Avira Virus Lab

TR/Agent.311296

  • Name
    TR/Agent.311296
  • Discovered
    06 Jan 2016
  • Type
    Malware
  • Impact
    Medium
  • Reported infections
    Low
  • Operating system
    Windows
  • VDF version
    6.37.00.56 (2006-12-22 05:31)

The 'TR' prefix denotes a trojan: a program that can spy out personal data, violate the user's privacy and make unwanted changes to the system.

  • Aliases
    ClamAV: Win.Trojan.716080
    Dr. Web: Trojan.DownLoader5.3892
    F-PROT: W32/Heuristic-210!Eldorado (damaged, not disinfectable)
    Trend Micro: Cryp_Xed-12
    Microsoft: Trojan:Win32/Sisproc!gmb
    G Data: Trojan.Generic.7062070
    Kaspersky Lab: HEUR:Trojan.Win32.Generic
    Bitdefender: Trojan.Generic.7062070
    ESET: Win32/HackTool.Inject.O potentially unsafe application
  • Files
    The following files were created (GIFviewer.ocx and its .oca type-library cache are the dropped ActiveX control; the WMSDKNS.XML, index.dat, wbemcore.log and Prefetch entries further down are side effects of Windows Media Player, Internet Explorer and WMI activity during the analysis run):
    • %PROGRAM FILES%\Windows Media Player\E991 music.mp3
    • %SYSDIR%\GIFviewer.ocx
    • %SYSDIR%\GIFviewer.oca
    • %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML.bak
    • %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML.done
    The following files were deleted:
    • %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML.bak
    • %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML.done
    The following files were modified:
    • %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML
    • %temporary internet files%\Content.IE5\index.dat
    • %USERPROFILE%\Cookies\index.dat
    • %USERPROFILE%\Local Settings\History\History.IE5\index.dat
    • %SYSDIR%\wbem\Logs\wbemcore.log
    • %WINDIR%\Prefetch\WMIADAP.EXE-2DF425B2.pf
  • Registry
    The following registry entries are added (the HKEY_CLASSES_ROOT TypeLib, Interface, CLSID and ProgID entries are the standard self-registration (DllRegisterServer) entries of the dropped GIFviewer.ocx control; {00020424-0000-0000-C000-000000000046} and {00020420-0000-0000-C000-000000000046} are the stock automation proxy/stub CLSIDs, not something the sample invented):
    • HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General ("UniqueID": "{D5C1C805-DB09-4907-8C8D-A13B08342786}"; "ComputerName": "TESPC0"; "VolumeSerialNumber": dword:ecded8ee)
    • HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS ("ProxyStyle": dword:00000000; "ProxyName": ""; "ProxyPort": dword:000006db; "ProxyBypass": dword:00000000; "ProxyExclude": "")
    • HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP ("ProxyStyle": dword:00000001; "ProxyName": ""; "ProxyPort": dword:00000050; "ProxyBypass": dword:00000000; "ProxyExclude": "")
    • HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP ("ProxyStyle": dword:00000000; "ProxyName": ""; "ProxyPort": dword:0000022a; "ProxyBypass": dword:00000000; "ProxyExclude": "")
    • HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying ("InitFlags": dword:00000001)
    • HKEY_CLASSES_ROOT\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0 (@: "WelchGIFviewer")
    • HKEY_CLASSES_ROOT\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\FLAGS (@: "2")
    • HKEY_CLASSES_ROOT\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32 (@: "%SYSDIR%\GIFviewer.ocx")
    • HKEY_CLASSES_ROOT\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\HELPDIR (@: "%SYSDIR%")
    • HKEY_CLASSES_ROOT\Interface\{08D24088-19F0-490A-93C8-84B68381D155} (@: "ucAniGIF")
    • HKEY_CLASSES_ROOT\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid (@: "{00020424-0000-0000-C000-000000000046}")
    • HKEY_CLASSES_ROOT\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32 (@: "{00020424-0000-0000-C000-000000000046}")
    • HKEY_CLASSES_ROOT\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib (@: "{3383D1F1-029B-43B1-8733-289322EA85FA}"; "Version": "1.0")
    • HKEY_CLASSES_ROOT\Interface\{C40DE621-5879-4553-882A-EA3F1109E290} (@: "ucAniGIF")
    • HKEY_CLASSES_ROOT\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid (@: "{00020420-0000-0000-C000-000000000046}")
    • HKEY_CLASSES_ROOT\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32 (@: "{00020420-0000-0000-C000-000000000046}")
    • HKEY_CLASSES_ROOT\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib (@: "{3383D1F1-029B-43B1-8733-289322EA85FA}"; "Version": "1.0")
    • HKEY_CLASSES_ROOT\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0} (@: "WelchGIFviewer.ucAniGIF")
    • HKEY_CLASSES_ROOT\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ProgID (@: "WelchGIFviewer.ucAniGIF")
    • HKEY_CLASSES_ROOT\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control (@: "")
    • HKEY_CLASSES_ROOT\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32 (@: "%SYSDIR%\GIFviewer.ocx, 30000")
    • HKEY_CLASSES_ROOT\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus (@: "0")
    • HKEY_CLASSES_ROOT\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1 (@: "147857")
    • HKEY_CLASSES_ROOT\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib (@: "{3383D1F1-029B-43B1-8733-289322EA85FA}")
    • HKEY_CLASSES_ROOT\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION (@: "1.0")
    • HKEY_CLASSES_ROOT\WelchGIFviewer.ucAniGIF (@: "WelchGIFviewer.ucAniGIF")
    • HKEY_CLASSES_ROOT\WelchGIFviewer.ucAniGIF\Clsid (@: "{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}")
    • HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device ("FriendlyName": "Default MidiOut Device"; "CLSID": "{07B65360-C445-11CE-AFDE-00AA006C14F4}"; "FilterData": %hex values%; "MidiOutId": dword:ffffffff)
    • HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device ("FriendlyName": "Default DirectSound Device"; "CLSID": "{79376820-07D0-11CF-A24D-0020AFD79767}"; "FilterData": %hex values%; "DSGuid": "{00000000-0000-0000-0000-000000000000}")
    Values under the following registry keys are removed:
    • HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Settings (Client ID: -)
    The following registry entries are changed:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Namespace ("LocalDelta": "%USERPROFILE%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML"; "RemoteDelta": "%USERPROFILE%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSR.XML")
    • HKEY_CLASSES_ROOT\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\InprocServer32 (@: "%SYSDIR%\GIFviewer.ocx"; ThreadingModel: -)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ("aFormatTagCache": %hex values%; "cFilterTags": dword:00000000)
    • HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache ("0": %hex values%; 1: -)
  • HTTP requests (part of each hostname is masked with *****)
    • toyibg.*****pot.ro/
    • ajax.*****eapis.com/ajax/libs/mootools/1.2.4/mootools-yui-compressed.js
    • www.*****ip.co.uk/ip-address/?size=125x125
    • www.*****d.net/?page=get_time_info&ver=1&type=8&id=1405311278&scode=2782&city_id=18977&wlangid=1&mode=1&details=0&background=rgba(0,0,0,0.6)&color=ffffff&add_background=ffffff&add_color=ffffff&head_color=ffffff&border=0&transparent=1
    • toyibg.*****pot.ro/js/cookiechoices.js
    • toyibg.*****pot.ro/YOUR-FAVICON-URL
    • js-agent.*****lic.com/nr-768.min.js
    • toyibg.*****pot.ro/favicon.ico
    • g.*****.com/
    • www.*****tmeineip.de/?size=125x125
    • bam.*****ta.net/1/92a411bc23?a=4058140,2334836&pl=1452031481367&v=768.2acc9fa&to=YlNSbUYAV0IFBhdaWVsZZUtdTlVYCg5OV1NZU0RcUE9JWRQ%3D&be=23978&fe=4394&dc=3367&f=%5B%5D&perf=%7B%22timing%22:%7B%22of%22:1452031481367,%22n%22:0,%22dl%22:19850,%22di%22:27113,%22ds%22:27333,%22de%22:27333,%22dc%22:28359,%22l%22:28359,%22le%22:28361,%22r%22:1056,%22re%22:4105,%22f%22:4105,%22dn%22:13148,%22dne%22:13148,%22c%22:4105,%22ce%22:4105,%22rq%22:13235,%22rp%22:13480,%22rpe%22:13480%7D,%22navigation%22:%7B%22rc%22:1%7D%7D&at=ThRRGw4aREw%3D&jsonp=NREUM.setToken
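To use the file and registry lists above in triage, here is an added Python example (not Avira's code) that matches a directory listing and a .reg export against them, rating each artifact by how specific it is to this sample: the dropped GIFviewer.ocx/.oca control, its COM registration (CLSID {7D518439-...}, TypeLib {3383D1F1-...}, ProgID WelchGIFviewer.ucAniGIF) and the E991 music.mp3 file are sample-specific, while the WMSDKNS.XML and Prefetch entries are housekeeping that Windows Media Player and WMI produce during any run. The placeholder expansions, the file listing and the registry excerpt are assumptions constructed for the example.

```python
"""Offline check of a file listing and a .reg export against the host
artifacts in the Avira report for TR/Agent.311296 (added example)."""
import re

# Regex fragments for the report's path placeholders.  The layouts covered
# (XP-style and Vista+ profiles, 32- and 64-bit system directories) are an
# assumption; the report only names the placeholders.
PLACEHOLDER_RE = {
    "%PROGRAM FILES%": r"[A-Z]:\\Program Files( \(x86\))?",
    "%SYSDIR%": r"[A-Z]:\\Windows\\(system32|SysWOW64)",
    "%WINDIR%": r"[A-Z]:\\Windows",
    "%USERPROFILE%": r"[A-Z]:\\(Documents and Settings|Users)\\[^\\]+",
}
_SPLIT = re.compile("(" + "|".join(map(re.escape, PLACEHOLDER_RE)) + ")", re.I)


def ioc_to_regex(ioc):
    """Anchored, case-insensitive regex for a report path: literal pieces
    are escaped, placeholders replaced by the fragments above."""
    parts = [PLACEHOLDER_RE.get(p.upper()) or re.escape(p)
             for p in _SPLIT.split(ioc) if p]
    return re.compile("^" + "".join(parts) + "$", re.I)


# 'strong' = specific to this sample (the dropped control and the MP3);
# 'weak' = Windows Media Player / WMI housekeeping that benign use also leaves.
FILE_IOCS = {
    r"%PROGRAM FILES%\Windows Media Player\E991 music.mp3": "strong",
    r"%SYSDIR%\GIFviewer.ocx": "strong",
    r"%SYSDIR%\GIFviewer.oca": "strong",
    r"%USERPROFILE%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML": "weak",
    r"%WINDIR%\Prefetch\WMIADAP.EXE-2DF425B2.pf": "weak",
}
FILE_PATTERNS = [(ioc_to_regex(p), p, s) for p, s in FILE_IOCS.items()]

# Registry keys, matched as prefixes.  The CLSID/TypeLib/ProgID set is the
# COM registration of the dropped control; the player settings are noise.
REG_IOCS = {
    r"HKEY_CLASSES_ROOT\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}": "strong",
    r"HKEY_CLASSES_ROOT\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}": "strong",
    r"HKEY_CLASSES_ROOT\WelchGIFviewer.ucAniGIF": "strong",
    r"HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings": "weak",
}


def scan_files(paths):
    """[(path, ioc, strength)] for every path that matches a file indicator."""
    return [(path, ioc, s) for path in paths
            for rx, ioc, s in FILE_PATTERNS if rx.match(path)]


def scan_reg_export(reg_text):
    """[(key, ioc, strength)] for every [key] line of a .reg export that is
    an indicator key or lies beneath one."""
    hits = []
    for line in reg_text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and line.endswith("]")):
            continue
        key = line[1:-1]
        for ioc, s in REG_IOCS.items():
            low = ioc.lower()
            if key.lower() == low or key.lower().startswith(low + "\\"):
                hits.append((key, ioc, s))
    return hits


def verdict(hits):
    """'strong' if any sample-specific artifact is present, 'weak' if only
    housekeeping side effects are, otherwise 'clean'."""
    seen = {h[2] for h in hits}
    return "strong" if "strong" in seen else "weak" if seen else "clean"


# Constructed sample evidence (not from the report): a directory walk and a
# `reg export` excerpt from a suspected host.
SAMPLE_FILES = [
    r"C:\Windows\System32\gifviewer.ocx",
    r"C:\Program Files\Windows Media Player\E991 music.mp3",
    r"C:\Windows\Prefetch\WMIADAP.EXE-2DF425B2.pf",
    r"C:\Windows\System32\kernel32.dll",
]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}]
@="WelchGIFviewer.ucAniGIF"

[HKEY_CLASSES_ROOT\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\InprocServer32]
@="C:\\Windows\\system32\\GIFviewer.ocx"

[HKEY_CLASSES_ROOT\CLSID\{00020424-0000-0000-C000-000000000046}]
@="PSOAInterface"
"""

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES) + scan_reg_export(SAMPLE_REG)
    for path_or_key, ioc, strength in hits:
        print(f"{strength:6} {path_or_key}  <-  {ioc}")
    print("verdict:", verdict(hits))
```

Matching is case-insensitive because NTFS and the registry are; the stock {00020424-...} proxy/stub key in the sample export deliberately does not match, since it exists on every Windows install.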

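The HTTP list above mixes the sample's own destination with third-party resources that many legitimate pages load (a JavaScript CDN, an IP-lookup widget, a time-info widget, a browser-monitoring beacon with an NREUM jsonp callback), and part of each hostname is masked with *****. The following added Python example (not Avira's tooling) turns the masked URLs into host patterns plus path checks and runs them over proxy log lines, counting only the first-party host as grounds to flag a client. The log line format and the hostnames in the sample lines are constructed stand-ins that satisfy the masked patterns, not the real domains.

```python
"""Match proxy log lines against the masked HTTP indicators in the Avira
report for TR/Agent.311296 (added example, not Avira's tooling)."""
import re
from urllib.parse import urlsplit

# URLs as the report prints them, with the ***** masking kept.  Only the
# first-party host is treated as a real indicator; the JS CDN, IP-lookup
# widget and monitoring beacon are fetched by plenty of legitimate pages.
NETWORK_IOCS = {
    "toyibg.*****pot.ro/": "strong",
    "toyibg.*****pot.ro/js/cookiechoices.js": "strong",
    "www.*****ip.co.uk/ip-address/?size=125x125": "weak",
    "ajax.*****eapis.com/ajax/libs/mootools/1.2.4/mootools-yui-compressed.js": "weak",
    "js-agent.*****lic.com/nr-768.min.js": "weak",
}


def masked_to_regex(host):
    """Anchored host regex in which each run of asterisks stands for the
    hidden characters; the visible labels are matched literally."""
    parts = map(re.escape, re.split(r"\*{2,}", host))
    return re.compile("^" + "[^/]+".join(parts) + "$", re.I)


def _host_and_path(ioc):
    host, _, rest = ioc.partition("/")
    return masked_to_regex(host), "/" + rest.split("?", 1)[0]


# Longest path first so a specific URL wins over the bare-host entry ("/").
NETWORK_PATTERNS = sorted(
    ((*_host_and_path(ioc), ioc, s) for ioc, s in NETWORK_IOCS.items()),
    key=lambda t: -len(t[1]))


def match_url(url):
    """(ioc, strength) for the first indicator a URL matches, else None.
    A bare-host indicator (path '/') covers every path on that host."""
    u = urlsplit(url if "://" in url else "http://" + url)
    for host_rx, path, ioc, s in NETWORK_PATTERNS:
        if host_rx.match(u.hostname or "") and path in ("/", u.path or "/"):
            return ioc, s
    return None


def scan_log(lines):
    """Parse constructed proxy lines '<time> <client> <method> <url> <status>'
    into [(client, url, ioc, strength)] for each request hitting an indicator."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 4:
            continue
        m = match_url(f[3])
        if m:
            hits.append((f[1], f[3], m[0], m[1]))
    return hits


def flagged_clients(hits):
    """Clients that contacted a strong indicator; weak hits alone do not count."""
    return sorted({client for client, _, _, s in hits if s == "strong"})


# Constructed proxy lines (not from the report).  The hostnames are made-up
# stand-ins that satisfy the masked patterns, not the real domains.
SAMPLE_LOG = [
    "2016-01-06T10:00:01Z 10.0.0.5 GET http://toyibg.examplepot.ro/ 200",
    "2016-01-06T10:00:02Z 10.0.0.5 GET http://toyibg.examplepot.ro/js/cookiechoices.js 200",
    "2016-01-06T10:00:03Z 10.0.0.5 GET http://ajax.exampleapis.com/ajax/libs/mootools/1.2.4/mootools-yui-compressed.js 200",
    "2016-01-06T10:00:04Z 10.0.0.7 GET http://www.exampleip.co.uk/ip-address/?size=125x125 200",
    "2016-01-06T10:00:05Z 10.0.0.9 GET http://www.example.org/index.html 200",
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for client, url, ioc, s in hits:
        print(f"{s:6} {client} {url}  <-  {ioc}")
    print("flagged:", flagged_clients(hits))
```

Because the masked part of a hostname is unknown, the patterns are anchored at both ends so that a lookalike such as a subdomain of an unrelated domain does not match; the client that fetched only the IP-lookup widget is reported but not flagged.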