ProxyServer.D
Pagina 1 di 1
ProxyServer.D
Admin Gio Dic 03, 2009 12:08 am
CARTA D'IDENTITA'
Tipo di minaccia: trojan
Colpisce i sistemi operativi: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
* Distribuzione geografica: Bassa
* Contenimento della minaccia: Facile
* Rimozione: Media
ProxyServer.D è un trojan che scarica file da alcuni siti web e usa tecniche di rootkit. Installa anche un driver nel computer infetto e crea un proxy server su una porta casuale. Cerca anche di scaricare un il software ICQ da alcuni siti web, cercando di misurare la velocità di connessione del computer infetto. Si diffonde attraverso cd-rom, e-mail, download da internet, via ftp, canali irc, software di file sharing.
COSA FA
ProxyServer.D fa le seguenti azioni, una volta eseguito:
* Scarica tre file dll accedendo a script php che hanno un hosting nel sito http://z.pro.ru.
Le dll scaricate sono: PFPLGNFO.DLL, PFPLGPRX.DLL and PFPLGSCN.DLL.
* Usa tecniche rootkit per nascondere i files scaricati.
* Installa un driver sul computer infetto.
* Crea un server proxy su una porta casuale.
* Tenta di scaricare il software icq da alcuni siti per misurare la velocità di connessione del computer infetto.
ProxyServer.D crea i seguenti files:
* PFPLGFLT.DLL, nella directory windows system:
* YCSVGC.SYS, nella cartella drivers di windows system.
ProxyServer.D crea le seguenti chiavi nel registro di sistema:
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER NextInstance = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 Class = LegacyDriver
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 ConfigFlags = 00, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 DeviceDesc = NdisFilter
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 Legacy = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 Service = NdisFilter
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER\ 0000\ Control *NewlyCreated* = 00, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER\ 0000\ Control ActiveService = NdisFilter
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter DisplayName = NdisFilter
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter ErrorControl = 00, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter Group = Base
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter ImagePath = %sysdir%\drivers\ndisfilter.sys
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter Start = 02, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter Type = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter\ Enum 0 = Root\LEGACY_NDISFILTER\0000
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter\ Enum Count = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter\ Enum NextInstance = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter\ Security
Security = 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER NextInstance = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 Class = LegacyDriver
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 ConfigFlags = 00, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 DeviceDesc = NdisFilter
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 Legacy = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 Service = NdisFilter
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER\ 0000\ Control *NewlyCreated* = 00, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER\ 0000\ Control ActiveService = NdisFilter
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter DisplayName = NdisFilter
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter ErrorControl = 00, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter Group = Base
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter ImagePath = %sysdir%\drivers\ndisfilter.sys
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter Start = 02, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter Type = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter\ Enum 0 = Root\LEGACY_NDISFILTER\0000
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter\ Enum Count = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter\ Enum NextInstance = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter\ Security Security = 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00
COME RIMUOVERLO
1. Disattivare il Ripristino configurazione di sistema.
2. Aggiornare il proprio antivirus.
3. Eseguire una scansione completa del sistema in modalità provvisoria.
Tipo di minaccia: trojan
Colpisce i sistemi operativi: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
* Distribuzione geografica: Bassa
* Contenimento della minaccia: Facile
* Rimozione: Media
ProxyServer.D è un trojan che scarica file da alcuni siti web e usa tecniche di rootkit. Installa anche un driver nel computer infetto e crea un proxy server su una porta casuale. Cerca anche di scaricare un il software ICQ da alcuni siti web, cercando di misurare la velocità di connessione del computer infetto. Si diffonde attraverso cd-rom, e-mail, download da internet, via ftp, canali irc, software di file sharing.
COSA FA
ProxyServer.D fa le seguenti azioni, una volta eseguito:
* Scarica tre file dll accedendo a script php che hanno un hosting nel sito http://z.pro.ru.
Le dll scaricate sono: PFPLGNFO.DLL, PFPLGPRX.DLL and PFPLGSCN.DLL.
* Usa tecniche rootkit per nascondere i files scaricati.
* Installa un driver sul computer infetto.
* Crea un server proxy su una porta casuale.
* Tenta di scaricare il software icq da alcuni siti per misurare la velocità di connessione del computer infetto.
ProxyServer.D crea i seguenti files:
* PFPLGFLT.DLL, nella directory windows system:
* YCSVGC.SYS, nella cartella drivers di windows system.
ProxyServer.D crea le seguenti chiavi nel registro di sistema:
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER NextInstance = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 Class = LegacyDriver
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 ConfigFlags = 00, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 DeviceDesc = NdisFilter
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 Legacy = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 Service = NdisFilter
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER\ 0000\ Control *NewlyCreated* = 00, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_NDISFILTER\ 0000\ Control ActiveService = NdisFilter
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter DisplayName = NdisFilter
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter ErrorControl = 00, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter Group = Base
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter ImagePath = %sysdir%\drivers\ndisfilter.sys
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter Start = 02, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter Type = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter\ Enum 0 = Root\LEGACY_NDISFILTER\0000
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter\ Enum Count = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter\ Enum NextInstance = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ NdisFilter\ Security
Security = 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER NextInstance = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 Class = LegacyDriver
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 ConfigFlags = 00, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 DeviceDesc = NdisFilter
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 Legacy = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER\ 0000 Service = NdisFilter
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER\ 0000\ Control *NewlyCreated* = 00, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root\ LEGACY_NDISFILTER\ 0000\ Control ActiveService = NdisFilter
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter DisplayName = NdisFilter
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter ErrorControl = 00, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter Group = Base
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter ImagePath = %sysdir%\drivers\ndisfilter.sys
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter Start = 02, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter Type = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter\ Enum 0 = Root\LEGACY_NDISFILTER\0000
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter\ Enum Count = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter\ Enum NextInstance = 01, 00, 00, 00
* HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ NdisFilter\ Security Security = 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00
COME RIMUOVERLO
1. Disattivare il Ripristino configurazione di sistema.
2. Aggiornare il proprio antivirus.
3. Eseguire una scansione completa del sistema in modalità provvisoria.
Admin- Admin
- Messaggi : 156
Data di iscrizione : 01.12.09 -
Pagina 1 di 1
Permessi in questa sezione del forum:
Non puoi rispondere agli argomenti in questo forum.