需要修復電腦?
聘請專家
Virus:TR/Spy.ZBot.pcp
Date discovered:15/07/2010
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:118272 Bytes
MD5 checksum:8603e529ee23ac7e1213d5b5e14c66d7
VDF version:7.10.04.13
IVDF version:7.10.09.92 - Thursday, July 15, 2010

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan.Win32.Scar.cndh
   •  TrendMicro: TROJ_MEREDROP.SY
   •  F-Secure: Trojan.Win32.Scar.cndh
   •  Eset: Win32/Spy.Zbot.YW


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Downloads a file
   • Drops files
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\sdra64.exe



It creates the following directory:
   • %SYSDIR%\lowsec



The following files are created:

– Non malicious files:
   • %SYSDIR%\lowsec\user.ds
   • %SYSDIR%\lowsec\local.ds
   • %SYSDIR%\lowsec\user.ds.lll




It tries to download a file:

– The location is the following:
   • http://113.11.194.175/us/**********

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\software\microsoft\windows nt\currentversion\winlogon]
   • "userinit"="%SYSDIR%\userinit.exe,,%SYSDIR%\sdra64.exe,"



The following registry keys are added:

– [HKCU\software\microsoft\windows\currentversion\explorer\
   {35106240-D2F0-DB35-716E-127EB80A0299}\
   {33373039-3132-3864-6B30-303233343434}]
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
   • "UID"="%computer name%_B4DF76112BF9218C"

– [HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
   • "UID"="%computer name%_B4DF76112BF9218C"

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "ParseAutoexec"="1"



The following registry keys are changed:

Deactivate Windows Firewall:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile]
   New value:
   • "EnableFirewall"=dword:00000000

Deactivate Windows Firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile]
   New value:
   • "EnableFirewall"=dword:00000000

 Injection – It injects itself as a remote thread into a process.

    Process name:
   • svchost.exe



– It injects itself as a remote thread into a process.

    Process name:
   • services.exe


 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

說明撰寫者 Ana Maria Niculescu 開啟 2010年9月16日星期四
說明更新者 Ana Maria Niculescu 開啟 2010年9月16日星期四

返回 . . . .
https:// 為了你的安全,此視窗已加密。