Need help? Ask the community or hire an expert.
Go to Avira Answers
病毒:TR/Reveton.A.432
发现日期:13/12/2012
类型:特洛伊木马
广泛传播:
病毒传播个案呈报:低程度至中程度
感染/传播能力:低程度
破坏 / 损害程度:低程度
文件大小:213.016 字节
MD5 校检和:f91cc13a0D484e3b9ce1d244edb52035
VDF 版本:7.11.53.216 - 13 Aralık 2012 Perşembe
IVDF 版本:7.11.53.216 - 13 Aralık 2012 Perşembe

 况概描述 传播方法:
   • 无内置传播例程


别名:
   •  Mcafee: Generic.evx!bu
   •  Kaspersky: HEUR:Trojan.Win32.Generic
   •  Bitdefender: Trojan.Reveton.E
   •  Microsoft: Trojan:Win32/Reveton.A
   •  Grisoft: Generic27.ATPP
   •  Eset: a variant of Win32/Kryptik.ACQF trojan
   •  GData: Trojan.Reveton.E
   •  DrWeb: Trojan.Siggen3.52657


平台/操作系统:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


副作用:
   • 被用于修改系统设置,允许或扩大潜在的恶意行为。
   • 下载文件
   • 记录按键
   • 注册表修改

 文件 创建以下文件:

– 非恶意文件:
   • %HOMEPATH%\Start Menu\Programs\Startup\sample.exe.lnk

 注册表 会添加以下注册表项,以便在系统重新引导之后加载服务:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\0]
   • "2500"=dword:00000003

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\1]
   • "2500"=dword:00000003

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\2]
   • "2500"=dword:00000003

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\3]
   • "2500"=dword:00000003

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\4]
   • "2500"=dword:00000003

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   • "NoProtectedModeBanner"=dword:00000001



会添加以下注册表项目注册值:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   • "DisableTaskMgr"=dword:00000001



会更改以下注册表项:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\0]
   旧值:
   • "1609"=dword:00000001
   新值:
   • "1609"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\1]
   旧值:
   • "1609"=dword:00000001
   新值:
   • "1609"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\2]
   旧值:
   • "1609"=dword:00000001
   新值:
   • "1609"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\3]
   旧值:
   • "1609"=dword:00000001
   新值:
   • "1609"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   Zones\4]
   旧值:
   • "1609"=dword:00000001
   新值:
   • "1609"=dword:00000000

 其他 互联网连接:
为了检查互联网连接,会访问以下 DNS 服务器:
   • http://91.217.**********.**********/**********.rar


事件处理程序 (Event Handler):
它会创建事件处理程序:
   • StartMenuForceRefresh
   • ImageList_ReplaceIcon
   • WaitForSingleObject
   • DisableShowAtLogon
   • StartupHasBeenRun
   • GetAsyncKeyState
   • TrackMouseEvent
   • TaskbarCreated

Açıklamayı yerleştiren Wensin Lee tarihinde 16 Mart 2012 Cuma
Açıklamayı güncelleyen: Wensin Lee tarihinde 19 Mart 2012 Pazartesi

Geri . . . .
https:// Bu pencere güvenlik amacıyla şifrelenmiştir.