需要修復電腦?
聘請專家
Virus:Worm/Kolab.xaq.1
Date discovered:29/03/2011
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:65.544 Bytes
MD5 checksum:bf35c5e7fca040e42f8ad5bd4eaabd78
VDF version:7.11.05.106 - Tuesday, March 29, 2011
IVDF version:7.11.05.106 - Tuesday, March 29, 2011

 General Aliases:
   •  Kaspersky: Worm.Win32.AutoRun.cewu
   •  F-Secure: Worm.Win32.AutoRun.cewu
   •  Bitdefender: Trojan.Generic.KD.170515
     GData: Trojan.Generic.KD.170515
     DrWeb: Win32.HLLW.Podol.1


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following location:
   • %TEMPDIR%\srv%random character string%.tmp

 Registry The following registry keys are added in order to load the service after reboot:

[HKLM\SYSTEM\CurrentControlSet\Services\
   srv%random character string%]
   • "DisplayName"="srv%random character string%"
   • "ErrorControl"=dword:0x00000001
   • "ImagePath"="%systemroot%\system32\svchost.exe -k netsvcs"
   • "ObjectName"="LocalSystem"
   • "Start"=dword:0x00000002
   • "Type"=dword:0x00000020



The following registry keys are added:

[HKLM\SYSTEM\CurrentControlSet\Services\
   srv%random character string%\parameters]
   • "servicedll"="\\?\globalroot\Device\HarddiskVolume1\%TEMPDIR%\srv%random character string%.tmp"

[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
   srv%random character string%]
   • "@"="service"



The following registry key is changed:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
   New value:
   • "netsvcs"=hex:36,74,6F,34,00,41,70,70,4D,67,6D,74,00,41,75,64,69,6F,53,72,76,00,42,72,6F,77,73,65,72,00,43,72,79,70,74,53,76,63,00,44,4D,53,65,72,76,65,72,00,44,48,43,50,00,45,76,65,6E,74,53,79,73,74,65,6D,00,46,61,73,74,55,73,65,72,53,77,69,74,63,68,69,6E,67,43,6F,6D,70,61,74,69,62,69,6C,69,74,79,00,48,69,64,53,65,72,76,00,49,61,73,00,49,70,72,69,70,00,49,72,6D,6F,6E,00,4C,61,6E,6D,61,6E,53,65,72,76,65,72,00,4C,61,6E,6D,61,6E,57,6F,72,6B,73,74,61,74,69,6F,6E,00,4E,65,74,6D,61,6E,00,4E,6C,61,00,4E,57,43,57,6F,72,6B,73,74,61,74,69,6F,6E,00,4E,77,73,61,70,61,67,65,6E,74,00,52,61,73,61,75,74,6F,00,52,61,73,6D,61,6E,00,52,65,6D,6F,74,65,61,63,63,65,73,73,00,53,63,68,65,64,75,6C,65,00,53,65,63,6C,6F,67,6F,6E,00,53,45,4E,53,00,53,68,61,72,65,64,61,63,63,65,73,73,00,53,52,53,65,72,76,69,63,65,00,54,61,70,69,73,72,76,00,54,68,65,6D,65,73,00,54,72,6B,57,6B,73,00,57,33,32,54,69,6D,65,00,57,5A,43,53,56,43,00,57,6D,69,00,57,6D,64,6D,50,6D,53,70,00,77,69,6E,6D,67,6D,74,00,78,6D,6C,70,72,6F,76,00,6E,61,70,61,67,65,6E,74,00,68,6B,6D,73,76,63,00,42,49,54,53,00,77,75,61,75,73,65,72,76,00,53,68,65,6C,6C,48,57,44,65,74,65,63,74,69,6F,6E,00,00

 Miscellaneous Accesses internet resources:
   • http://94.75.193.21/service/**********?affid=%number%
   • http://82.192.88.10//**********
   • http://82.192.88.10//**********
   • http://94.75.193.21/service/scripts/files/**********

 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

說明撰寫者 Petre Galan 開啟 2011年6月27日星期一
說明更新者 Petre Galan 開啟 2011年6月27日星期一

返回 . . . .
https:// 為了你的安全,此視窗已加密。