword:00000001
   • "UpdatesDisableNotify"=dword:00000001
   • "AntiVirusOverride"=dword:00000001

 注入进程 – 它会将其本身作为远程线程注入到进程中。

    进程名:
   • iexplore.exe


 其他 访问 Internet 资源:
   • **********yziriryvi.com/1003004112;
      **********ipemura.com/1003004112;
      **********awekugygil.com/1003004112;
      **********ifyzadiby.com/1003004112;
      **********ijinymut.com/1003004112;
      **********uwemixonav.com/1003004112;
      **********exynogemi.com/1003004112;
      **********elaticik.com/1003004112;
      **********inolecowary.com/1003004112;
      **********ofociv.com/1003004112;
      **********ucerybaqecy.com/1003004112;
      **********upowibi.com/1003004112;
      **********ujykolenuja.com/1003004112;
      **********exyhun.com/1003004112;
      **********oralipijago.com/1003004112;
      **********ykacagatet.com/1003004112;
      **********ulipum.com/1003004112;
      **********isesyf.com/1003004112;
      **********ityvik.com/1003004112;
      **********ejutyhyfu.com/1003004112;
      **********usaseda.com/1003004112;
      **********ehiqino.com/1003004112;
      **********idicawisos.com/1003004112;
      **********ibipaj.com/1003004112;
      **********ixydyf.com/1003004112;
      **********unemymyko.com/1003004112;
      **********upinycom.com/1003004112;
      **********ygizeq.com/1003004112;
      **********emolezala.com/1003004112;
      **********ecolun.com/1003004112

Açıklamayı yerleştiren Andrei Ilie tarihinde 16 Ağustos 2011 Salı
Açıklamayı güncelleyen: Andrei Ilie tarihinde 16 Ağustos 2011 Salı

Geri . . . .
https:// Bu pencere güvenlik amacıyla şifrelenmiştir.