Virus: Worm/Autorun.bgjc
Date discovered: 03/05/2010
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 118,784 bytes
MD5 checksum: 5507d7602b6afb61dbd8787e9a16e80c
IVDF version: 7.10.07.21 - Monday, May 3, 2010

General
Method of propagation:
   • Autorun feature


Aliases:
   •  Sophos: Mal/VBInject-T
   •  Panda: W32/IRCbot.CXC
   •  Eset: Win32/Boberog.AQ
   •  Bitdefender: Trojan.Generic.KD.8011


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Third party control

Files
It copies itself to the following locations:
   • %TEMPDIR%\lssas.exe
   • %drive%\TRASH\DFG-2352-66235-2352322-634621321-6662355\365345.exe



The following files are created:

%drive%\autorun.inf (a non-malicious text file with the following content):
   • %code that runs malware%

%drive%\TRASH\DFG-2352-66235-2352322-634621321-6662355\Desktop.ini



It tries to execute the following files:

Filename:
   • netsh firewall add allowedprogram %TEMPDIR%\lssas.exe WindowsSafety ENABLE


Filename:
   • taskkill /IM winlog.exe


Filename:
   • taskkill /IM svchost.exe


Filename:
   • taskkill /IM csrss.exe


Filename:
   • taskkill /IM lsass.exe


Filename:
   • "%TEMPDIR%\lssas.exe"

Registry
The following registry values are added in order to run the dropped file again after reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Google Updater"="%TEMPDIR%\lssas.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Google Updater"="%TEMPDIR%\lssas.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "MicrosoftCorp"="%TEMPDIR%\lssas.exe"



It creates the following entry in order to bypass the Windows XP firewall:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%TEMPDIR%\lssas.exe"="%TEMPDIR%\lssas.exe:*:Enabled:Windows Defense"
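The Run-key persistence values and the firewall exception above are the host-side indicators a responder would check for. The following triage script is an added example, not part of the Avira description: it scans exported registry values for these indicators, parses the XP SP2 AuthorizedApplications value format, and runs over a constructed sample in which %TEMPDIR% is expanded to an assumed path.

```python
import ntpath

# Indicators from the Worm/Autorun.bgjc description above (key paths lower-cased for comparison).
RUN_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\policies\explorer\run",
}
FIREWALL_LIST_KEY = (r"hklm\system\currentcontrolset\services\sharedaccess\parameters"
                     r"\firewallpolicy\standardprofile\authorizedapplications\list")
DROPPED_NAME = "lssas.exe"               # typosquat of the legitimate lsass.exe
RUN_VALUE_NAMES = {"Google Updater", "MicrosoftCorp"}
FIREWALL_LABEL = "Windows Defense"

def parse_firewall_entry(data):
    """Split '<path>:<scope>:<mode>:<label>' from the right so the drive colon survives."""
    parts = data.rsplit(":", 3)
    return dict(zip(("path", "scope", "mode", "label"), parts)) if len(parts) == 4 else None

def scan_registry(entries):
    """entries: (key, value_name, value_data) tuples; returns (severity, name, reason) list."""
    findings = []
    for key, name, data in entries:
        key_l = key.lower()
        if key_l in RUN_KEYS:   # autostart values: the dropped file, or the worm's value names
            if ntpath.basename(data.strip('"')).lower() == DROPPED_NAME:
                findings.append(("high", name, "Run value launches " + DROPPED_NAME))
            elif name in RUN_VALUE_NAMES:
                findings.append(("medium", name, "Run value name used by the worm"))
        elif key_l == FIREWALL_LIST_KEY:   # XP SP2 firewall exception list
            fw = parse_firewall_entry(data)
            if fw and (ntpath.basename(fw["path"]).lower() == DROPPED_NAME
                       or fw["label"] == FIREWALL_LABEL):
                findings.append(("high", name, "firewall exception for " + DROPPED_NAME))
    return findings

# Constructed sample export: two benign values plus the persistence values and the
# firewall exception listed in the description (TEMP is an assumed %TEMPDIR% path).
TEMP = r"C:\Documents and Settings\user\Local Settings\Temp"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = [
    (RUN_HKCU, "Google Update", r"C:\Program Files\Google\Update\GoogleUpdate.exe /c"),
    (RUN_HKCU, "Google Updater", TEMP + r"\lssas.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Google Updater", TEMP + r"\lssas.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
     "MicrosoftCorp", '"' + TEMP + r'\lssas.exe"'),
    (FIREWALL_LIST_KEY, r"C:\Program Files\Messenger\msmsgs.exe",
     r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"),
    (FIREWALL_LIST_KEY, TEMP + r"\lssas.exe", TEMP + r"\lssas.exe:*:Enabled:" + FIREWALL_LABEL),
]
```

Running scan_registry(SAMPLE) reports the three Run values and the firewall exception as high and leaves the two benign entries alone.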

IRC
To deliver system information and to provide remote control, it connects to the following IRC servers:

Server: stores.del**********.net
Port: 1234
Channel: #b#
Nickname: {NEW}[USA][XP-SP2]%number%

Server: bb.ceg**********.org
Port: 1234
Channel: #b#
Nickname: {NEW}[USA][XP-SP2]%number%

File details
Programming language:
The malware program was written in Visual Basic.

Description inserted by: Petre Galan on Thursday, June 24, 2010
Description updated by: Petre Galan on Thursday, June 24, 2010
