Avira Virus Search

TR/Agent.1007104.21

  • Name
    TR/Agent.1007104.21
  • Date discovered
    19 December 2015
  • Type
    Malware
  • Impact
     
  • Reported infections
     
  • Operating system
    Windows
  • VDF version
    7.12.38.94 (2015-12-19 09:01)

The prefix 'TR' denotes a Trojan horse: a program that can spy out data and violate your privacy, or carry out harmful modifications to the system.

  • VDF
    7.12.38.94 (2015-12-19 09:01)
  • Aliases
    G Data: Trojan.GenericKD.2934996
    Kaspersky Lab: Trojan.Win32.Agent.netmot
    Bitdefender: Trojan.GenericKD.2934996
  • Files
    Modifies the following files:
    • %APPDATA%\Mozilla\Firefox\Profiles\lhn8qbrc.default\prefs.js
    • %APPDATA%\Microsoft\Protect\CREDHIST
    • %APPDATA%\Microsoft\Protect\S-1-5-21-602162358-879983540-682003330-1003\Preferred
    • %temporary internet files%\Content.IE5\index.dat
    • %USERPROFILE%\Cookies\index.dat
    • %USERPROFILE%\Local Settings\History\History.IE5\index.dat
    Renames the following files:
    • %USERPROFILE%\Local Settings\Application Data\SystemDir\extension.exe
    • %USERPROFILE%\Local Settings\Application Data\SystemDir\startpm.exe
    • %TEMPDIR%\abyuonphoi
    • %USERPROFILE%\Local Settings\Application Data\SystemDir\autorun.exe
    Creates the following files:
    • %USERPROFILE%\Local Settings\Application Data\SystemDir\extension.exe
    • %TEMPDIR%\extension.exe:tmp
    • %TEMPDIR%\extension.exe:args
    • %APPDATA%\Microsoft\Protect\S-1-5-21-602162358-879983540-682003330-1003\2dc9ecf3-ae26-42bc-93d9-1f111e67bf6f
    • %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-602162358-879983540-682003330-1003\f0ee361c0f0df76e7e25cd9131680e17_43055624-2155-436a-a244-4fe4e5b10e24
    • %TEMPDIR%\snekregfme.crx
    • %TEMPDIR%\snekregfme.zip
    • %TEMPDIR%\snekregfme\manifest.json
    • %TEMPDIR%\snekregfme\js\background.js
    • %TEMPDIR%\snekregfme\js\content.js
    • %TEMPDIR%\snekregfme\img\favicon-128.png
    • %TEMPDIR%\snekregfme\img\favicon-16.png
    • %TEMPDIR%\snekregfme\img\favicon-19.png
    • %TEMPDIR%\snekregfme\img\favicon-38.png
    • %TEMPDIR%\snekregfme\img\favicon-48.png
    • %USERPROFILE%\Local Settings\Application Data\SystemDir\startpm.exe
    • %TEMPDIR%\startpm.exe:tmp
    • %TEMPDIR%\startpm.exe:args
    • %TEMPDIR%\abyuonphoi
    • %USERPROFILE%\Local Settings\Application Data\SystemDir\autorun.exe
    • %TEMPDIR%\autorun.exe:tmp
    • %TEMPDIR%\autorun.exe:args
    Creates copies of itself at the following locations:
    • %TEMPDIR%\extension.exe
    • %TEMPDIR%\startpm.exe
    • %TEMPDIR%\autorun.exe
    Deletes the following files:
    • %TEMPDIR%\extension.exe.tmp
    • %TEMPDIR%\extension.exe:args
    • %TEMPDIR%\snekregfme.zip
    • %TEMPDIR%\snekregfme\manifest.json
    • %TEMPDIR%\snekregfme\js\background.js
    • %TEMPDIR%\snekregfme\js\content.js
    • %TEMPDIR%\snekregfme\img\favicon-128.png
    • %TEMPDIR%\snekregfme\img\favicon-16.png
    • %TEMPDIR%\snekregfme\img\favicon-19.png
    • %TEMPDIR%\snekregfme\img\favicon-38.png
    • %TEMPDIR%\snekregfme\img\favicon-48.png
    • %TEMPDIR%\startpm.exe.tmp
    • %TEMPDIR%\startpm.exe:args
    • %APPDATA%\Mozilla\Firefox\Profiles\lhn8qbrc.default\prefs.js
    • %TEMPDIR%\autorun.exe.tmp
    • %TEMPDIR%\autorun.exe:args
    • %TEMPDIR%\snekregfme\img
    • %TEMPDIR%\snekregfme\js
    • %TEMPDIR%\snekregfme
  • Injection
    • %SYSDIR%\ipconfig.exe
    • %DISKDRIVE%\hips\loader.exe
  • Registry
    Adds the following registry keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\nethost ("LastOnlineEvent": hex(b):08,b7,75,56,00,00,00,00; "lastUpdated": hex(b):0a,b7,75,56,00,00,00,00; "specialValue": %hex values%; "specialValueChonos": hex(b):0a,b7,75,56,00,00,00,00)
    • HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings ("ProxyEnable": dword:00000000)
    • HKEY_LOCAL_MACHINE\SOFTWARE\nethost\extension ("lastExecuted": hex(b):4a,b7,75,56,00,00,00,00)
    Modifies the following registry keys:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce (nkeqiiqugl: -)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce (okqaywhfgk: -)
  • HTTP requests
    • g.*****vi.ru/1/WxYZBRdRVV1NG18aHhVCRREfDQkCVkJEVEhbREFaAh5YEEQABV0JTgYYDAkfHywFCgoCBBZKWAUfFEUADg4EEFRcIiddWzEsUyIqWkZYAwp9S3FfWQF2YSVbUlQqX1UHDQJWWkNbC354QgArLARwYVNZUF5eL0srUlVZKDIqDA4LNQRPBUAJFU1dQgQFH05ZVkAYAxRRWF0MS1ENXwoHF1pfUlcNCEUJVlZZDhFZX1oMQlQPXgs=
    • g.*****vi.ru/1/WxYZBRdRVV1NG18aHhVCRREfDQkCVkJEVEhbREFaAh5YEEQABV0JTgYYDAkfHywOBRIKTBBRHV9MGlRUWgMDECUtVVYuLUQuJVZeXktefwB4RQNbKHJyF1VeIlJKBhoOWVZbXUMqegkJMXZeLnIEFVdUViJUKkVZViQqLERaCX4NVV8aVwYaEUUODRJRWEFMFw8MV0RfAgtaFQleDAMARlYIV1dfCUBZVgBTXhVYWA0BFwRdTFRZUl5cQgseHk5aQh8bGE5cHUFUAQ1ZTFdRRgIZCBJRDRoYAQAEElUfT1lLB0AIDVYJTxcEARRKGAcLFhIeGB9RHUtcEkIKAg5QRQUNEQoY
    • drg.*****id.ru/version.txt
    • mosalfa.*****.get_bin_domain.pl
    • centavrainfo.*****.get_info.pl
    • wdzokowgmbuhbki.*****einvisible.ru/chrome_extension.exe
    • ijmelto.*****like.crx
    • wdzokowgmbuhbki.*****einvisible.ru/start_page.exe
    • g.*****is.ru/%f3%07%27%f6%46%d3%37%47%16%27%47%f5%07%16%76%56%62%67%56%27%37%96%f6%e6%d3%33%e2%13%83%62%76%57%96%46%d3%66%13%33%13%36%56%36%63%03%63%16%43%43%53%33%56%83%16%46%83%53%46%26%66%63%33%43%83%73%83%23%93%62%d6%96%46%d3%63%36%36%53%16%43%83%83%23%73%23%16%66%93%53%16%83%13%46%36%33%23%03%43%66%46%33%93%36%63%43%43%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33%23%62%16%36%47%96%f6%e6%d3%37%57%36%36%56%37%37%62%26%27%f6%77%37%56%27%d3%64%96%27%56%66%f6%87
    • g.*****is.ru/%f3%07%27%f6%46%d3%37%47%16%27%47%f5%07%16%76%56%62%67%56%27%37%96%f6%e6%d3%33%e2%13%83%62%76%57%96%46%d3%66%13%33%13%36%56%36%63%03%63%16%43%43%53%33%56%83%16%46%83%53%46%26%66%63%33%43%83%73%83%23%93%62%d6%96%46%d3%63%36%36%53%16%43%83%83%23%73%23%16%66%93%53%16%83%13%46%36%33%23%03%43%66%46%33%93%36%63%43%43%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33%23%62%16%36%47%96%f6%e6%d3%37%47%16%27%47%62%26%27%f6%77%37%56%27%d3%94%54
    • g.*****is.ru/%f3%07%27%f6%46%d3%37%47%16%27%47%f5%07%16%76%56%62%67%56%27%37%96%f6%e6%d3%33%e2%13%83%62%76%57%96%46%d3%66%13%33%13%36%56%36%63%03%63%16%43%43%53%33%56%83%16%46%83%53%46%26%66%63%33%43%83%73%83%23%93%62%d6%96%46%d3%63%36%36%53%16%43%83%83%23%73%23%16%66%93%53%16%83%13%46%36%33%23%03%43%66%46%33%93%36%63%43%43%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33%23%62%16%36%47%96%f6%e6%d3%37%47%16%27%47%62%26%27%f6%77%37%56%27%d3%64%96%27%56%66%f6%87
    • g.*****is.ru/%f3%07%27%f6%46%d3%37%47%16%27%47%f5%07%16%76%56%62%67%56%27%37%96%f6%e6%d3%33%e2%13%83%62%76%57%96%46%d3%66%13%33%13%36%56%36%63%03%63%16%43%43%53%33%56%83%16%46%83%53%46%26%66%63%33%43%83%73%83%23%93%62%d6%96%46%d3%63%36%36%53%16%43%83%83%23%73%23%16%66%93%53%16%83%13%46%36%33%23%03%43%66%46%33%93%36%63%43%43%62%f6%37%d3%53%e2%13%62%26%96%47%d3%33%23%62%16%36%47%96%f6%e6%d3%37%57%36%36%56%37%37%62%26%27%f6%77%37%56%27%d3%94%54
    • wdzokowgmbuhbki.*****einvisible.ru/autorun.exe
    • g.*****kho.ru/software_install?guid=$GUID&sig=$SIG&ovr=0
    • g.*****kho.ru/?prod=autorun&version=3.9&guid=b8d4f442d8a34e7a8ceaed8b10bef57e&mid=6cc5a488272af95a81dc3204fd39c644&os=5.1&bit=32&action=success
    • g.*****kho.ru/?prod=autorun&version=3.9&guid=b8d4f442d8a34e7a8ceaed8b10bef57e&mid=6cc5a488272af95a81dc3204fd39c644&os=5.1&bit=32&action=start
