Virus: TR/Rogue.kdv.640189
Date discovered: 03/07/2012
Type: Trojan
In the wild: Yes
Reported infections: Low
Distribution potential: Low to medium
Damage potential: Medium
File size: 94.720 Bytes
MD5 checksum: C142F7941922369C46E948FF508F67CE
VDF version: 7.11.34.246 - Tuesday, July 3, 2012
IVDF version: 7.11.34.246 - Tuesday, July 3, 2012

General
Method of propagation:
   • Autorun feature


Alias:
   • Mcafee: PWS-Spyeye
   • Kaspersky: Worm.Win32.Cridex.dc
   • Microsoft: Worm:Win32/Cridex.B
   • Grisoft: SHeur4.AHBZ
   • Eset: Win32/AutoRun.Spy.Banker.M worm
   • DrWeb: Trojan.DownLoader6.13798


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Third party control
   • Drops files
   • Registry modification

Files
It copies itself to the following location:
   • %APPDATA%\KB00027502.exe

%drive%\autorun.inf
This is a non-malicious text file with the following content:
   • %code that runs malware%

%TEMPDIR%\POS1.tmp
Furthermore, it gets executed after it has been fully created. This batch file is used to delete a file.

Registry
The following registry key is added in order to run the process after reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "KB00027502.exe"="%APPDATA%\KB00027502.exe"



The following registry keys are added:

[HKCU\Software\Microsoft\Windows Media Center\C36E1C63]
[HKCU\Software\Microsoft\Windows Media Center\2FB0C48D]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   • "GlobalUserOffline"=dword:00000000
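The two persistence artifacts described above (the %APPDATA%\KB00027502.exe value under the user's Run key, and the autorun.inf launcher on removable drives) can be checked with simple detection logic. The following Python is an added example, not part of the Avira description: the Run-key dump and autorun.inf body are constructed samples modelled on this report, and the KB<digits>.exe name pattern is an assumption generalised from the single sample name given here.

```python
import re

# Constructed sample data modelled on this report (not real captures):
# a dump of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values
# and the body of an autorun.inf dropped on a removable drive.
RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "KB00027502.exe": r"%APPDATA%\KB00027502.exe",
}
AUTORUN_INF = """[autorun]
open=KB00027502.exe
shellexecute=KB00027502.exe
icon=KB00027502.exe,0
"""

# Assumed generalisation of the report's dropper name: a KB<digits>.exe placed
# directly in %APPDATA% (or its expanded Roaming path). Genuine Windows updates
# never register themselves under the per-user Run key this way.
KB_DROPPER_RE = re.compile(
    r'^"?(%APPDATA%|.*\\AppData\\Roaming)\\KB\d{6,}\.exe"?', re.IGNORECASE
)


def suspicious_run_entries(values):
    """Return the Run-key value names whose command matches the KB<digits>.exe pattern."""
    return [name for name, cmd in values.items() if KB_DROPPER_RE.match(cmd.strip())]


def autorun_launch_targets(inf_text):
    """Parse an autorun.inf and return the programs it would launch.

    Only the [autorun] section's open= and shellexecute= keys start a program;
    keys such as icon= and label= are cosmetic and are ignored."""
    targets = []
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in ("open", "shellexecute"):
            targets.append(value.strip())
    return targets


if __name__ == "__main__":
    print("Run-key hits:", suspicious_run_entries(RUN_VALUES))
    print("autorun.inf launches:", autorun_launch_targets(AUTORUN_INF))
```

On a live Windows host the Run values would come from winreg and the autorun.inf from each removable drive root; the functions above take those as plain data so the logic can be tested offline.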

Backdoor
Contact server:
One of the following:
   • micros**********.ru
   • micros**********.ru
   • micros**********.ru
   • micros**********.ru

As a result, it may send out information, and remote control of the system could be provided.

Injection
It injects itself as a remote thread into a process.

Process name:
   • %WINDIR%\Explorer.EXE


File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by: Daniel Mocanu on Wednesday, August 8, 2012
Description updated by: Daniel Mocanu on Wednesday, August 8, 2012
