New and dangerous BackDoor-DOQ.gen.y
A new and dangerous backdoor trojan is now controlled by McAfee's VirusScan. We report it because we consider it especially important: its hacker appears to be in China, since it communicates with URLs there:
______
Communication may also be present with the following domains:
* dns.win[removed].com.cn
* ver.win[removed].com.cn
* temp.cxx[removed].com.cn
______
Its characteristics, according to McAfee and in the original English, are:
BackDoor-DOQ.gen.y
Overview –
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics
— Update December 14, 2009 —
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.theregister.co.uk/2009/12/10/mass_web_attack/
—
This detection is for a BackDoor trojan that installs itself as a system service. The trojan also downloads additional malware from various websites.
Upon execution, multiple registry entries are added under the following keys:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[file name]
The [file name] in the second key above may be any of the following:
* 360deepscan.exe
* 360hotfix.exe
* 360rp.exe
* 360rpt.exe
* 360Safe.exe
* 360safebox.exe
* 360sd.exe
* 360tray.exe
* adam.exe
* AgentSvr.exe
* AntiArp.exe
* AppSvc32.exe
* arvmon.exe
* AutoGuarder.exe
* autoruns.exe
* avgrssvc.exe
* AvMonitor.exe
* avp.com
* avp.exe
* CCenter.exe
* ccSvcHst.exe
* DSMain.exe
* egui.exe
* ekrn.exe
* FileDsty.exe
* findt2005.exe
* FTCleanerShell.exe
* HijackThis.exe
* IceSword.exe
* iparmo.exe
* Iparmor.exe
* IsHelp.exe
* isPwdSvc.exe
* kabaload.exe
* KaScrScn.SCR
* KASMain.exe
* KASTask.exe
* KAV32.exe
* KAVDX.exe
* KAVPFW.exe
* KAVSetup.exe
* KAVStart.exe
* killhidepid.exe
* KISLnchr.exe
* kissvc.exe
* KMailMon.exe
* KMFilter.exe
* KPFW32.exe
* KPFW32X.exe
* KPFWSvc.exe
* KRepair.COM
* krnl360svc.exe
* KsLoader.exe
* kswebshield.exe
* KVCenter.kxp
* KvDetect.exe
* kvfw.exe
* KvfwMcl.exe
* KVMonXP.kxp
* KVMonXP_1.kxp
* kvol.exe
* kvolself.exe
* KvReport.kxp
* KVScan.kxp
* KVSrvXP.exe
* KVStub.kxp
* kvupload.exe
* kvwsc.exe
* KvXP.kxp
* KvXP_1.kxp
* KWatch.exe
* KWatch9x.exe
* KWatchX.exe
* LiveUpdate360.exe
* loaddll.exe
* MagicSet.exe
* mcconsol.exe
* mmqczj.exe
* mmsk.exe
* NAVSetup.exe
* nod32krn.exe
* nod32kui.exe
* PFW.exe
* PFWLiveUpdate.exe
* QHSET.exe
* Ras.exe
* Rav.exe
* RavCopy.exe
* RavMon.exe
* RavMonD.exe
* RavStore.exe
* RavStub.exe
* ravt08.exe
* RavTask.exe
* RegClean.exe
* RegEx.exe
* rfwcfg.exe
* RfwMain.exe
* rfwolusr.exe
* rfwProxy.exe
* rfwsrv.exe
* RsAgent.exe
* Rsaupd.exe
* RsMain.exe
* rsnetsvr.exe
* RSTray.exe
* runiep.exe
* safebank.exe
* safeboxTray.exe
* safelive.exe
* scan32.exe
* ScanFrm.exe
* shcfg32.exe
* smartassistant.exe
* SmartUp.exe
* SREng.exe
* SREngPS.exe
* SuperKiller.exe
* symlcsvc.exe
* syscheck.exe
* Syscheck2.exe
* SysSafe.exe
* ToolsUp.exe
* TrojanDetector.exe
* Trojanwall.exe
* TrojDie.kxp
* UIHost.exe
* UmxAgent.exe
* UmxAttachment.exe
* UmxCfg.exe
* UmxFwHlp.exe
* UmxPol.exe
* UpLive.exe
* WoptiClean.exe
* ZhuDongFangYu.exe
* zxsweep.exe
The following autostart registry entry is added:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "auto"
  Data: C:\Program Files\Common Files\auto.exe
The following files may also be downloaded and/or dropped onto the host:
* %DIR%\auto.exe
* %DIR%\AutoRun.inf
* %DIR%\Documents and Settings\[user]\Local Settings\Temp\~t11A.tmp
* %DIR%\Documents and Settings\[user]\Local Settings\Temp\~t219.tmp
* %DIR%\Documents and Settings\[user]\Local Settings\Temp\8458750.bat
* %DIR%\Documents and Settings\[user]\Local Settings\Temp\jxfqt.tmp
* %DIR%\Program Files\dnf.exe
* %DIR%\Program Files\Common Files\auto.exe
* %SYSDIR%\system32\imm32.dll.bak
* %SYSDIR%\system32\kb011164832.dll
* %SYSDIR%\system32\kb811164841.dll
* %SYSDIR%\system32\wmitpfs.dll
* %SYSDIR%\system32\wsconfig.db
* %SYSDIR%\system32\drivers\bmtpws31.dat
* %SYSDIR%\system32\drivers\Encionc_ch.dat
Communication may also be present with the following domains:
* dns.win[removed].com.cn
* ver.win[removed].com.cn
* temp.cxx[removed].com.cn
Symptoms –
* Presence of the aforementioned network connections
* Presence of the aforementioned file and registry entries
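The symptoms above are the registry entries and dropped files listed in the advisory. The following read-only host check is an added example (not McAfee's or SATINFO's code) that looks for them on a Windows system; it assumes %DIR% is C:\, that the Image File Execution Options entries carry a "Debugger" value (the usual IFEO redirection of the listed security tools; the advisory does not name the value), and it checks only a subset of the executable names, which can be extended with the full list.

```powershell
# Added example: host check for BackDoor-DOQ.gen.y artifacts described in the advisory.
# Read-only; run in an elevated PowerShell on the suspect host.
$IfeoBase  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$PolicyRun = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'

# Subset of the [file name] entries from the advisory (all are security/analysis tools).
$TargetedTools = @('360tray.exe','avp.exe','egui.exe','ekrn.exe','HijackThis.exe',
                   'IceSword.exe','KVMonXP.kxp','RavMonD.exe','ZhuDongFangYu.exe')

# Dropped-file paths from the advisory; assumption: %DIR% = C:\ and %SYSDIR% = %SystemRoot%.
# The randomly named Temp files are not checked here.
$DroppedFiles = @('C:\auto.exe','C:\AutoRun.inf','C:\Program Files\dnf.exe',
                  'C:\Program Files\Common Files\auto.exe',
                  "$env:SystemRoot\system32\imm32.dll.bak",
                  "$env:SystemRoot\system32\kb011164832.dll",
                  "$env:SystemRoot\system32\kb811164841.dll",
                  "$env:SystemRoot\system32\wmitpfs.dll",
                  "$env:SystemRoot\system32\wsconfig.db",
                  "$env:SystemRoot\system32\drivers\bmtpws31.dat",
                  "$env:SystemRoot\system32\drivers\Encionc_ch.dat")

$findings = @()

# 1. IFEO subkeys for security tools. A Debugger value there (assumption, see lead-in)
#    makes Windows launch the named debugger instead of the tool, silently disabling it.
foreach ($name in $TargetedTools) {
    $key = Join-Path $IfeoBase $name
    if (Test-Path -LiteralPath $key) {
        $dbg = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Debugger
        $msg = "IFEO key present for $name"
        if ($dbg) { $msg += " (Debugger = $dbg)" }
        $findings += $msg
    }
}

# 2. Policy-scoped Run value "auto" (the advisory's autostart entry for auto.exe).
if (Test-Path -LiteralPath $PolicyRun) {
    $auto = (Get-ItemProperty -LiteralPath $PolicyRun -ErrorAction SilentlyContinue).auto
    if ($auto) { $findings += "policies\Explorer\Run 'auto' = $auto" }
}

# 3. Dropped files.
foreach ($f in $DroppedFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}

if ($findings.Count -eq 0) { 'No BackDoor-DOQ.gen.y artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on any IFEO key alone is not proof of infection (vendors and debuggers also create them), so treat the Debugger value and the auto.exe entry as the discriminating findings and follow up with a scan using current engine and DAT files.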
Method of Infection –
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal –
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
_____
If anyone detects it, please send us samples of the files involved so that we can add them to the ones controlled by our utilities.
regards
ms, 15-12-2009
NOTE: Those interested in information about SATINFO Technical Assistance support contracts and/or use/update licences for its utilities should contact info@satinfo.es