需要修復電腦?
聘請專家
Virus:TR/Spy.ZBot.alj
Date discovered:28/08/2009
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low
File size:114688 Bytes
MD5 checksum:237f86451bbfb4341d130a5de71ca9e3
VDF version:7.01.05.178
IVDF version:7.01.05.179 - Friday, August 28, 2009

 General Method of propagation:
   • No own spreading routine


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification

 Files It copies itself to the following location:
   • %temp%\%10 digit random character string% .pre



It deletes the initially executed copy of itself.



The following file is created:

– %temp%\%random character string%\random character string%.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too.

 Registry One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%HOME%\%random character string%\%random character string%.exe"



The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\ControlSet001\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\%temp%\%10 digit random character string% .pre"

– [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\%temp%\%10 digit random character string% .pre"

 Miscellaneous Internet connection:
In order to check for its internet connection the following DNS servers are contacted:
   • zeo**********-gt.com
   • fen**********.com

說明撰寫者 Wensin Lee 開啟 2013年3月13日星期三
說明更新者 Wensin Lee 開啟 2013年3月13日星期三

返回 . . . .
https:// 為了你的安全,此視窗已加密。