New and dangerous BackDoor-DOQ.gen.y

A new and dangerous backdoor trojan is now detected by McAfee VirusScan. We report on it because we consider it especially important, as its hacker appears to be in China, since it communicates with URLs there:

______
Communication may also be present with the following domains:

* dns.win[removed].com.cn
* ver.win[removed].com.cn
* temp.cxx[removed].com.cn

______

Its characteristics according to McAfee, in the original English, are:

BackDoor-DOQ.gen.y

Overview –

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics –

— Update December 14, 2009 —
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.theregister.co.uk/2009/12/10/mass_web_attack/

This detection is for a BackDoor trojan that installs itself as a system service. This trojan also downloads additional malware programs from different websites.

Upon execution, multiple registry entries are added that appear like the below:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[file name]

The [file name] options above may include:

*  360deepscan.exe
*  360hotfix.exe
*  360rp.exe
*  360rpt.exe
*  360Safe.exe
*  360safebox.exe
*  360sd.exe
*  360tray.exe
*  adam.exe
*  AgentSvr.exe
*  AntiArp.exe
*  AppSvc32.exe
*  arvmon.exe
*  AutoGuarder.exe
*  autoruns.exe
*  avgrssvc.exe
*  AvMonitor.exe
*  avp.com
*  avp.exe
*  CCenter.exe
*  ccSvcHst.exe
*  DSMain.exe
*  egui.exe
*  ekrn.exe
*  FileDsty.exe
*  findt2005.exe
*  FTCleanerShell.exe
*  HijackThis.exe
*  IceSword.exe
*  iparmo.exe
*  Iparmor.exe
*  IsHelp.exe
*  isPwdSvc.exe
*  kabaload.exe
*  KaScrScn.SCR
*  KASMain.exe
*  KASTask.exe
*  KAV32.exe
*  KAVDX.exe
*  KAVPFW.exe
*  KAVSetup.exe
*  KAVStart.exe
*  killhidepid.exe
*  KISLnchr.exe
*  kissvc.exe
*  KMailMon.exe
*  KMFilter.exe
*  KPFW32.exe
*  KPFW32X.exe
*  KPFWSvc.exe
*  KRepair.COM
*  krnl360svc.exe
*  KsLoader.exe
*  kswebshield.exe
*  KVCenter.kxp
*  KvDetect.exe
*  kvfw.exe
*  KvfwMcl.exe
*  KVMonXP.kxp
*  KVMonXP_1.kxp
*  kvol.exe
*  kvolself.exe
*  KvReport.kxp
*  KVScan.kxp
*  KVSrvXP.exe
*  KVStub.kxp
*  kvupload.exe
*  kvwsc.exe
*  KvXP.kxp
*  KvXP_1.kxp
*  KWatch.exe
*  KWatch9x.exe
*  KWatchX.exe
*  LiveUpdate360.exe
*  loaddll.exe
*  MagicSet.exe
*  mcconsol.exe
*  mmqczj.exe
*  mmsk.exe
*  NAVSetup.exe
*  nod32krn.exe
*  nod32kui.exe
*  PFW.exe
*  PFWLiveUpdate.exe
*  QHSET.exe
*  Ras.exe
*  Rav.exe
*  RavCopy.exe
*  RavMon.exe
*  RavMonD.exe
*  RavStore.exe
*  RavStub.exe
*  ravt08.exe
*  RavTask.exe
*  RegClean.exe
*  RegEx.exe
*  rfwcfg.exe
*  RfwMain.exe
*  rfwolusr.exe
*  rfwProxy.exe
*  rfwsrv.exe
*  RsAgent.exe
*  Rsaupd.exe
*  RsMain.exe
*  rsnetsvr.exe
*  RSTray.exe
*  runiep.exe
*  safebank.exe
*  safeboxTray.exe
*  safelive.exe
*  scan32.exe
*  ScanFrm.exe
*  shcfg32.exe
*  smartassistant.exe
*  SmartUp.exe
*  SREng.exe
*  SREngPS.exe
*  SuperKiller.exe
*  symlcsvc.exe
*  syscheck.exe
*  Syscheck2.exe
*  SysSafe.exe
*  ToolsUp.exe
*  TrojanDetector.exe
*  Trojanwall.exe
*  TrojDie.kxp
*  UIHost.exe
*  UmxAgent.exe
*  UmxAttachment.exe
*  UmxCfg.exe
*  UmxFwHlp.exe
*  UmxPol.exe
*  UpLive.exe
*  WoptiClean.exe
*  ZhuDongFangYu.exe
*  zxsweep.exe

The following autostart registry entry is added:

*  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run “auto”
Data: C:\Program Files\Common Files\auto.exe

The following files may also be downloaded and/or dropped onto the host:

*  %DIR%\auto.exe
*  %DIR%\AutoRun.inf
*  %DIR%\Documents and Settings\[user]\Local Settings\Temp\~t11A.tmp
*  %DIR%\Documents and Settings\[user]\Local Settings\Temp\~t219.tmp
*  %DIR%\Documents and Settings\[user]\Local Settings\Temp\8458750.bat
*  %DIR%\Documents and Settings\[user]\Local Settings\Temp\jxfqt.tmp
*  %DIR%\Program Files\dnf.exe
*  %DIR%\Program Files\Common Files\auto.exe
*  %SYSDIR%\system32\imm32.dll.bak
*  %SYSDIR%\system32\kb011164832.dll
*  %SYSDIR%\system32\kb811164841.dll
*  %SYSDIR%\system32\wmitpfs.dll
*  %SYSDIR%\system32\wsconfig.db
*  %SYSDIR%\system32\drivers\bmtpws31.dat
*  %SYSDIR%\system32\drivers\Encionc_ch.dat

Communication may also be present with the following domains:

* dns.win[removed].com.cn
* ver.win[removed].com.cn
* temp.cxx[removed].com.cn

Symptoms –

* Presence of the aforementioned network connections
* Presence of the aforementioned file and registry entries

Method of Infection –

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal –

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

_____
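The registry indicators in the description above (Image File Execution Options subkeys named after security products, and the policies\Explorer\Run "auto" value pointing at auto.exe) can be checked offline against a `reg export` of a suspect machine. The following is an added example, not part of the original post or of McAfee's material; the .reg sample is constructed, the process-name subset is taken from the list above, and reporting any Debugger value found under a matching IFEO subkey is an assumption of the example (the description names the keys, not their values).

```python
import re

# Subset of the process names the description lists under IFEO (lowercase).
IFEO_TARGETS = {
    "360tray.exe", "360safe.exe", "avp.exe", "ekrn.exe", "egui.exe",
    "hijackthis.exe", "icesword.exe", "kavstart.exe", "ravmon.exe",
    "zhudongfangyu.exe",
}
IFEO_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows nt\\"
               "currentversion\\image file execution options\\")
POLICIES_RUN = ("hkey_local_machine\\software\\microsoft\\windows\\"
                "currentversion\\policies\\explorer\\run")

# Constructed sample of a .reg export (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"UseFilter"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"auto"="C:\\Program Files\\Common Files\\auto.exe"
'''


def parse_reg(text):
    """Return {key: {value_name: data}} from a .reg export.

    Only single-line string and dword values are handled; hex(...) values
    continued over several lines are ignored, which is enough for this check.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]*)"=(.*)', line)
            if m:
                name, data = m.group(1), m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    # .reg strings escape backslashes as "\\"; undo that.
                    data = data[1:-1].replace("\\\\", "\\")
                keys[current][name] = data
    return keys


def find_indicators(keys):
    """Flag IFEO subkeys for listed security products and the Run 'auto' value."""
    findings = []
    for key, values in keys.items():
        lower = key.lower()
        if lower.startswith(IFEO_PREFIX):
            target = lower[len(IFEO_PREFIX):]
            if target in IFEO_TARGETS:
                findings.append(("ifeo_entry", target, values.get("Debugger", "")))
        elif lower == POLICIES_RUN:
            for name, data in values.items():
                if name.lower() == "auto" or data.lower().endswith("\\auto.exe"):
                    findings.append(("policies_run_autostart", name, data))
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg(SAMPLE_REG)):
        print(*finding)
```

On a live system the same functions apply to the output of `reg export HKLM\SOFTWARE out.reg`; a hit on a listed name under IFEO is suspicious on its own, since those products do not register debuggers for themselves.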

If anyone detects it, please send us samples of the files involved so that we can add detection for them to our utilities.

regards

ms, 15-12-2009

__________

NOTE: Those interested in information about a SATINFO Technical Assistance support contract and/or a licence for the use/updates of its utilities, contact info@satinfo.es
__________
