Virus: TR/ZZDimy.13
Date discovered: 15/05/2009
Type: Trojan
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 13.824 Bytes
MD5 checksum: feb9fcb58b7537c47a0Cfc1c00702b50
IVDF version: 7.01.03.215 - Friday, May 15, 2009

General Aliases:
   •  Symantec: Backdoor.Paproxy
   •  McAfee: Generic Proxy!a trojan
   •  Kaspersky: Trojan.Win32.Agent2.jyy
   •  Panda: W32/Koobface.AD.worm
   •  Eset: a variant of Win32/Tinxy.AD trojan


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops a malicious file
   • Lowers security settings
   • Registry modification

Files:
It copies itself to the following location:
   • %SYSDIR%\SYS32DLL.exe



It deletes the initially executed copy of itself.



It deletes the following file:
   • C:\SYS32DLL.bat



The following file is created:
   • C:\SYS32DLL.bat

Furthermore, it gets executed after it was fully created. This batch file is used to delete a file.



It tries to download a file:

The location is the following:
   • http://85.13**********/v50/?v=63&s=I&uid=0&p=6004&q=
Furthermore, this file gets executed after it was fully downloaded. At the time of writing, this file was not online for further investigation.

Registry:
It creates the following entry in order to bypass the Windows XP firewall:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
   • "7171:TCP"="7171:TCP:*:Enabled:SYS32DLL"
   • "80:TCP"="80:TCP:*:Enabled:SYS32DLL"



The following registry key is changed:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • "ProxyServer"="http=localhost:7171"
   • "ProxyOverride"="*.local;"
   • "ProxyEnable"=dword:00000001

Backdoor:
The following port is opened:

%SYSDIR%\SYS32DLL.exe on TCP port 7171 in order to provide an HTTP server.
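The registry changes above are the most durable host artefacts this trojan leaves: the system-wide WinINet proxy is pointed at localhost:7171, and two firewall exceptions named SYS32DLL are added to GloballyOpenPorts. The following script is an added example, not Avira's tooling, that parses a minimal .reg-style export (the sample text is constructed from the values listed on this page, not captured from a real host) and reports these two indicators so they can be checked during triage:

```python
import re

# Indicators taken from the description above: a local HTTP proxy on TCP 7171
# and firewall exceptions named SYS32DLL on ports 7171 and 80.
PROXY_PORT = 7171
FIREWALL_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")
INET_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"

# Constructed sample export mirroring the page's values (not from a real machine).
SAMPLE_EXPORT = r"""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=localhost:7171"
"ProxyOverride"="*.local;"
"ProxyEnable"=dword:00000001

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"7171:TCP"="7171:TCP:*:Enabled:SYS32DLL"
"80:TCP"="80:TCP:*:Enabled:SYS32DLL"
"""


def parse_reg_export(text):
    """Parse a minimal .reg-style export into {key_path: {value_name: value}}.

    Only string and dword values are handled, which is all this check needs.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.group(1), m.group(2)
            if raw.startswith("dword:"):
                value = int(raw[len("dword:"):], 16)
            else:
                value = raw.strip('"')
            keys[current][name] = value
    return keys


def find_indicators(keys):
    """Return human-readable findings for the proxy and firewall artefacts."""
    findings = []

    # 1. System proxy enabled and routed through the local port the backdoor listens on.
    inet = keys.get(INET_KEY, {})
    proxy = str(inet.get("ProxyServer", ""))
    if inet.get("ProxyEnable") == 1 and re.search(
            r"(localhost|127\.0\.0\.1):%d\b" % PROXY_PORT, proxy):
        findings.append(f"system proxy routed through local port {PROXY_PORT}: {proxy}")

    # 2. Firewall exceptions carrying the dropper's name.
    # Value format: port:proto:scope:state:friendly-name
    for value in keys.get(FIREWALL_KEY, {}).values():
        fields = str(value).split(":")
        if (len(fields) >= 5 and fields[3].lower() == "enabled"
                and fields[4].upper() == "SYS32DLL"):
            findings.append(f"firewall exception {fields[0]}/{fields[1]} opened for {fields[4]}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

A real export can be produced with `reg export` on the two keys and fed to `parse_reg_export`; a clean host yields no findings, so the output is directly usable as a yes/no triage signal.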


Contact server:
One of the following:
   • yy-d**********.com
   • zz-d**********.com


File details:
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description written by Petre Galan on Tuesday, 6 October 2009
Description updated by Andrei Ivanes on Wednesday, 7 October 2009
