PCの修理が必要ですか?
専門家に頼む
Virus:WORM/AutoIt.267197
Date discovered:19/09/2008
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
File size:345021 Bytes
MD5 checksum:98484fa2cf91a4eb7216b2bee377645e
VDF version:7.00.06.184
IVDF version:7.00.06.186 - Friday, September 19, 2008

 General Method of propagation:
   • Messenger


Aliases:
   •  Kaspersky: Worm.Win32.AutoIt.cb
   •  F-Secure: Worm.Win32.AutoIt.cb
   •  Sophos: W32/Sohana-BN
   •  Microsoft: Worm:Win32/Nuqel.BE
   •  AVG: Dropper.Generic4.CAYF
   •  Eset: Win32/Autoit.EP.Gen worm
   •  GData: Worm.Generic.39636


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Can be used to execute malicious code
   • Downloads malicious files
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\gphone.exe
   • %WINDIR%\gphone.exe

%SYSDIR%\autorun.ini This is a non malicious text file with the following content:
   • [Autorun]
     Open=gphone.exe
     Shellexecute=gphone.exe
     Shell\Open\command=gphone.exe
     Shell=Open

 Registry One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Yahoo Messengger"="%SYSDIR%\gphone.exe"



The following registry keys are added in order to load the service after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   • "NofolderOptions"="dword:0x00000001"



The following registry key is added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   • "DisableRegistryTools"="dword:0x00000001"
   • "DisableTaskMgr"="dword:0x00000001"



The following registry key is changed:

Internet Explorer's start page:

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   Old value:
   • "Start Page"="about:blank"
   New value:
   • "Start Page"="http://googleinindia.blogspot.com"

– [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
   Old value:
   • "Default_Page_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
   • "Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
   • "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
   • "Start Page"="http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home"
   New value:
   • "Default_Page_URL"="http://googleinindia.blogspot.com"
   • "Default_Search_URL"="http://googleinindia.blogspot.com"
   • "Search Page"="http://googleinindia.blogspot.com"
   • "Start Page"="http://googleinindia.blogspot.com"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • "Shell"="Explorer.exe gphone.exe"

 Messenger It is spreading via Messenger. The characteristics are described below:

– Yahoo Messenger

 Miscellaneous  Checks for an internet connection by contacting the following web sites:
   • http://goto**********.googlepages.com/setting.ini
   • http://sciencean**********.googlepages.com/setting.ini
   • http://see**********cam.googlepages.com/setting.ini
   • http://age**********yoga.googlepages.com/setting.ini


Event handler:
It creates the following Event handlers:
   • GetPrivateProfileSectionW
   • GetPrivateProfileStringW
   • CreateProcessWithLogonW
   • RegisterWindowMessageW
   • GetProcessIoCounters
   • GetProcessMemoryInfo
   • InternetCrackUrlW
   • LockWindowUpdate
   • GetSystemMetrics
   • SendCapsLockMode
   • SendKeyDownDelay
   • ReleaseCapture
   • SENDKEEPACTIVE
   • keybd_event

説明の挿入者 Wensin Lee の 2013年6月10日月曜日
説明の更新者 Wensin Lee の 2013年6月10日月曜日

戻る . . . .
https:// このウィンドウは暗号化されています。