2-10-04 11:44 New virus: Backdoor.Win32.Surila.k
 
by GORAN RUŽIĆ
 
 
The new virus is both a trojan and a backdoor. The program is a Win PE EXE file packed with Obsidium, which protects it against code modification. It is written in Visual C++.
The packed file is 244 KB; unpacked, it is 413 KB.
When a computer is infected, Surila copies itself into the Windows system directory under the name "dx32cxlp.exe" and creates the following registry keys:
 
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] devsec = %System%\dx32cxlp.exe
[HKLM\SOFTWARE\Microsoft\Internet Explorer\mutexname]
 
The first key makes Surila run every time the computer is started; the second is used to check whether the system is already infected.

By writing itself into the Windows Firewall policy, Surila grants itself full access to the Internet.

It then installs a proxy server on a randomly chosen port for HTTP and SMTP traffic.

It attempts to contact the following IRC servers:
 
The virus modifies the hosts file in an attempt to block the online updates of antivirus programs:
 
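A defender-side check for the hosts-file tampering described above, added here as an example (it is not code from the article or from its source): it parses hosts-file text, flags every name other than localhost that is mapped to a loopback or null address, and marks names that fall under the antivirus vendor domains the article lists. The sample hosts content is constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample hosts-file text for this example (not captured from an
# infected machine): a normal localhost line plus the kind of entries Surila adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       www.kaspersky.com   # trailing comment
127.0.0.1       liveupdate.symantec.com
127.0.0.1       intranet.example
::1             localhost
"""

# Addresses that sinkhole a name, and names that legitimately resolve to them.
SINKHOLE_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}
EXPECTED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Vendor domains from the article's hosts list; a sinkholed name under one of
# these means update traffic for that product is being blocked.
AV_VENDOR_DOMAINS = ("symantec.com", "kaspersky.com", "kaspersky-labs.com",
                     "mcafee.com", "nai.com", "networkassociates.com",
                     "f-secure.com", "sophos.com", "ca.com", "my-etrust.com",
                     "trendmicro.com", "avp.com", "viruslist.com")

def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, address, [names]) for every non-comment hosts entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) >= 2:
            entries.append((line_no, fields[0], [f.lower() for f in fields[1:]]))
    return entries

def is_av_vendor(name: str) -> bool:
    """True if name equals or is a subdomain of a listed antivirus vendor domain."""
    return any(name == d or name.endswith("." + d) for d in AV_VENDOR_DOMAINS)

def find_sinkholed(text: str) -> Dict[str, Tuple[int, bool]]:
    """Map each suspiciously sinkholed name to (line number, is_av_vendor)."""
    findings = {}
    for line_no, addr, names in parse_hosts(text):
        if addr not in SINKHOLE_ADDRS:
            continue
        for name in names:
            if name not in EXPECTED_LOOPBACK_NAMES:
                findings[name] = (line_no, is_av_vendor(name))
    return findings
```

On a live Windows host the same function can be run over the contents of %SystemRoot%\System32\drivers\etc\hosts; any vendor-flagged hit is a strong sign that update blocking of this kind is in place.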
Source: http://www.viruslibrary.com/
 
 