需要修复电脑?
聘请专家
Virus:TR/Kazy.19967.93
Date discovered:27/04/2011
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:165.376 Bytes
MD5 checksum:08120d644f58ca9c67f915479cc28209
VDF version:7.11.07.60 - Wednesday, April 27, 2011
IVDF version:7.11.07.60 - Wednesday, April 27, 2011

 General Aliases:
   •  Kaspersky: Backdoor.Win32.Gbot.ebg
   •  F-Secure: Trojan.Downloader.JOIC
   •  Bitdefender: Trojan.Downloader.JOIC
   •  GData: Trojan.Downloader.JOIC
   •  DrWeb: Trojan.DownLoader2.39361


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification
   • Makes use of software vulnerability
      •  CVE-2007-1204
      •  MS07-019

 Files It copies itself to the following location:
   • %HOME%\Application Data\Microsoft\conhost.exe



The following file is created:

– %HOME%\Application Data\01E2.543

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "conhost"="%HOME%\Application Data\Microsoft\conhost.exe"



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile]
   • "EnableFirewall"=dword:0x00000000

 Miscellaneous  Checks for an internet connection by contacting the following web site:
   • http://www.google.com
Accesses internet resources:
   • http://onlinedatingsecretfriends.com/images/**********?v93=%number%&tq=%character string%
   • http://zonedg.com/**********?tq=%character string%
   • http://wapmobilesoftonline.com/blog/images/**********?v91=%number%&tq=%character string%
   • http://videosamplestore.com/blog/images/**********?v46=%number%&tq=%character string%
   • http://xprstats.com/images/**********?tq=%character string%
   • http://122343234.motostyleclub.com/blog/images/**********?v49=%number%&tq=%character string%
   • http://newworlddisordervideo.com/blog/images/**********?v24=%number%&tq=%character string%
   • http://onlinebizdirectory.com/images/**********?v24=%number%&tq=%character string%


Mutex:
It creates the following Mutexes:
   • {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
   • {A5B35993-9674-43cd-8AC7-5BC5013E617B}
   • {B5B35993-9674-43cd-8AC7-5BC5013E617B}
   • {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
   • {C66E79CE-8935-4ed9-A6B1-4983619CB925}
   • {61B98B86-5F44-42b3-BCA1-33904B067B81}

 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

说明添加者: Petre Galan 打开 2011年6月30日星期四
说明更新者: Petre Galan 打开 2011年6月30日星期四

反馈 . . . .
https:// 为了你的安全,此窗口已加密。