Avira Virus Search

TR/Agent.1007104.21

  • Name
    TR/Agent.1007104.21
  • Discovery date
    December 19, 2015
  • Type
    Malware
  • Impact
     
  • Reported infections
     
  • Operating system
    Windows
  • VDF version
    7.12.38.94 (2015-12-19 09:01)

The term "TR" denotes a Trojan horse: a program that can spy on data, violate your privacy, or make unwanted modifications to the system.

  • VDF
    7.12.38.94 (2015-12-19 09:01)
  • Aliases
    G Data: Trojan.GenericKD.2934996
    Kaspersky Lab: Trojan.Win32.Agent.netmot
    Bitdefender: Trojan.GenericKD.2934996
  • Files
    Modifies the following files:
    • %APPDATA%\Mozilla\Firefox\Profiles\lhn8qbrc.default\prefs.js
    • %APPDATA%\Microsoft\Protect\CREDHIST
    • %APPDATA%\Microsoft\Protect\S-1-5-21-602162358-879983540-682003330-1003\Preferred
    • %temporary internet files%\Content.IE5\index.dat
    • %USERPROFILE%\Cookies\index.dat
    • %USERPROFILE%\Local Settings\History\History.IE5\index.dat
    Renames the following files:
    • %USERPROFILE%\Local Settings\Application Data\SystemDir\extension.exe
    • %USERPROFILE%\Local Settings\Application Data\SystemDir\startpm.exe
    • %TEMPDIR%\abyuonphoi
    • %USERPROFILE%\Local Settings\Application Data\SystemDir\autorun.exe
    Creates the following files:
    • %USERPROFILE%\Local Settings\Application Data\SystemDir\extension.exe
    • %TEMPDIR%\extension.exe:tmp
    • %TEMPDIR%\extension.exe:args
    • %APPDATA%\Microsoft\Protect\S-1-5-21-602162358-879983540-682003330-1003\2dc9ecf3-ae26-42bc-93d9-1f111e67bf6f
    • %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-602162358-879983540-682003330-1003\f0ee361c0f0df76e7e25cd9131680e17_43055624-2155-436a-a244-4fe4e5b10e24
    • %TEMPDIR%\snekregfme.crx
    • %TEMPDIR%\snekregfme.zip
    • %TEMPDIR%\snekregfme\manifest.json
    • %TEMPDIR%\snekregfme\js\background.js
    • %TEMPDIR%\snekregfme\js\content.js
    • %TEMPDIR%\snekregfme\img\favicon-128.png
    • %TEMPDIR%\snekregfme\img\favicon-16.png
    • %TEMPDIR%\snekregfme\img\favicon-19.png
    • %TEMPDIR%\snekregfme\img\favicon-38.png
    • %TEMPDIR%\snekregfme\img\favicon-48.png
    • %USERPROFILE%\Local Settings\Application Data\SystemDir\startpm.exe
    • %TEMPDIR%\startpm.exe:tmp
    • %TEMPDIR%\startpm.exe:args
    • %TEMPDIR%\abyuonphoi
    • %USERPROFILE%\Local Settings\Application Data\SystemDir\autorun.exe
    • %TEMPDIR%\autorun.exe:tmp
    • %TEMPDIR%\autorun.exe:args
    Creates the following copies of itself:
    • %TEMPDIR%\extension.exe
    • %TEMPDIR%\startpm.exe
    • %TEMPDIR%\autorun.exe
    Deletes the following files:
    • %TEMPDIR%\extension.exe.tmp
    • %TEMPDIR%\extension.exe:args
    • %TEMPDIR%\snekregfme.zip
    • %TEMPDIR%\snekregfme\manifest.json
    • %TEMPDIR%\snekregfme\js\background.js
    • %TEMPDIR%\snekregfme\js\content.js
    • %TEMPDIR%\snekregfme\img\favicon-128.png
    • %TEMPDIR%\snekregfme\img\favicon-16.png
    • %TEMPDIR%\snekregfme\img\favicon-19.png
    • %TEMPDIR%\snekregfme\img\favicon-38.png
    • %TEMPDIR%\snekregfme\img\favicon-48.png
    • %TEMPDIR%\startpm.exe.tmp
    • %TEMPDIR%\startpm.exe:args
    • %APPDATA%\Mozilla\Firefox\Profiles\lhn8qbrc.default\prefs.js
    • %TEMPDIR%\autorun.exe.tmp
    • %TEMPDIR%\autorun.exe:args
    • %TEMPDIR%\snekregfme\img
    • %TEMPDIR%\snekregfme\js
    • %TEMPDIR%\snekregfme
  • Injects into the following processes
    • %SYSDIR%\ipconfig.exe
    • %DISKDRIVE%\hips\loader.exe
  • Registry
    Adds the following registry keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\nethost ("LastOnlineEvent": hex(b):08,b7,75,56,00,00,00,00; "lastUpdated": hex(b):0a,b7,75,56,00,00,00,00; "specialValue": %hex values%; "specialValueChonos": hex(b):0a,b7,75,56,00,00,00,00)
    • HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings ("ProxyEnable": dword:00000000)
    • HKEY_LOCAL_MACHINE\SOFTWARE\nethost\extension ("lastExecuted": hex(b):4a,b7,75,56,00,00,00,00)
    Modifies the following registry keys:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce (nkeqiiqugl: -)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce (okqaywhfgk: -)
  • HTTP requests
