Avira Virus Search

TR/Crypt.EPACK.19654

  • Name
    TR/Crypt.EPACK.19654
  • Date discovered
    December 18, 2015
  • Type
    Malware
  • Impact
     
  • Reported infections
     
  • Operating system
    Windows
  • VDF version
    7.11.97.194 (2013-08-22 09:05)

The term 'TR' denotes a Trojan horse program, which can spy on data to violate your privacy or make harmful modifications to the system.

  • Aliases
    Avast: Win32:Malware-gen
    AVG: Crypt5.SDO
    Dr. Web: Trojan.Click3.12222
    Microsoft: Trojan:Win32/Necurs
    G Data: Gen:Variant.Kazy.780457
    Kaspersky Lab: Trojan-Dropper.Win32.Necurs.zoq
    Bitdefender: Gen:Variant.Kazy.780457
    ESET: Win32/Kryptik.EHTN trojan
  • Files
    The following files are modified:
    • %SYSDIR%\wbem\Logs\wbemcore.log
    • %WINDIR%\Prefetch\WMIPRVSE.EXE-28F301A9.pf
    • %temporary internet files%\Content.IE5\index.dat
    • %USERPROFILE%\Cookies\index.dat
    • %USERPROFILE%\Local Settings\History\History.IE5\index.dat
    • %WINDIR%\Prefetch\SVCHOST.EXE-3530F672.pf
    • %WINDIR%\Prefetch\CMD.EXE-087B4001.pf
    The following files are created:
    • %WINDIR%\Temp\2235718.bat
    • %WINDIR%\Temp\Perflib_Perfdata_71c.dat
  • Registry
    The following registry keys are added:
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\syshost32 ("Type": dword:00000010; "Start": dword:00000002; "ErrorControl": dword:00000000; "ImagePath": ""%WINDIR%\Installer\{B4D38090-B607-693E-E6DC-A5B5C6C09926}\syshost.exe" /service"; "ObjectName": "LocalSystem")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\syshost32\Security ("Security": %hex values%)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSHOST32 ("NextInstance": dword:00000001)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSHOST32\0000 ("Service": "syshost32"; "Legacy": dword:00000001; "ConfigFlags": dword:00000000; "Class": "LegacyDriver"; "ClassGUID": "{8ECC055D-047F-11D1-A537-0000F8753ED1}"; "DeviceDesc": "syshost32")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSHOST32\0000\Control ("*NewlyCreated*": dword:00000000; "ActiveService": "syshost32")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\syshost32\Enum ("0": "Root\LEGACY_SYSHOST32\0000"; "Count": dword:00000001; "NextInstance": dword:00000001)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent (@: dword:00000011)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg ("LogSessionName": "stdout"; "Active": dword:00000001; "ControlFlags": dword:00000001)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier ("Guid": "5f31090b-d990-4e91-b16d-46121d0255aa"; "BitNames": " Error Unusual Info Debug")
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy ("LogSessionName": "stdout"; "Active": dword:00000001; "ControlFlags": dword:00000001)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier ("Guid": "5f31090b-d990-4e91-b16d-46121d0255aa"; "BitNames": " Error Unusual Info Debug")
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil ("LogSessionName": "stdout"; "Active": dword:00000001; "ControlFlags": dword:00000001)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier ("Guid": "8aefce96-4618-42ff-a057-3536aa78233e"; "BitNames": " Error Unusual Info Debug")
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh ("LogSessionName": "stdout"; "Active": dword:00000001; "ControlFlags": dword:00000001)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr ("Guid": "710adbf0-ce88-40b4-a50d-231ada6593f0"; "BitNames": " NAP_TRACE_BASE NAP_TRACE_NETSH")
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent ("LogSessionName": "stdout"; "Active": dword:00000001; "ControlFlags": dword:00000001)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier ("Guid": "b0278a28-76f1-4e15-b1df-14b209a12613"; "BitNames": " Error Unusual Info Debug")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile ("EnableFirewall": dword:00000000; "DoNotAllowExceptions": dword:00000000)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch ("Epoch": dword:00000017)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile ("EnableFirewall": dword:00000000; "DoNotAllowExceptions": dword:00000000)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\21dade ("Type": dword:00000001; "Start": dword:00000001; "ErrorControl": dword:00000000; "ImagePath": "\??\%SYSDIR%\drivers\21dade.sys"; "DisplayName": "syshost.exe")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\21dade\Security ("Security": %hex values%)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_21DADE ("NextInstance": dword:00000001)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_21DADE\0000 ("Service": "21dade"; "Legacy": dword:00000001; "ConfigFlags": dword:00000000; "Class": "LegacyDriver"; "ClassGUID": "{8ECC055D-047F-11D1-A537-0000F8753ED1}"; "DeviceDesc": "syshost.exe")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_21DADE\0000\Control ("*NewlyCreated*": dword:00000000)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\21dade\Enum ("0": "Root\LEGACY_21DADE\0000"; "Count": dword:00000001; "NextInstance": dword:00000001)
    • HKEY_CURRENT_USER\Software\WinRAR ("HWID": %hex values%; "Client Hash": %hex values%)
    • HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EA ("F": %hex values%)
    • HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003E8 ("F": %hex values%)
    • HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5 ("F": %hex values%)
    • HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EC ("F": %hex values%)
    • HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4 ("F": %hex values%)
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A ("BaseClass": "Drive")
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C ("BaseClass": "Drive")
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D ("BaseClass": "Drive")
    The following registry keys are changed:
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap ("UNCAsIntranet": dword:00000001)
  • HTTP requests
    • 195.*****.28.194/forum/db.php
    • sso.*****.com/domain/195.22.28.194
    • 185.*****.187.223/forum/db.php
    • js.*****lany.com.ve/script
