Virus: Worm/Palevo.vyc.1
Type: Worm
In the wild: Yes
Reported infections: Low to medium
Distribution potential: Medium
Damage potential: Medium
Static file: Yes
File size: 229,376 bytes
MD5 checksum: 84feca365803e4179493966f87d19b78

General methods of propagation:
   • Autorun feature
   • Local network
   • Messenger


Aliases:
   •  Panda: W32/P2Pworm.GF
   •  Eset: Win32/AutoRun.IRCBot.DZ
   •  Bitdefender: Worm.Generic.231495


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Third party control

Files:
It copies itself to the following locations:
   • %SYSDIR%\wmsrvc.exe
   • %drive%\winsv.exe



It overwrites the following file (the entries it writes are listed in the Hosts section below):
%SYSDIR%\drivers\etc\hosts



It deletes the initially executed copy of itself.



The following file is created:

%drive%\autorun.inf This is a plain text file. It is not harmful on its own, but its content makes Windows launch the copy dropped on the same drive whenever the Autorun feature processes that drive:
   • %code that runs malware%




It tries to download a file:

– The location is the following:
   • http://topic.lma**********.us/




It tries to execute the following commands:

   • ipconfig /flushdns

It then issues the same five commands against each security-product service named below: stop it through net and net1 (net1.exe is the helper that net.exe itself calls, so the second attempt still works if net.exe is blocked), stop it through the service control manager, set its start type to disabled so it does not return at the next boot, and finally delete the service registration:

   • net stop %service%
   • sc stop %service%
   • sc config %service% start= disabled
   • net1 stop %service%
   • sc delete %service%

– Service names targeted (quoted where the name contains spaces; the sc config command for the first one is spelled SavService in the sample, which makes no difference because service names are not case sensitive):
   • SAVService; SAVAdminService; "Sophos AutoUpdate Service"; "Sophos Client Firewall";
      "Sophos Client Firewall Manager"; "avast! Antivirus"; AntiVirService; PASRV; VSSERV;
      avg8wd; avg9wd; NOD32krn; ekrn; McShield; OutpostFirewall; TmPfw; KPF4; SmcService;
      cmdAgent; vsmon; SbPF.Launcher; SPF4; acssrv; K7RTScan; K7TSMngr

The commands are not issued in tidy per-product blocks: the K7RTScan and K7TSMngr commands in particular are spread across the whole sequence, and the order of the five commands varies slightly from service to service, so process-creation logs show one long burst of net, net1 and sc invocations rather than a neat pattern.
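The service-tampering sequence above is a recognisable pattern on its own: one parent process issuing net stop, sc stop, sc config ... start= disabled, net1 stop and sc delete against many different services within seconds. The following Python is an added example, not part of the original description: it parses constructed process-creation records (modelled on the fields of a Sysmon Event ID 1 record) and flags any parent that targets several distinct services inside a short window. The record format, the 60-second window and the three-service threshold are assumptions.

```python
"""Flag the 'stop / disable / delete every security service' burst from
process-creation records. Added example; the log format, the sample events
and the thresholds are assumptions, not part of the original description."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Tools and verbs that stop, disable or remove a Windows service.
SERVICE_VERBS = {"net": {"stop"}, "net1": {"stop"}, "sc": {"stop", "delete", "config"}}

# Constructed records in the shape of Sysmon Event ID 1 fields (not captured from
# the worm): creation time of the child, its parent image, its command line.
SAMPLE_EVENTS = [
    {"time": "2010-06-08T10:00:01", "parent": r"C:\WINDOWS\system32\wmsrvc.exe", "cmdline": "ipconfig /flushdns"},
    {"time": "2010-06-08T10:00:01", "parent": r"C:\WINDOWS\system32\wmsrvc.exe", "cmdline": "net stop SAVService"},
    {"time": "2010-06-08T10:00:02", "parent": r"C:\WINDOWS\system32\wmsrvc.exe", "cmdline": "sc stop SAVService"},
    {"time": "2010-06-08T10:00:02", "parent": r"C:\WINDOWS\system32\wmsrvc.exe", "cmdline": "sc config SavService start= disabled"},
    {"time": "2010-06-08T10:00:02", "parent": r"C:\WINDOWS\system32\wmsrvc.exe", "cmdline": "net1 stop SAVService"},
    {"time": "2010-06-08T10:00:03", "parent": r"C:\WINDOWS\system32\wmsrvc.exe", "cmdline": "sc delete SAVService"},
    {"time": "2010-06-08T10:00:03", "parent": r"C:\WINDOWS\system32\wmsrvc.exe", "cmdline": 'net stop "avast! Antivirus"'},
    {"time": "2010-06-08T10:00:03", "parent": r"C:\WINDOWS\system32\wmsrvc.exe", "cmdline": 'sc config "avast! Antivirus" start= disabled'},
    {"time": "2010-06-08T10:00:04", "parent": r"C:\WINDOWS\system32\wmsrvc.exe", "cmdline": "sc delete ekrn"},
    {"time": "2010-06-08T10:00:04", "parent": r"C:\WINDOWS\system32\wmsrvc.exe", "cmdline": "net stop McShield"},
    # Benign administration for contrast: one service, one command, hours later.
    {"time": "2010-06-08T11:30:00", "parent": r"C:\WINDOWS\explorer.exe", "cmdline": "sc stop Spooler"},
]


def parse_service_command(cmdline):
    """Return (tool, verb, service) when cmdline stops, disables or deletes a
    service, otherwise None. Quoted names such as "avast! Antivirus" stay whole."""
    try:
        # Non-POSIX mode keeps Windows backslashes intact and groups quoted words.
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        return None
    if len(tokens) < 3:
        return None
    tool = tokens[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if tool.endswith(".exe"):
        tool = tool[:-4]
    verb = tokens[1].lower()
    if verb not in SERVICE_VERBS.get(tool, set()):
        return None
    if verb == "config":
        # Only 'sc config <svc> start= disabled' counts; other config edits are not a kill.
        if "start=disabled" not in "".join(t.lower() for t in tokens[3:]):
            return None
    return tool, verb, tokens[2].strip('"').lower()


def detect_service_kill_bursts(events, window_seconds=60, min_services=3):
    """Per parent process, find the densest window of service-tampering commands
    and report it when it touches at least min_services distinct services."""
    by_parent = defaultdict(list)
    for ev in events:
        parsed = parse_service_command(ev["cmdline"])
        if parsed is None:
            continue
        by_parent[ev["parent"].lower()].append((datetime.fromisoformat(ev["time"]), parsed[2]))
    alerts, window = [], timedelta(seconds=window_seconds)
    for parent, items in by_parent.items():
        items.sort()
        best, start = set(), 0
        for end, (t_end, _) in enumerate(items):
            while t_end - items[start][0] > window:   # slide the window forward
                start += 1
            services = {svc for _, svc in items[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= min_services:
            alerts.append({"parent": parent, "services": sorted(best), "commands": len(items)})
    return alerts


if __name__ == "__main__":
    for alert in detect_service_kill_bursts(SAMPLE_EVENTS):
        print(f"{alert['parent']}: {alert['commands']} commands against {alert['services']}")
```

The detector keys on the parent rather than on individual command lines, because each command (`sc stop Spooler`) is something an administrator legitimately runs; it is the fan-out across many security services from one process in a few seconds that is abnormal. Counting distinct services instead of raw commands keeps a single retried command from tripping the threshold.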

Registry:
The following Run value is added so that the process starts again after a reboot. Both the value name and its data are ctfmon.exe, a legitimate Windows component; on its own this entry would start the real ctfmon.exe, but the Image File Execution Options entry listed further down redirects that image name to wmsrvc.exe:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "ctfmon.exe"="ctfmon.exe"



The following registry keys, including all values and subkeys, are removed. Without them Windows cannot boot into Safe Mode, which takes away the usual clean-up route:
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]



It creates the following entry in order to bypass the Windows XP firewall, registering wmsrvc.exe as an authorized application under the innocuous display name "DHCP Router":

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\DomainProfile\AuthorizedApplications\List]
   • "%SYSDIR%\wmsrvc.exe"="%SYSDIR%\wmsrvc.exe:*:Enabled:DHCP Router"



The following registry keys and values are added:

– [HKLM\SOFTWARE\Microsoft\Security Center]
   • "AntiVirusDisableNotify"=dword:0x00000001
   • "AntiVirusOverride"=dword:0x00000001
   • "FirewallDisableNotify"=dword:0x00000001
   • "FirewallOverride"=dword:0x00000001
   (suppresses the Security Center warnings that would otherwise appear once the antivirus and firewall services listed above have been stopped)

– [HKLM\SOFTWARE\Policies\Microsoft\MRT]
   • "DontReportInfectionInformation"=dword:0x00000001
   (stops the Malicious Software Removal Tool from reporting infections to Microsoft)

– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   • "DisableConfig"=dword:0x00000001
   (locks the System Restore configuration page)

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\
   Layers]
   • "%SYSDIR%\wmsrvc.exe"="DisableNXShowUI"
   (an application-compatibility layer that exempts the dropped file from Data Execution Prevention)

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ctfmon.exe]
   • "Debugger"="wmsrvc.exe"
   (whenever any process starts ctfmon.exe, Windows launches wmsrvc.exe in its place with the original command line as argument; the value carries no path, so wmsrvc.exe is resolved from %SYSDIR%, where the worm copied itself)



The following registry keys are changed:

– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
   New value:
   • "Start"=dword:0x00000004
   (start type 4 = disabled: the Security Center service no longer runs, so nothing reports that the antivirus and firewall are gone)

– [HKLM\SECURITY\Policy\Secrets\SAC\OupdTime]
   New value:
   • "@"=""

– [HKLM\SECURITY\Policy\Secrets\SAC\CupdTime]
   New value:
   • "@"=""

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "Hidden"=dword:0x00000002
   (2 = do not show hidden files and folders in Explorer)

– [HKLM\SECURITY\Policy\Secrets\SAI\CupdTime]
   New value:
   • "@"=""

– [HKLM\SECURITY\Policy\Secrets\SAC\OldVal]
   New value:
   • "@"=""

– [HKLM\SECURITY\Policy\Secrets\SAI\OupdTime]
   New value:
   • "@"=""

– [HKLM\SECURITY\Policy\Secrets\SAI\CurrVal]
   New value:
   • "@"=""

– [HKLM\SECURITY\Policy\Secrets\SAC\CurrVal]
   New value:
   • "@"=""

– [HKLM\SECURITY\Policy\Secrets\SAI\OldVal]
   New value:
   • "@"=""

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   New value:
   • "CheckedValue"=dword:0x00000001
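The registry changes above only make sense together: the Run value looks like a harmless ctfmon.exe autostart, the Image File Execution Options Debugger value turns it into a launch of wmsrvc.exe, and the Security Center values and the wscsvc start type keep Windows quiet about the missing protection. The following Python is an added example, not part of the original description: it parses a Regedit 5.00 export and reports exactly that chain. The export is constructed (the worm's entries plus two benign ones for contrast) and the allow-list of legitimate debuggers is an assumption.

```python
"""Spot the ctfmon.exe -> Image File Execution Options -> wmsrvc.exe redirect
and the Security Center overrides in a Regedit 5.00 export. Added example:
the export below is constructed and the debugger allow-list is an assumption."""
import re

IFEO_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
RUN_KEYS = (r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run")
SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
WSCSVC_KEY = r"hkey_local_machine\system\currentcontrolset\services\wscsvc"
OVERRIDE_VALUES = ("AntiVirusDisableNotify", "AntiVirusOverride",
                   "FirewallDisableNotify", "FirewallOverride")
KNOWN_DEBUGGERS = ("windbg.exe", "cdb.exe", "ntsd.exe", "vsjitdebugger.exe", "drwtsn32.exe")

# Constructed export (not taken from an infected machine) with the entries from
# the description plus a legitimate Run value and a legitimate IFEO debugger.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="wmsrvc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
'''

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # In .reg syntax a backslash quotes the next character (doubled backslash, escaped quote).
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """{key path in lower case: {value name: value}}; strings unescaped,
    dword values converted to int, other data types kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        else:
            keys[current][name] = data
    return keys


def _image_name(command):
    """Executable name from a Run command: quoted path, or text up to the first .exe."""
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
        exe = m.group(1) if m else command.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_ifeo_hijacks(keys):
    """{image name: debugger data} for IFEO Debugger values that are not a real debugger."""
    hijacks = {}
    for key, values in keys.items():
        debugger = values.get("Debugger")
        if key.startswith(IFEO_KEY + "\\") and isinstance(debugger, str):
            if not any(d in debugger.lower() for d in KNOWN_DEBUGGERS):
                hijacks[key.rsplit("\\", 1)[-1]] = debugger
    return hijacks


def find_hijacked_autostarts(keys):
    """Run entries whose image has an IFEO redirect: the autostart looks benign,
    but Windows launches the 'debugger' with the original command line as argument."""
    hijacks = find_ifeo_hijacks(keys)
    return [{"run_value": name, "command": cmd, "redirected_to": hijacks[_image_name(str(cmd))]}
            for run_key in RUN_KEYS
            for name, cmd in keys.get(run_key, {}).items()
            if _image_name(str(cmd)) in hijacks]


def find_security_center_tampering(keys):
    """Override values that silence Security Center, plus its service set to disabled."""
    issues = [f"{v}=1" for v in OVERRIDE_VALUES
              if keys.get(SECURITY_CENTER_KEY, {}).get(v) == 1]
    if keys.get(WSCSVC_KEY, {}).get("Start") == 4:
        issues.append("wscsvc Start=4 (service disabled)")
    return issues
```

Any IFEO Debugger value is worth a look, but the allow-list keeps the genuine uses (a developer who attached WinDbg to notepad.exe) out of the findings; the hijack report is then the join between autostart entries and the remaining Debugger values, which is the part a plain autostart listing misses.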

Messenger:
It spreads through instant-messaging clients by sending a URL to the contacts of the infected user. The following clients are used:

– MSN Messenger
– Yahoo Messenger

The URL refers to a copy of the described malware. If the recipient downloads and executes this file, the infection process starts again.

Network infection:
In order to ensure its propagation, the malware attempts to connect to other machines as described below.


Exploit:
It makes use of the following Exploits:
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnerability in Server Service)


IP address generation:
It generates random IP addresses that keep the first two octets of its own address, that is, it sweeps its own /16. It then tries to establish a connection with each generated address.

IRC:
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: login.ipwhois.or**********.uk
Port: 47221
Channel: #NN
Nickname: N|USA|M1|0|XP|%number%
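Two of the behaviours above are visible from the network rather than the host: the /16 sweep produced by the IP address generation, and the IRC connection with its fixed nickname format. The following Python is an added example, not part of the original description: it runs a sweep detector over constructed flow records and a nickname check over constructed IRC lines. Treating SMB ports 139/445 as the exploit transport, the 20-host threshold, and the loose reading of the nickname fields (country, M plus a digit, a digit, an OS tag, a number) are assumptions.

```python
"""Network-side indicators for the spreading and C2 behaviour described above:
a host sweeping its own /16 on SMB ports, and the IRC nickname format. Added
example; flow records and IRC lines are constructed, ports and threshold assumed."""
import ipaddress
import re
from collections import defaultdict

SMB_PORTS = (139, 445)          # assumed transport for the Server Service exploit
C2_PORT = 47221                 # IRC port named in the description
# N|USA|M1|0|XP|%number%: literal N, country, M<digit>, digit, OS tag, number.
BOT_NICK = re.compile(r"^NICK\s+N\|[A-Z]{2,3}\|M\d+\|\d+\|[A-Z0-9]+\|\d+\s*$")

IRC_SAMPLE = ["NICK N|USA|M1|0|XP|48213", "NICK alice", "JOIN #NN"]   # constructed


def build_sample_flows():
    """Constructed (src, dst, dport) records; 10.20.5.7 plays the infected host."""
    flows = [("10.20.5.7", f"10.20.{(i * 37) % 256}.{(i * 91) % 256}", 445) for i in range(30)]
    flows += [("10.20.8.8", "10.20.8.1", 445),            # one user, one file server
              ("10.20.8.8", "198.51.100.9", 443),
              ("10.20.5.7", "198.51.100.44", C2_PORT)]    # infected host to the IRC server
    return flows


def same_slash16(a, b):
    """True when two IPv4 addresses share their first two octets."""
    a, b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    return a.version == b.version == 4 and a.packed[:2] == b.packed[:2]


def detect_local_sweeps(flows, ports=SMB_PORTS, min_targets=20):
    """{src: distinct targets} for sources that touched many hosts in their own /16
    on SMB ports, which is how the worm's random-IP generator looks from the wire."""
    fanout = defaultdict(set)
    for src, dst, dport in flows:
        if dport in ports and src != dst and same_slash16(src, dst):
            fanout[src].add(dst)
    return {src: len(t) for src, t in fanout.items() if len(t) >= min_targets}


def c2_connections(flows, port=C2_PORT):
    """(src, dst) pairs talking to the IRC port, whatever the destination address."""
    return [(src, dst) for src, dst, dport in flows if dport == port]


def is_bot_nick(irc_line):
    """True for a NICK command in the worm's N|country|M1|0|OS|number format."""
    return BOT_NICK.match(irc_line.strip()) is not None


if __name__ == "__main__":
    flows = build_sample_flows()
    print("sweeps:", detect_local_sweeps(flows))
    print("C2:", c2_connections(flows))
    print("bot nicks:", [line for line in IRC_SAMPLE if is_bot_nick(line)])
```

The sweep check deliberately restricts itself to the source's own /16: a scanner from outside the subnet, or a backup server that legitimately reaches many hosts on 445 across the whole network, is a different signal. The nickname regex is the weaker of the two indicators, since the server name is masked on this page and the nickname fields can change between builds, so it is best used to confirm a host already flagged by the sweep or by the unusual destination port.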

Hosts:
The hosts file is modified as follows:

– Access to the following domains is redirected to other destinations. The list is reproduced exactly as found in the sample, duplicates included; almost all entries are antivirus vendors, signature-update servers, security forums and removal-tool download sites, so the victim can neither update protection nor reach help pages:
   • msnfix.changelog.fr; www.incodesolutions.com; virusinfo.prevx.com;
      download.bleepingcomputer.com; www.dazhizhu.cn; foro.noticias3d.com;
      www.spybotupdates.com; club.myce.com; www.k7computing.com;
      softwaresecuritysolutions.com; www.nabble.com; lurker.clamav.net;
      lexikon.ikarus.at; research.sunbelt-software.com; www.virusdoctor.jp;
      www.elitepvpers.de; guru.avg.com; downloads.sophos.com;
      share.skype.com; myantispyware.com; www.computerhilfen.de;
      www.superuser.co.kr; ntfaq.co.kr; v.dreamwiz.com; cit.kookmin.ac.kr;
      forums.whatthetech.com; forum.hijackthis.de; avg.vo.llnwd.net;
      ftp.drweb.com; www.zonealarm.com; smadaver.com; support.emsisoft.com;
      www.huaifai.go.th; www.mostz.com; www.krupunmai.com;
      www.cddchiangmai.net; forum.malekal.com; tech.pantip.com;
      sapcupgrades.com; www.elguruinformatico.com; forums.avg.com;
      zastita.com; support.kaspersky.com; www.247fixes.com;
      forum.sysinternals.com; forum.telecharger.01net.com; sophos.com;
      foros.softonic.com; avast-home.uptodown.com;
      dr-web-cureit.softonic.com; heavenward.ru; forum.smadav.net;
      www.forum.kaspersky.com; www.f-secure.com; www.chkrootkit.org;
      diamondcs.com.au; www.rootkit.nl; www.sysinternals.com; z-oleg.com;
      espanol.dir.groups.yahoo.com; ftp01net.telechargement.fr;
      modelayu.com; vaksin.com; bbs.kaspersky.com.cn; www.castlecrops.com;
      www.misec.net; safecomputing.umn.edu; www.antirootkit.com;
      www.greatis.com; ar.answers.yahoo.com; www.elhacker.org;
      research.pandasecurity.com; www.tpu.ro; www.pinoyden.com;
      forum.avira.de; www.rootkit.com; www.pctools.com;
      www.pcsupportadvisor.com; www.resplendence.com; www.personal.psu.edu;
      foro.ethek.com; foro.elhacker.net; download.zonealarm.com;
      spywarehammer.com; www.codelain.com; www.thaicert.org; vil.nail.com;
      search.mcafee.com; wwww.mcafee.com; download.nai.com;
      wwww.experts-exchange.com; www.bakunos.com; www.darkclockers.com;
      www2.gmer.net; ariefew.com; www.emsisoft.com; forum.romeonet.ro;
      www.Merijn.org; www.spywareinfo.com; www.spybot.info;
      www.viruslist.com; www.hijackthis.de; ftp.f-secure.com;
      forum.kaspersky.com; es.trendmicro-europe.com; www.hvaonline.net;
      forum.lowyat.net; kb.eset.com; majorgeeks.com; www.avp.com;
      www.virustotal.com; www.sophos.com; linhadefensiva.uol.com.br;
      cmmings.cn; www.sergiwa.com; www.el-hacker.com; dl2.agnitum.com;
      forum.smadav.net; images.malwareremoval.com; www.avg-antivirus.net;
      www.kaspersky-labs.com; www.kaspersky.com; www.bleepingcomputer.com;
      www.free.grisoft.com; alerta-antivirus.inteco.es; greatis.com;
      www.oprekpc.com; www.gmer.net; forum.kasperskyclub.com;
      securityresponse.symantec.com; www.analysis.seclab.tuwien.ac.at;
      www.symantec.com; www.kztechs.com; ad-aware-se.uptodown.com;
      stdio-labs.blogspot.com; forum.lrytas.lt; www.decido.de;
      wap.elakiri.com; liveupdate.symantecliveupdate.com;
      liveupdate.symantec.com; customer.symantec.com; update.symantec.com;
      www.box.net; foro.el-hacker.com; acs.pandasoftware.com;
      egavisa.blogspot.com; angui123.cn; beta.eset.com; www.mcafee.com;
      www.free.avg.com; download.mcafee.com; mast.mcafee.com;
      www.tecno-soft.com; ladooscuro.es; ftp.drweb.com;
      download.microsoft.com; www.mypcsafe.com; www.blindedbytech.com;
      kaspersky.com; guru0.grisoft.cz; guru1.grisoft.cz; guru2.grisoft.cz;
      guru3.grisoft.cz; download.bleepingcomputer.com; it.answers.yahoo.com;
      www.softonic.com; www.mycity.rs; cairopt.net;
      rootrepeal.googlepages.com; guru4.grisoft.cz; guru5.grisoft.cz;
      www.virusspy.com; download.f-secure.com; www.malwareremoval.com;
      forums.cnet.com; foros.softonic.com; www.freedrweb.com; www.kaskus.us;
      rootrepeal.psikotick.com; thaicert.nectec.or.th;
      hjt-data.trend-braintree.com; www.pantip.com; secubox.aldria.com;
      www.forospyware.com; www.manuelruvalcaba.com; www.zonavirus.com;
      www.leforo.com; www.gsmph.com; blokvesti.net; www.viprasys.org;
      forum.antivir-pe.de; www.siteadvisor.com; blog.threatfire.com;
      www.threatexpert.com; blog.hispasec.com; www.configurarequipos.com;
      sosvirus.changelog.fr; www.psicofxp.com; www.gsmph.net;
      www.gyakorikerdesek.hu; us.mcafee.com; mailcenter.rising.com.cn;
      mailcenter.rising.com; www.rising.com.cn; www.rising.com;
      www.babooforum.com.br; www.runscanner.net; www.blogschapines.com;
      www.zyzoom.org; www.avsoft.ru; www.elakiri.com; sosvirus.changelog.fr;
      upload.changelog.fr; www.raymond.cc; changelog.fr; www.pcentraide.com;
      atazita.blogspot.com; www.thinkpad.cn; www.sunbeltsoftware.com;
      cert.inteco.es; www.gamexeon.com; nod32-antivirus.en.softonic.co;
      www.final4ever.com; files.filefont.com; www.infos-du-net.com;
      www.trendsecure.com; forum.hardware.fr; www.utilidades-utiles.com;
      blogs.icerocket.com; www.spywarefri.dk; alfrasha.maktoob.com;
      www.eset.eu; www.spychecker.com; www.geekstogo.com;
      forums.maddoktor2.com; www.smokey-services.eu; www.clubic.com;
      www.linhadefensiva.org; www.rolandovera.com; forum.burek.com;
      secure.sophos.com; usa.kaspersky.com; download.sysinternals.com;
      www.pcguide.com; www.thetechguide.com; www.ozzu.com;
      www.changedetection.com; espanol.groups.yahoo.com;
      www.sunbeltsecurity.com; www.quickheal.co.in; www.vivalared.com;
      community.thaiware.com; www.avpclub.ddns.info;
      www.offensivecomputing.net; www.grisoft.com; boardreader.com;
      www.guiadohardware.net; www.webroot.com; www.thehelper.net;
      www.kaldata.com; vil.nai.com; www.msnvirusremoval.com; www.cisrt.org;
      fixmyim.com; samroeng.hi5.com; foro.elhacker.net; www.daboweb.com;
      service1.symantec.com; us3.download.comodo.com; forum.gsmhosting.com;
      www.computerforum.com; forums.techguy.org; www.incodesolutions.com;
      hijackthis.download3000.com; www.cybertechhelp.com;
      www.superdicas.com.br; www.51nb.com; us4.download.comodo.com;
      www.jbtalks.cc; ad13.geekstogo.com; downloads.andymanchesta.com;
      andymanchesta.com; info.prevx.com; aknow.prevx.com; www.zonavirus.com;
      securitywonks.net; www.yoreparo.com; www.spywarecease.com;
      forum.dobreprogramy.pl; community.mcafee.com; www.lavasoft.com;
      www.virscan.org; www.eeload.com; down.www.kingsoft.com; www.file.net;
      onecare.live.com; mvps.org; www.laneros.com; www.pc1news.com;
      forum.avira.com; downloads.novirusthanks.org;
      www.housecall.trendmicro.com; www.avast.com; www.free.avg.com;
      www.onlinescan.avast.com; www.ewido.net; www.trucoswindows.net;
      www.mozilla-hispano.org; www.jackbloodforum.com;
      www.kosandpol.elakiri.com; www.futurenow.bitdefender.com;
      www.bitdefender.com; www.f-prot.com; www.trendsecure.com;
      security.symantec.com; oldtimer.geekstogo.com;
      sopiansantosa.blogspot.com; www.fileresearchcenter.com;
      www.looktr.com; www.avira.com; www.eset.com; www.free.avg.com;
      www.free-av.com; kr.ahnlab.com; www.eset.com; forospyware.com;
      thejokerx.blogspot.com; cairopt.net; oolbar.cyberdefender.com;
      golpe.dyndns.org; www.2-spyware.com; www.antivir.es; www.prevx.com;
      www.ikarus.net; bbs.s-sos.net; www.housecall.trendmicro.com;
      www.superdicas.com.br; www.superantispyware.com; www.unhackme.com;
      www.askmehelpdesk.com; www.forums.majorgeeks.com; www.castlecops.com;
      www.virusspy.com; andymanchesta.com; www.kaspersky.es;
      subs.geekstogo.com; www.forospanish.com; blog.rnsafe.com;
      www.regrun.com; irc.snahosting.net; www.trendmicro.com;
      www.fortinet.com; www.safer-networking.org; www.fortiguardcenter.com;
      www.dougknox.com; www.vsantivirus.com; static.commentcamarche.net;
      www.gyakorikerdesek.hu; www.fixya.com; www.firewallguide.com;
      www.auditmypc.com; www.spywaredb.com; www.mxttchina.com;
      www.ziggamza.net; www.forospyware.es; pogonyuto.forospanish.com;
      spywarefiles.prevx.com; k2r.th3kings.net; www.betterantivirus.com;
      www.antivirus.comodo.com; www.spywareterminator.com;
      www.eradicatespyware.net; www.freespywareremoval.info;
      www.personalfirewall.comodo.com; wakoopa.com; forum.drweb.com;
      bb1.th3kings.net; www.commentcamarche.net; www.clamav.net;
      www.antivirus.about.com; www.pandasecurity.com; www.webphand.com;
      mx.answers.yahoo.com; www.securitywonks.net; www.messengeradictos.com;
      www.geekpolice.net; bub.th3kings.net; www.sandboxie.com;
      www.clamwin.com; www.cwsandbox.org; www.ca.com; www.arswp.com;
      es.answers.yahoo.com; www.trucoswindows.es; www.ipaddresser.com;
      www.abgenis.net; www.freefixer.com; forums.afterdawn.com;
      www.networkworld.com; www.cddchiangmai.net; www.threatexpert.com;
      www.norman.com; espanol.answers.yahoo.com; www.tallemu.com;
      foro.portalhacker.net; www.groupwhere.org; sniff.runescapetube.com;
      virscan.org; www.viruschief.com; scanner.virus.org; www.hijackthis.de;
      housecall65.trendmicro.com; www.guiadohardware.net;
      forums.whatthetech.com; mustlovewine.com; www3.malekal.com;
      esetnod32antivirus.blogspot.com; hjt.networktechs.com;
      www.techsupportforum.com; www.whatthetech.com; www.soccersuck.com;
      www.pcentraide.com; comunidad.wilkinsonpc.com.co; forum.hocit.com;
      forum.smadav.net; fgp.e2doo.com; community.thaiware.com;
      forum.piriform.com; www.tweaksforgeeks.com; www.daniweb.com;
      www.geekstogo.com; es.answers.yahoo.com; www.techsupportforum.com;
      dnl-eu8.kaspersky-labs.com; www.oprekpc.com; shv4.ath.cx;
      www.pcworld.com; www.pchell.com; www.spyany.com; forums.techguy.org;
      www.experts-exchange.com; www.wikio.es; www.pandasecurity.com;
      forums.devshed.com; devbuilds.kaspersky-labs.com;
      hana-ahmad.blogspot.com; forum.tweaks.com; www.wilderssecurity.com;
      www.techspot.com; www.thecomputerpitstop.com; es.wasalive.com;
      secunia.com; www.killtrojan.net; www.ulop.net; www.eliters.com;
      sip4.voipkosovasite.com; es.kioskea.net; www.taringa.net;
      www.cyberdefender.com; www.feedage.com; new.taringa.net;
      forum.zazana.com; forum.clubedohardware.com.br; mks.com.pl;
      www.vietcaravan.us; trbotnet.sytes.net; www.computing.net;
      discussions.virtualdr.com; forum.securitycadets.com; www.techimo.com;
      13iii.com; www.dicasweb.com.br; www.javacoolsoftware.net;
      cofradia.org; wasteland-bg.com; www.windowexe.com;
      www.infosecpodcast.com; www.usbcleaner.cn; www.net-security.org;
      www.bleedingthreats.net; acs.pandasoftware.com; www.funkytoad.com;
      malwarebytes.org; sabithpocker.blogspot.com; comprolive.vox.com;
      www.360safe.cn; www.360safe.com; bbs.360safe.cn; bbs.360safe.com;
      codehard.wordpress.com; forum.clubedohardware.com.br; antitrick.com;
      www.configurarequipos.com; www.jiwang.org;
      anti-virus-software-review.toptenreviews.com; www.360.cn; www.360.com;
      bbs.360safe.cn; bbs.360safe.com; www.forospyware.es;
      p3dev.taringa.net; www.precisesecurity.com; dlpe.antivir.com;
      www.jvme.com; share.skype.com; comprolive.com; gotoknow.org;
      baike.360.cn; baike.360.com; kaba.360.cn; kaba.360.com;
      deckard.geekstogo.com; www.taringa.net; forums.comodo.com;
      www.mvps.org; melcy.wordpress.com; forum.softpedia.com;
      pcvids.wordpress.com; down.360safe.cn; down.360safe.com;
      x.360safe.com; dl.360safe.com; ftp.drweb.com; www.hotshare.net;
      es.wasalive.com; free.antivirus.com; forum.hocit.com;
      destavision-forum.com; inspiresoft.blogspot.com; updatem.360safe.com;
      updatem.360safe.cn; update.360safe.cn; update.360safe.com;
      www.utilidades-utiles.com; forum.kaspersky.com;
      www.indowebster.web.id; zastita.com; www.sz-pet.com;
      foros.abcdatos.com; bbs.duba.net; www.duba.net; zhidao.baidu.com;
      hi.baidu.com; www.drweb.com.es; msncleaner.softonic.com;
      www.javacoolsoftware.com; beniono.wordpress.com; www.4-gsmteam.com;
      msntubers.freehostia.com; file.ikaka.com; file.ikaka.cn;
      bbs.ikaka.com; zhidao.ikaka.com; www.eset-la.com; download.eset.com;
      software-files.download.com; www.faravirusi.com; www.winbots.es;
      forum.chip.de; www.thailandsusu.com; www.ikaka.com; www.ikaka.cn;
      bbs.cfan.com.cn; www.cfan.com.cn; www.pandasecurity.com;
      es.mcafee.com; downloads.malwarebytes.org; www.devirusare.com;
      forum.skype.com; shitit.net; www.webimmune.net; bbs.kafan.cn;
      bbs.kafan.com; bbs.kpfans.com; bbs.taisha.org;
      www.manuelruvalcaba.com; support.f-secure.com; bbs.winzheng.com;
      devirusare.com; social.microsoft.com; www.shitit.net;
      mx.answers.yahoo.com; alerta-antivirus.inteco.es; foros.zonavirus.com;
      alerta-antivirus.red.es; www.zonavirus.com; www.malwarebytes.org;
      www.commentcamarche.net; news.support.veritas.com; www.zonealarm.com;
      www.ewido.net; www.infospyware.com; www.bitdefender.es;
      housecall.trendmicro.com; foros.toxico-pc.com; www.identi.es;
      es.kioskea.net; virusinfo.info; forums.zonealarm.com;
      foro.infiernohacker.com; www.emsisoft.de; www.securitynewsportal.com;
      irc.ekizmedia.com; zone.arminboutique.com; story.dnsentrymx.com
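The hosts-file change above is the one that keeps a victim stuck: every update server and removal-tool site resolves to an address the worm chose. The following Python is an added example, not part of the original description: it parses a hosts file and reports both known security-vendor names that have been pinned and the more general pattern of many names funnelled to one non-loopback address, then emits a cleaned copy. The hosts text is constructed and the domain list is a short assumed subset of the names listed above.

```python
"""Find hosts-file hijacks like the one above: security-vendor names pinned to
fixed addresses, or many names funnelled to one non-loopback address. Added
example; the hosts text is constructed and the domain list is an assumed subset."""
import ipaddress
from collections import defaultdict

# Registrable domains taken from the redirect list above (assumed subset).
SECURITY_DOMAINS = {
    "virustotal.com", "microsoft.com", "symantec.com", "kaspersky.com", "malwarebytes.org",
    "sophos.com", "mcafee.com", "avira.com", "eset.com", "avg.com", "avast.com",
    "bitdefender.com", "bleepingcomputer.com", "trendmicro.com", "f-secure.com", "drweb.com",
}

HOSTS_SAMPLE = """# Constructed sample (not from the worm): a hosts file after the append
127.0.0.1       localhost
192.168.1.20    fileserver.corp.example
# lines below pin security sites so updates and help pages never resolve
203.0.113.5 www.virustotal.com
203.0.113.5 download.microsoft.com
203.0.113.5 liveupdate.symantec.com
127.0.0.1 www.kaspersky.com   # sent to loopback
127.0.0.1 downloads.malwarebytes.org
"""


def parse_hosts(text):
    """[(line number, ip, [hostnames])] for effective lines; comments stripped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # not an address-first line; ignore it
        entries.append((n, str(ip), [h.lower() for h in parts[1:]]))
    return entries


def is_security_domain(host):
    """True when any parent domain of host is in SECURITY_DOMAINS."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in SECURITY_DOMAINS for i in range(len(labels) - 1))


def find_hosts_hijacks(text, min_fanin=3):
    """Two checks: a known security domain pinned at all, and min_fanin or more
    names pointing at one address that is not loopback (a sinkhole or attacker host)."""
    findings, fanin = [], defaultdict(set)
    for n, ip, hosts in parse_hosts(text):
        for host in hosts:
            fanin[ip].add(host)
            if is_security_domain(host):
                findings.append({"line": n, "host": host, "ip": ip,
                                 "reason": "security vendor domain pinned in hosts"})
    for ip, hosts in fanin.items():
        if len(hosts) >= min_fanin and not ipaddress.ip_address(ip).is_loopback:
            findings.append({"line": None, "host": None, "ip": ip,
                             "reason": f"{len(hosts)} names pinned to one non-loopback address"})
    return findings


def cleaned_hosts(text):
    """Hosts text with the flagged lines removed; comments and other entries kept."""
    bad = {f["line"] for f in find_hosts_hijacks(text) if f["line"] is not None}
    return "\n".join(l for n, l in enumerate(text.splitlines(), 1) if n not in bad) + "\n"
```

The domain match walks up the label hierarchy, so `liveupdate.symantec.com` is caught by the entry `symantec.com` without enumerating every host name from the list above. Loopback targets are excluded from the fan-in rule on purpose: ad-blocking hosts files legitimately pin hundreds of names to 127.0.0.1, whereas many names pointing at one routable address is what an attacker-controlled sinkhole looks like.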


Process termination:
List of processes that are terminated (mostly antivirus installers, malware-removal and forensic tools, and the built-in command shell, task and registry utilities an analyst would reach for):
   • MSMPENG.EXE; MSASCUI.EXE; GUARDXKICKOFF.EXE; GUARDXSERVICE.EXE;
      VIRUSUTILITIES.EXE; VBA32-PERSONAL-LATEST-ENGLISH.EXE;
      TrendMicro_TISPro_16.1_1063_x32.EXE; WITSETUP.EXE; AVINSTALL.EXE;
      K7TS_SETUP.EXE; P08PROMO.EXE; ISSDM_EN_32.EXE; VIPRE.EXE;
      UNLOCKER.EXE; UNLOCKERASSISTANT.EXE; UNLOCKER1.8.7.EXE;
      REGUNLOCKER.EXE; COMPAQ_PROPIETARIO.EXE; ATF-CLEANER.EXE;
      SAFEBOOTKEYREPAIR.EXE; OTMOVEIT3.EXE; HOSTSXPERT.EXE; DAFT.EXE; VIRUS.EXE;
      HIJACK-THIS.EXE; MRT.EXE; MRTSTUB.EXE; WINDOWS-KB890930-V2.2.EXE;
      HJ.EXE; ELISTA.EXE; PENCLEAN.EXE; MBAM-SETUP.EXE; MBAM.EXE; AVZ.EXE;
      JAJA.EXE; OTMOVEIT.EXE; MBAM-SETUP.EXE; REGMON.EXE; COMBO-FIX.EXE;
      COMBOFIX.BAT; COMBOFIX.SCR; COMBOFIX.COM; CMD.EXE; COMMAND.COM;
      NTVDM.EXE; GUARD.EXE; LISTO.EXE; TCPVIEW.EXE; REGEDIT.COM;
      REGEDIT.SCR; FOLDERCURE.EXE; KILLAUTOPLUS.EXE; MYPHOTOKILLER.EXE;
      REG.EXE; TASKKILL.EXE; AUTORUNS.EXE; SRENGPS.EXE; COMBOFIX.EXE;
      SDFIX.EXE; CATCHME.EXE; GMER.EXE; MBR.EXE; CF9409.EXE;
      REGUNLOCKER.EXE; TSNTEVAL.EXE; XP_TASKMGRENAB.EXE; SUPERANTISPYWARE.EXE;
      BOOTSAFE.EXE; SRESTORE.EXE; MSNCLEANER.EXE; BUSCAREG.EXE;
      KAKASETUPV6.EXE; SUPERKILLER.EXE; DUBATOOL_AV_KILLER.EXE;
      DELAYDELFILE.EXE; SEEM.EXE; BC5CA6A.EXE; ROOTALYZER.EXE;
      ROOTKITBUSTER.EXE; HELIOS.EXE; DARKSPY105.EXE; HOOKANLZ.EXE;
      PAVARK.EXE; SRENGLDR.EXE; APORTS.EXE; FPORT.EXE; PORTDETECTIVE.EXE;
      PORTMONITOR.EXE; NETSTAT.EXE; OLLYDBG.EXE; HJTINSTALL.EXE;
      HJTSETUP.EXE; HIJACKTHIS_SFX.EXE; HIJACKTHIS.EXE; HIJACKTHIS_V2.EXE;
      MSNFIX.EXE; PROCEXP.EXE; TASKMAN.EXE; TASKLIST.EXE; TASKMON.EXE;
      PSKILL.EXE; ROOTKITREVEALER.EXE; FSBL.EXE; FSB.EXE; AVGARKT.EXE;
      ROOTKIT_DETECTIVE.EXE; UNHACKME.EXE; HACKMON.EXE; RKD.EXE;
      ROOTKITNO.EXE; REANIMATOR.EXE; HOOKANLZ.EXE; ROOTREPEAL.EXE;
      ICESWORD.EXE; LORDPE.EXE; PG2.EXE; PROCDUMP.EXE; PROCESSMONITOR.EXE;
      SPYBOTSD160.EXE; TEATIMER.EXE; SPYBOTSD.EXE; WIRESHARK.EXE; APM.EXE;
      APT.EXE; ASVIEWER.EXE; CPORTS.EXE; CPROCESS.EXE; DLLCOMPARE.EXE;
      A2HIJACKFREESETUP.EXE; EULALYZERSETUP.EXE; FILEALYZ.EXE; FILEFIND.EXE;
      FIXPATH.EXE; HOSTSFILEREADER.EXE; IEFIX.EXE; AVENGER.EXE;
      INSTALLWATCHPRO25.EXE; KILLBOX.EXE; NETALYZ.EXE; OBJMONSETUP.EXE;
      PGSETUP.EXE; FIXBAGLE.EXE; CUREIT.EXE; PROCMON.EXE;
      PROJECTWHOISINSTALLER.EXE; REGALYZ.EXE; REGCOOL.EXE;
      REGISTRAR_LITE.EXE; REGSCANNER.EXE; REGSHOT.EXE; REGX2.EXE; SPF.EXE;
      SRENGLDR.EXE; STARTDRECK.EXE; SYSANALYZER_SETUP.EXE; UNIEXTRACT.EXE;
      UNLOCKER1.8.7.EXE; RAVP.EXE; MBAM.EXE; USBGUARD.EXE; AVZ.EXE; OTL.EXE;
      CPF.EXE; ZLCLIENT.EXE; 123.COM; 123.EXE


File details:
Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description created by Petre Galan on Tuesday, June 8, 2010
Description updated by Petre Galan on Tuesday, June 8, 2010
