Virus: TR/PSW.Magania.bgme
Date discovered: 17/06/2010
Type: Trojan
In the wild: Yes
Reported infections: Low
Distribution potential: Low to medium
Damage potential: Low to medium
Static file: Yes
File size: 104.476 Bytes
MD5 checksum: 6F7D0987DF91CCD605DD2A5DDD8E2987
IVDF version: 7.01.04.101 - Wednesday, June 17, 2009

General
Method of propagation:
   • Autorun feature


Aliases:
   • Symantec: W32.Gammima.AG
   • Kaspersky: Worm.Win32.AutoRun.gbp
   • TrendMicro: WORM_AUTORUN.DUY
   • F-Secure: Trojan.PWS.OnLineGames.KCMZ
   • Bitdefender: Trojan.PWS.OnLineGames.KCMZ
   • Microsoft: Worm:Win32/Taterf.B
   • AVG: Worm/AutoRun.GL
   • PCTools: Worm.AutoRun.gbp
   • VirusBuster: Worm.Taterf.ACC
   • Eset: Win32/PSW.OnLineGames.NNU
   • Sunbelt: Worm.Win32.AutoRun.gbp
   • GData: Trojan.PWS.OnLineGames.KCMZ
   • Authentium: W32/Onlinegames.BYF
   • DrWeb: Trojan.MulDrop.31605
   • Rising: Trojan.PSW.Win32.GameOnline.eri


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Downloads a file
   • Registry modification

Files
It copies itself to the following locations:
   • %SYSDIR%\olhrwef.exe
   • %drive%\fsaht.cmd



It deletes the initially executed copy of itself.



It deletes the following files:
   • C:\fsaht.cmd
   • %TEMPDIR%\am1.rar



The following files are created:

%drive%\autorun.inf
This is a non-malicious text file with the following content:
   • %code that runs malware%

%SYSDIR%\nmdfgds0.dll
Furthermore, it is executed once it has been fully written. Further investigation showed that this file is malware, too.



It tries to download a file:

The location is the following:
   • http://ngjk34.net/mg/****
It is saved on the local hard drive under:
   • %TEMPDIR%\am1.rar

Registry
The following registry key is added:

[HKLM\SYSTEM\CurrentControlSet\Services\AVPsys]
   • "Type"=dword:00000001
   • "Start"=dword:00000003
   • "ErrorControl"=dword:00000001
   • "ImagePath"=%SYSDIR%\drivers\cdaudio.sys
   • "DisplayName"="AVPsys"

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX
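A small triage helper for the host artefacts listed above (the dropped files, the drive-root autorun.inf and fsaht.cmd, and the AVPsys service key). This is an added example written for this page, not Avira's own tooling; it assumes %SYSDIR% resolves to C:\WINDOWS\system32, runs over constructed input (a simulated directory listing and a simplified reg-export text in which ImagePath is a plain string rather than a hex(2) REG_EXPAND_SZ), and matches paths case-insensitively because NTFS only preserves case.

```python
"""Match the file and registry indicators from the TR/PSW.Magania.bgme write-up."""
import re

# Indicators from the description, with %SYSDIR% resolved (assumption: XP-style path).
DROPPED_FILES = {
    r"c:\windows\system32\olhrwef.exe",
    r"c:\windows\system32\nmdfgds0.dll",
    r"c:\windows\system32\drivers\cdaudio.sys",
}
DRIVE_ROOT_FILES = {"fsaht.cmd", "autorun.inf"}   # %drive%\<name>
SERVICE_KEY = r"hklm\system\currentcontrolset\services\avpsys"


def scan_file_listing(lines):
    """Return the listed paths that match a dropped file or a drive-root indicator."""
    hits = []
    for raw in lines:
        path = raw.strip().lower()
        if path in DROPPED_FILES:
            hits.append(path)
        else:
            # Drive-root match only: "<letter>:\<name>" with nothing deeper.
            m = re.fullmatch(r"[a-z]:\\([^\\]+)", path)
            if m and m.group(1) in DRIVE_ROOT_FILES:
                hits.append(path)
    return hits


def parse_reg_export(text):
    """Parse simplified reg-export text into {key: {value_name: value}} (lower-cased)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"').lower()] = value.strip().strip('"').lower()
    return keys


def suspicious_service(keys):
    """True when the AVPsys service key exists and loads drivers\\cdaudio.sys."""
    return keys.get(SERVICE_KEY, {}).get("imagepath", "").endswith(r"drivers\cdaudio.sys")


# Constructed sample input: one infected host with a removable drive mounted as E:.
SAMPLE_LISTING = [r"C:\WINDOWS\system32\olhrwef.exe", r"E:\fsaht.cmd", r"E:\autorun.inf",
                  r"E:\photos\autorun.inf", r"C:\WINDOWS\system32\kernel32.dll"]
SAMPLE_REG = r"""[HKLM\SYSTEM\CurrentControlSet\Services\AVPsys]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="C:\WINDOWS\system32\drivers\cdaudio.sys"
"DisplayName"="AVPsys"
"""
```

The nested E:\photos\autorun.inf is deliberately not flagged, since the description places the file only at the drive root.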

Description written by Irina Diaconescu on Tuesday, 2 November 2010
Description updated by Irina Diaconescu on Monday, 8 November 2010
