Virus: TR/Rogue.KD.923372
Date discovered: 02/04/2013
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
File size: 146944 Bytes
MD5 checksum: fc077d70131dfe1b77262abf91423479
VDF version: 7.11.68.146 - Tuesday, April 2, 2013
IVDF version: 7.11.68.146 - Tuesday, April 2, 2013

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Sophos: Troj/Bdoor-BEZ
   • Bitdefender: Trojan.Generic.KD.923372
   • Eset: a variant of Win32/Injector.AERC trojan
   • DrWeb: Trojan.DownLoad.64636


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification


Right after execution the following information is displayed:


Files
It copies itself to the following locations:
   • %Temp%\%10 digit random character string% .pre
   • %Temp%\%random character string%\%10 digit random character string% .exe
   • C:\run\sample.exe



It deletes the initially executed copy of itself.



It deletes the following files:
   • %Temp%\%10 digit random character string% .pre
   • C:\run\sample.exe

Registry
One of the following values is added in order to run the process after reboot:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%Temp%\\%random character string%\\%random character string%.exe"



The following registry keys are added in order to load the service after reboot:

[HKLM\SYSTEM\ControlSet001\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\%Temp%\%10 random character string%.pre;"

Injection
It injects itself into all of the following processes:
   • %SYSDIR%\ctfmon.exe
   • %SYSDIR%\svchost.exe


Miscellaneous
Event handler:
It creates the following event handlers:
   • IsProcessorFeaturePresent
   • IsDebuggerPresent
   • CreateFile

Description created by Wensin Lee on Wednesday, April 3, 2013
Description updated by Wensin Lee on Wednesday, April 3, 2013
