需要修復電腦?
聘請專家
Virus:TR/Spy.ZBot.idk
Date discovered:18/12/2008
Type:Trojan
Subtype:Spy
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:No
IVDF version:7.01.00.251 - Thursday, December 18, 2008

 General Methods of propagation:
   • Email


Aliases:
   •  Kaspersky: Trojan-Spy.Win32.Zbot.idk
   •  F-Secure: Trojan-Spy:W32/Zbot.AAR
   •  Sophos: Mal/EncPk-CZ
   •  Eset: Win32/Spy.Zbot.CU trojan


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Registry modification
   • Steals information

 Files It copies itself to the following location:
   • %SYSDIR%\twext.exe




It tries to download a file:

– The location is the following:
   • http://sosfichier.com/**********er.exe
It is saved on the local hard drive under: %TEMPDIR%\4.tmp Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/Dropper.Gen

 Registry The following registry key is changed:

– [HKLM\software\microsoft\windows nt\currentversion\winlogon]
   Old value:
   • "userinit"="%SYSDIR%\userinit.exe,"
   New value:
   • "userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\twext.exe,"

 Backdoor The following port is opened:

– svchost.exe on a random TCP port


Contact server:
The following:
   • http://elenahysd.ru/**********/conf.bin

As a result it may send information and remote control could be provided.

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

說明撰寫者 Thomas Wegele 開啟 2008年12月18日星期四
說明更新者 Thomas Wegele 開啟 2008年12月18日星期四

返回 . . . .

© 2013 Avira Operations GmbH & Co. KG. 保留所有權利.

我的帳戶

https:// 為了你的安全,此視窗已加密。