Type: Worm
Source: Symantec
System: Windows
Behaviour:
When run, it checks the status of the following services:
* AppMgmt (appmgmts.dll)
* BITS (qmgr.dll)
* Browser (browser.dll)
* CryptSvc (cryptsvc.dll)
* EventSystem (es.dll)
* FastUserSwitchingCompatibility (shsvcs.dll)
* helpsvc (pchsvc.dll)
* Netman (netman.dll)
* Nla (mswsock.dll)
* Ntmssvc (ntmssvc.dll)
* RemoteRegistry (regsvc.dll)
* Schedule (schedsvc.dll)
* SSDPSRV (ssdpsrv.dll)
* Tapisrv (tapisrv.dll)
* upnphost (upnphost.dll)
* WmdmPmSN (mspmsnsv.dll)
* xmlprov (xmlprov.dll)
When it finds a service that is not running, it replaces that service's DLL with a copy of itself and restarts the service.
It creates the following file and hides Hacktool.Rootkit inside it:
%Windir%\[RANDOM CHARACTERS].sys
It adds the following registry keys:
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"ImagePath" = "%SystemRoot%\[RANDOM CHARACTERS].sys"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"Start" = "3"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"Type" = "1"
It modifies registry entries to disable antivirus protection:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[CHINESE CHARACTERS].exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360se.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SoftMgrSvc.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360speedld.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwServ.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avfwsvc.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avshadow.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwengine.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilMsg.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksmgui.e\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksmsvc.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kswebshield.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcagent.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McNASvc.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcods.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qutmserv.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfCtlCom.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spideragent.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SpIDerMl.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spidernt.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderui.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TmProxy.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Twister.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UfSeAgnt.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe\"Debugger" = "ntsd -d"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe\"Debugger" = "ntsd -d"
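The entries above all use the same trick: an Image File Execution Options "Debugger" value of "ntsd -d", so every launch of the named security product is redirected to the debugger and the product never starts. As an added defender-side example (not part of the original post or of Symantec's write-up), the script below parses a `reg export` of the IFEO key and flags that pattern, separating it from ordinary debugger registrations; the sample export is constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a `reg export` of the IFEO key (not captured from a real host).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
"DisableExceptionChainValidation"=dword:00000000
"""

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" + "\\"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: value}} from .reg export text (string values unescaped)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            if raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1].replace("\\\\", "\\")  # undo .reg backslash escaping
            keys[current][name.strip('"')] = raw
    return keys


def audit_ifeo(text: str) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split IFEO Debugger entries into (worm-style 'ntsd -d' hijacks, other debugger registrations)."""
    hijacks, others = [], []
    for path, values in parse_reg_export(text).items():
        if not path.startswith(IFEO_PREFIX) or "Debugger" not in values:
            continue
        image, debugger = path[len(IFEO_PREFIX):], values["Debugger"]
        # "ntsd -d" is the value this worm writes; any other Debugger value still deserves review.
        (hijacks if debugger.strip().lower().startswith("ntsd -d") else others).append((image, debugger))
    return hijacks, others
```

Run `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` on the host and feed the file's text to `audit_ifeo`; every image in the first list should be restored by deleting its Debugger value after the malware itself has been removed.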
It modifies Safe Mode under:
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
It also modifies the following entries:
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\"Start" = "3"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SW\{eec12db6-ad9c-4168-8658-b03daef417fe}\{ABD61E00-9350-47e2-A632-4438B90C6641}\"Service" = "drmkaud"
It alters network traffic via the file:
%Windir%\drivers\etc\hosts.txt
It infects files in the following folders:
* Common Files
* ComPlus Applications
* Documents and Settings
* InstallShield Installation Information
* Internet Explorer
* Messenger
* Microsoft FrontPage
* Movie Maker
* MSN Gaming Zone
* NetMeeting
* Outlook Express
* RECYCLER
* System Volume Information
* WINDOWS
* Windows Media Player
* Windows NT
* WinNT
The virus also attempts to infect executable files that are accessed on the compromised computer by appending its code to the body of the executable.
It can infect the following file types:
* htm
* html
* asp
* aspx
On removable drives it installs itself as:
%DriveLetter%\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\uninstall.exe
The folder it creates may take on the Windows Recycle Bin icon.
On removable drives it launches from the file:
%DriveLetter%\autorun.inf
It also attempts to infect executable files stored in RAR archives on shared network drives.
To remove the malware, we recommend describing your problem in the Security (Bezpieczeństwo) section of this forum.