31.08.2012, 20:05
I have an interesting piece of information about the FakeAV "Win 8 Security System": the beast carries a rootkit and loads it, a very interesting move.
Execution log, with the rootkit marked in red:
[code]
Automated Deployment Services (ADS) change: machine\software\microsoft\tracing\826722157075258d_rasapi32\consoletracingmask = ffff0000
Automated Deployment Services (ADS) change: machine\software\microsoft\tracing\826722157075258d_rasapi32\filedirectory = 2500770069006e0064006900720025005c00740072006100630069006e0067000000
Automated Deployment Services (ADS) change: machine\software\microsoft\tracing\826722157075258d_rasapi32\filetracingmask = ffff0000
Automated Deployment Services (ADS) change: machine\software\microsoft\tracing\826722157075258d_rasapi32\maxfilesize = 00100000
Automated Deployment Services (ADS) change: machine\software\microsoft\tracing\826722157075258d_rasmancs\consoletracingmask = ffff0000
Automated Deployment Services (ADS) change: machine\software\microsoft\tracing\826722157075258d_rasmancs\filedirectory = 2500770069006e0064006900720025005c00740072006100630069006e0067000000
Automated Deployment Services (ADS) change: machine\software\microsoft\tracing\826722157075258d_rasmancs\filetracingmask = ffff0000
Automated Deployment Services (ADS) change: machine\software\microsoft\tracing\826722157075258d_rasmancs\maxfilesize = 00100000
Checked for debuggers
Checked if user is admin
Code injection in process: c:\xx\tachion\defaultbox\user\current\appdata\local\826722157075258d.exe
Code injection in process: c:\windows\system32\cmd.exe
Created a mutex named: 5db47c90089f0685
Created a mutex named: Local\!PrivacIE!SharedMemory!Mutex
Created a mutex named: Local\IESQMMUTEX_0_274
Created a mutex named: MSIMGSIZECacheMutex
Created a service named: 826722157075258d.exe
Created process: (null),C:\Users\tachion\AppData\Local\826722157075258d.exe,(null)
Created process: (null),cmd.exe /C del /Q /F "C:\Users\tachion\AppData\Local\Temp\99c60103.tmp",(null)
Defined file type created in Windows folder: C:\Windows\system32\drivers\14b1847.sys
Defined file type created: C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\83PVY8DV\13[1] .html
Defined file type created: C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\83PVY8DV\14[1] .html
Defined file type created: C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC6EU9PM\alert_reg[1] .html
Defined file type created: C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC6EU9PM\index[1] .html
Defined file type created: C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC6EU9PM\scripts[1] .js
Defined file type created: C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UWGMIL5P\alert_danger[1] .html
Defined file type created: C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UWGMIL5P\serial[1] .html
Defined file type created: C:\Users\tachion\Desktop\malware\Fake\flash.exe
Defined registry AutoStart location created or modified: machine\System\CurrentControlSet\Services\14b1847\DisplayName = 826722157075258d.exe
Defined registry AutoStart location created or modified: machine\System\CurrentControlSet\Services\14b1847\ImagePath = C:\Windows\system32\drivers\ 14b1847.sys
Defined registry AutoStart location created or modified: machine\System\CurrentControlSet\Services\14b1847\Start = 00000001
Defined registry AutoStart location created or modified: machine\System\CurrentControlSet\Services\14b1847\Type = 00000001
Defined registry AutoStart location created or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\826722157075258d.exe = C:\Users\tachion\AppData\Local\826722157075258d.exe
Got user name information
Got volume information
Hide file from user: C:\Users\tachion\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
Hide file from user: C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
IE settings change: user\current\software\microsoft\windows\currentversion\internet settings\zonemap\ranges\range1\* = 00000001
IE settings change: user\current\software\microsoft\windows\currentversion\internet settings\zonemap\ranges\range1\:range = 127.0.0.1
Internet connection: C:\x\tachion\xx\user\current\AppData\Local\826722157075258d.exe Connects to "31.184.244.59" on port 80 (TCP - HTTP).
Listed all entry names in a remote access phone book
Loaded a system driver named: próba ładowania systemowego sterownika 14b1847
Opened a service named: FontCache
Opened a service named: RASMAN
Opened a service named: Sens
Query DNS
Started a service
[/code]