09.09.2012, 18:22
morphiusz wrote: New rootkit0access
Not a rootkit, but definitely Sirefef # ZeroAccess Recycler
Code:
[ General information ]
* File name: c:\users\tachion\desktop\za2012-09-09\isvsys32.exe
[ Changes to filesystem ]
* Creates hidden folder C:\$Recycle.Bin\S-1-5-21-3472963589-1445494785-4036928140-1000\$a07b3b8a720fb22d85569404c0ece7f5
* Creates file (hidden) C:\$Recycle.Bin\S-1-5-21-3472963589-1445494785-4036928140-1000\$a07b3b8a720fb22d85569404c0ece7f5\@
* Creates file (hidden) C:\$Recycle.Bin\S-1-5-21-3472963589-1445494785-4036928140-1000\$a07b3b8a720fb22d85569404c0ece7f5\n
[ Changes to registry ]
* Creates value "ThreadingModel=Both" in key HKEY_CURRENT_USER\software\classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32
* Creates value "(Default)=C:\$Recycle.Bin\S-1-5-21-3472963589-1445494785-4036928140-1000\$a07b3b8a720fb22d85569404c0ece7f5\n." in key HKEY_CURRENT_USER\software\classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32
[ Network services ]
* Queries DNS promos.fling.com
* C:\Users\tachion\Desktop\ZA2012-09-09\isvsys32.exe Connects to "208.91.207.10" on port 80 (TCP - HTTP).
* C:\Users\tachion\Desktop\ZA2012-09-09\isvsys32.exe Connects to "213.108.252.185" on port 80 (TCP - HTTP).
[ Process/window/string information ]
* Enables privilege SeDebugPrivilege.
* Creates process "C:\Windows\system32\cmd.exe,(null),(null)".
* Injects code into process "c:\windows\system32\cmd.exe".