Avira Virenlabor

‹ zurück

TR/Rogue.585728.186

Zusammenfassung
  • Name
    TR/Rogue.585728.186
  • Entdeckt am
    01.10.2015
  • VDF Version
    7.11.240.140 (2015-06-13 14:27)
Vollständige Beschreibung

Bei der Bezeichnung 'TR' handelt es sich um ein Trojanisches Pferd, dass in der Lage ist, ihre Daten auszuspähen, Ihre Privatsphäre zu verletzen und nicht erwünschte Änderungen am System vornehmen kann.

  • VDF
    7.11.240.140 (2015-06-13 14:27)
  • Alias
    Avast: Win32:Crypt-MTV
    ClamAV: W32.Mabezat-1
    Microsoft: Virus:Win32/Mabezat.gen
    G Data: Trojan.Generic.14703399
    Bitdefender: Trojan.Generic.14703399
  • Dateien
    Die folgenden Dateien werden geändert:
    • %SYSDIR%\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
    • %SYSDIR%\CatRoot2\edb.chk
    • %SYSDIR%\wbem\Logs\wmiprov.log
    • %WINDIR%\SoftwareDistribution\DataStore\DataStore.edb
    • %WINDIR%\SoftwareDistribution\DataStore\Logs\edb.chk
    • %WINDIR%\SoftwareDistribution\DataStore\Logs\edb.log
    Die folgenden Dateien werden gelöscht:
    • %WINDIR%\SoftwareDistribution\DataStore\Logs\tmp.edb
  • Einschleusungen
    • %SYSDIR%\cmd.exe
    • %SYSDIR%\ipconfig.exe
    • %DISKDRIVE%\hips\loader.exe
    • %FILE_PATH%
    • {<-%SYSDIR%\DINPUT8.dll}
    • \SystemRoot\System32\smss.exe{<-%SYSDIR%\DINPUT8.dll}
    • \??\%SYSDIR%\csrss.exe{<-%SYSDIR%\DINPUT8.dll}
    • \??\%SYSDIR%\winlogon.exe{<-%SYSDIR%\DINPUT8.dll}
    • %SYSDIR%\services.exe{<-%SYSDIR%\DINPUT8.dll}
    • %SYSDIR%\lsass.exe{<-%SYSDIR%\DINPUT8.dll}
    • %PROGRAM FILES%\VMware\VMware Tools\vmacthlp.exe{<-%SYSDIR%\DINPUT8.dll}
    • %SYSDIR%\svchost.exe{<-%SYSDIR%\DINPUT8.dll}
    • %WINDIR%\System32\svchost.exe{<-%SYSDIR%\DINPUT8.dll}
    • %SYSDIR%\spoolsv.exe{<-%SYSDIR%\DINPUT8.dll}
    • %WINDIR%\Explorer.EXE{<-%SYSDIR%\DINPUT8.dll}
    • %WINDIR%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe{<-%SYSDIR%\DINPUT8.dll}
    • %PROGRAM FILES%\FileZilla Server\FileZilla Server.exe{<-%SYSDIR%\DINPUT8.dll}
    • %PROGRAM FILES%\Java\jre6\bin\jqs.exe{<-%SYSDIR%\DINPUT8.dll}
    • %PROGRAM FILES%\VMware\VMware Tools\vmtoolsd.exe{<-%SYSDIR%\DINPUT8.dll}
    • %SYSDIR%\wuauclt.exe{<-%SYSDIR%\DINPUT8.dll}
    • %SYSDIR%\wbem\wmiprvse.exe{<-%SYSDIR%\DINPUT8.dll}
    • %PROGRAM FILES%\VMware\VMware Tools\VMwareTray.exe{<-%SYSDIR%\DINPUT8.dll}
    • %PROGRAM FILES%\Adobe\Reader 9.0\Reader\Reader_sl.exe{<-%SYSDIR%\DINPUT8.dll}
    • %PROGRAM FILES%\WinPcap\rpcapd.exe{<-%SYSDIR%\DINPUT8.dll}
    • %WINDIR%\System32\alg.exe{<-%SYSDIR%\DINPUT8.dll}
    • %SYSDIR%\wscntfy.exe{<-%SYSDIR%\DINPUT8.dll}
    • \\?\%SYSDIR%\WBEM\WMIADAP.EXE{<-%SYSDIR%\DINPUT8.dll}
    • %DISKDRIVE%\hips\vhsnz.exe{<-%SYSDIR%\DINPUT8.dll}
    • %SYSDIR%\cmd.exe{<-%SYSDIR%\DINPUT8.dll}
    • %SYSDIR%\ipconfig.exe{<-%SYSDIR%\DINPUT8.dll}
    • %DISKDRIVE%\hips\loader.exe{<-%SYSDIR%\DINPUT8.dll}
  • Registry
    Folgende Registryeinträge werden hinzugefügt:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication ("Name": "sample.exe")
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithProgids ("AIFFFile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithProgids ("AIFFFile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithProgids ("AIFFFile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\OpenWithProgids ("ASFFile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithProgids ("ASXFile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithProgids ("AUFile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\OpenWithProgids ("avifile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithProgids ("Paint.Picture": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.css\OpenWithProgids ("CSSfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\OpenWithProgids ("Paint.Picture": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc\OpenWithProgids ("WordPad.Document.1": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dvr-ms\OpenWithProgids ("WMP.DVR-MSFile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\OpenWithProgids ("emffile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\OpenWithProgids ("giffile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithProgids ("FirefoxHTML": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithProgids ("FirefoxHTML": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithProgids ("icofile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ivf\OpenWithProgids ("IVFfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\OpenWithProgids ("pjpegfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\OpenWithProgids ("jpegfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\OpenWithProgids ("jpegfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithProgids ("jpegfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\OpenWithProgids ("mpegfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\OpenWithProgids ("m3ufile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithProgids ("midfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\OpenWithProgids ("midfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithProgids ("mpegfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\OpenWithProgids ("mpegfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\OpenWithProgids ("mp3file": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\OpenWithProgids ("mpegfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\OpenWithProgids ("mpegfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\OpenWithProgids ("mpegfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\OpenWithProgids ("mpegfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\OpenWithProgids ("mpegfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithProgids ("pngfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithProgids ("midfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rtf\OpenWithProgids ("rtffile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithProgids ("FirefoxHTML": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithProgids ("AUFile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\OpenWithProgids ("TIFImage.Document": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\OpenWithProgids ("TIFImage.Document": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids ("txtfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\OpenWithProgids ("soundrec": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\OpenWithProgids ("WAXFile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp\OpenWithProgids ("wdpfile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\OpenWithProgids ("ASFFile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\OpenWithProgids ("WMAFile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\OpenWithProgids ("wmffile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\OpenWithProgids ("WMVFile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\OpenWithProgids ("ASXFile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\OpenWithProgids ("WPLFile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wri\OpenWithProgids ("wrifile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithProgids ("WVXFile": %hex values%)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithProgids ("CompressedFolder": %hex values%)