Virus: TR/Matsnu.EB.114
Date discovered: 24/05/2013
Type: Trojan
In the wild: No
Reported Infections: Medium
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 118.784 Bytes
MD5 checksum: 779048509F603D4C8D0E64700F94D1BD
VDF version: 7.11.79.246 - Friday, May 24, 2013
IVDF version: 7.11.79.246 - Friday, May 24, 2013

 General Methods of propagation:
   • Email
   • By visiting infected websites


Aliases:
   • Kaspersky: Trojan-Ransom.Win32.Foreign.csil
   • Bitdefender: Trojan.GenericKD.1008662
   • Microsoft: Trojan:Win32/Matsnu
   • GData: Trojan.GenericKD.1008662


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Can be used to execute malicious code
   • Registry modification


Right after execution the following information is displayed:


Files:

It copies itself to the following location:
   • %HOME%\Appdata\%nine-digit random character string%\%10 digit random character string% .exe



The following file is created:

– A file that is for temporary use and it might be deleted afterwards:
   • C:\Temp\%10 digit random character string% .pre

Registry:

The following registry key is added in order to run the process after reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
   %eight-digit random character string% ]
   • %HOME%\Appdata\%nine-digit random character string%\%10 digit random character string% .exe



The following registry key is changed:

[HKLM\System\CurrentControlSet\Control\Session Manager\
   PendingFileRenameOperations]
   New value:
   • \??\C:\Temp\%10 digit random character string% .pre,

Miscellaneous:

Checks for an internet connection by contacting the following web site:
   • nv**********ieg.com

Accesses internet resources:
   • http://nv**********ieg.com/inbox.php?**********

Description inserted by Jan-Eric Herting on Sunday, May 26, 2013
Description updated by Jan-Eric Herting on Sunday, May 26, 2013
