McAfee INFO on new DATs for control of SDRA64.EXE (ZBOT, Spy-Agent.bw, BANKER…)

Many variants of SDRA64.EXE (ZBOT) reach us every day, which we keep controlling and removing with ELISTARA.EXE supported by ELINOTIF.DLL.

And today we receive a notice from McAfee indicating control of this family with DAT 5743, already available.

Although for our part we keep adding all the samples of this trojan to each day's ELISTARA, it does not hurt to know this new updated information from McAfee of today, 28/9:

McAfee reports:

Spy-Agent.bw.gen.e
Type: Trojan
SubType: Generic
Discovery Date: 04/29/2008
Length: Varies
Minimum DAT: 5284 (04/29/2008)
Updated DAT: 5743 (09/16/2009)
Minimum Engine: 5.3.00
Description Added: 04/29/2008
Description Modified: 09/28/2009 7:10 AM (PT)

Type: Type of threat.

SubType: Additional type information.

Discovery Date: Date that AVERT discovered this threat.

Length: File size, in bytes, of the threat.

Minimum DAT: McAfee DAT files contain detection and repair information for threats. The Minimum DAT field specifies the lowest/oldest DAT version that is capable of detecting the first incarnation of a threat, and the release date. The highest/newest DAT version should always be used for the most complete protection and is available on the Anti-Virus Updates page.
Each description displays the minimum, fully tested, DAT version that includes regular detection for a particular threat. These fully tested DATs are released on a daily basis. If necessary, they are also released when a Medium, Medium On Watch, or High risk threat is discovered. An EXTRA.DAT will also be posted for these more prevalent threats, if necessary.
For each description listed, detection is always available. In the event that the DAT version specified is not yet available, an EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page. Alternatively, minimally tested HOURLY BETA DAT files are available for downloading.

Updated DAT: McAfee DAT files are constantly being updated to enhance detection capabilities. The Updated DAT field specifies the released DAT version that contains the most up-to-date detection.

Minimum Engine: The scan engine uses the DAT files to detect threats. The Minimum Engine field specifies the lowest/oldest engine version that is capable of detecting this threat. The highest/newest engine version should always be used for the most complete protection and is available on the Anti-Virus Updates page.

Description Added: Date/time this description was published, in Pacific Time.

Description Modified: Date/time this description was last modified, in Pacific Time.

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Overview
— Update September 28, 2009 —
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.computerworld.com/s/article/9138527/IRS_scam_now_world_s_biggest_e_mail_virus_problem?source=rss_news

This detection is for a spy trojan which, upon running on the victim’s machine, may be used to upload stolen information to a pre-configured website.
The characteristics of this trojan with regard to file names, sites accessed, files downloaded, etc. can differ from one version to another, depending on the way in which the attacker configured it. Therefore, this is a general description.

Aliases
•Infostealer.Banker.C [Symantec]
•PWS:Win32/Zbot.gen!R [Microsoft]
•Trojan.Generic.2436384 [BitDefender]
•TSPY_ZBOT.SMC [TrendMicro]

Characteristics
When executed, some samples of this trojan drop the following files:
•%System%\sdra64.exe [Copy of Trojan]
•%System%\lowsec\local.ds [Data File]
•%System%\lowsec\user.ds [Data File]
•%System%\lowsec\user.ds.lll [Data File]
(note: %System% refers to the System folder. On a Windows XP machine, this should by default refer to the “C:\Windows\System32” folder.)

The trojan also modifies the following registry value to run at Windows startup:
•[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit = “%System%\userinit.exe,%System%\sdra64.exe,”

It injects malicious code into several processes and hooks several APIs to hide itself and monitor user activity.
It connects to a remote server to update itself and send gathered information such as banking transactions.
Attempts to connect to the domain:
•kievsk.com
At the time of writing the said domain is not available.

Symptoms
•Presence of files and registry entries mentioned
•Network activity with servers mentioned above

Method of Infection
Trojans are not viruses, and as such do not themselves contain any method to replicate. However, they may themselves be downloaded by other viruses and/or Trojans to be installed on the user’s system.
Many of these are mass spammed by the author to entice people into double-clicking on them.
Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Password Stealer onto the user’s system with no user interaction).

Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations

Variants
N/A
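A defender-side check for the indicators listed under Characteristics, added here as an example (it is not McAfee's or SATINFO's code): it parses the Winlogon Userinit value and reports every entry beyond the stock userinit.exe, and looks for the dropped files under %System%. The `exists` parameter, the `read_userinit` helper and the sample registry values are assumptions constructed so the check runs offline.

```python
"""Offline checks for the Spy-Agent.bw / Zbot (sdra64.exe) indicators
named in the McAfee description: the Userinit hijack and dropped files."""
import sys

# Stock Userinit value on Windows XP is just userinit.exe with a trailing
# comma; the infected value appends ",%System%\sdra64.exe,".
DEFAULT_USERINIT = r"%System%\userinit.exe"

# Files the description says some samples drop, relative to %System%.
DROPPED_FILES = (
    r"sdra64.exe",
    r"lowsec\local.ds",
    r"lowsec\user.ds",
    r"lowsec\user.ds.lll",
)


def userinit_entries(value: str) -> list:
    """Split the comma-separated Userinit value; drop blanks from the
    trailing comma and surrounding whitespace."""
    return [e.strip() for e in value.split(",") if e.strip()]


def suspicious_userinit(value: str, system_dir: str) -> list:
    """Return every Userinit entry that is not the stock userinit.exe.
    Comparison is case-insensitive because the registry may hold
    'C:\\WINDOWS\\system32' while we expand %System% differently."""
    expected = DEFAULT_USERINIT.replace("%System%", system_dir).lower()
    return [e for e in userinit_entries(value) if e.lower() != expected]


def present_indicators(system_dir: str, exists) -> list:
    """Return full paths of dropped files for which exists(path) is true.
    `exists` is injected (e.g. os.path.exists on a live host) so the
    logic can be exercised with constructed data; paths are joined with
    a backslash by hand so results are identical on non-Windows hosts."""
    base = system_dir.rstrip("\\")
    paths = [base + "\\" + f for f in DROPPED_FILES]
    return [p for p in paths if exists(p)]


def read_userinit() -> str:
    """Read the live Userinit value on Windows; returns '' elsewhere."""
    if sys.platform != "win32":
        return ""
    import winreg  # only importable on Windows
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    value, _ = winreg.QueryValueEx(key, "Userinit")
    return value
```

On a live host, pass `os.path.exists` to `present_indicators` and feed `read_userinit()` into `suspicious_userinit`; any non-empty result matches the Symptoms section and warrants a scan with the DAT version quoted above or newer.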


Source

 

The SDRA64.EXE family are currently the most prolific rootkits.

regards

ms, 28-9-2009

__________

NOTE: Those interested in information about a SATINFO Technical Assistance support contract and/or a licence for use/updates of its utilities, contact info@satinfo.es
__________

This blog is not responsible for the opinions and comments of the texts in which the Source is cited, offering their content only to facilitate access to the information therein.
