21.08.2013, 21:44
RogueKiller probably needs 2 passes to remove it, if I'm not mistaken
Code:
Connected to WWW
Created files with Extended Attributes
Created process: C:\Windows\system32\cmd.exe, null, null
Defined file type created: C:\Users\tachion\AppData\Local\Google\Desktop\Install\{8fffa1fc-539f-54d3-3e4f-1ff4da91a07c}\Fixed_Directory_Name\Fixed_Directory_Name\Fixed_Directory_Name\{8fffa1fc-539f-54d3-3e4f-1ff4da91a07c}\GoogleUpdate.exe
Defined registry AutoStart location created or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\G = "C:\Users\tachion\AppData\Local\Google\Desktop\Install\{8fffa1fc-539f-54d3-3e4f-1ff4da91a07c}\dx\" h\.[\{8fffa1fc-539f-54d3-3e4f-1ff4da91a07c}\GoogleUpdate.exe" >
File copied itself
Hid file from user: C:\Users\tachion\AppData\Local\Google\Desktop\Install\{8fffa1fc-539f-54d3-3e4f-1ff4da91a07c}\Fixed_Directory_Name\Fixed_Directory_Name\Fixed_Directory_Name\{8fffa1fc-539f-54d3-3e4f-1ff4da91a07c}\@
Hid file from user: C:\Users\tachion\AppData\Local\Google\Desktop\Install\{8fffa1fc-539f-54d3-3e4f-1ff4da91a07c}\Fixed_Directory_Name\Fixed_Directory_Name\Fixed_Directory_Name\{8fffa1fc-539f-54d3-3e4f-1ff4da91a07c}\GoogleUpdate.exe
Internet connection: C:\Users\tachion\Desktop\Sirefef RLO\36a4c6a5b898de01842b005f0159b6d4.exe Connects to "108.168.255.244" on port 80 (TCP - HTTP)
Malicious category given by Adobe Malware Classifier
Queried DNS: j.maxmind.com
Traces of Max++
[ General information ]
* File name: C:\Users\tachion\Desktop\Sirefef RLO\36a4c6a5b898de01842b005f0159b6d4.exe
* File length: 152576 bytes
* File signature (PEiD): Borland Delphi 3.0 (???) *
* File signature (Exeinfo): Microsoft Visual C++ ver. ~6.0~7.10
* File type: EXE
* TLS hooks: NO
* File entropy: 7.65836 (95.7295%)
* ssdeep signature: 3072:W4EK9ruI/zSK6jhSksNaWLMDo6KrhsZYHDxoQcxaYemRSlT05tV:jEKQvpWLNVHmxaYem8Q5/
* Adobe Malware Classifier: Malicious
* Digital signature: Unsigned
* MD5 hash: 36a4c6a5b898de01842b005f0159b6d4
[ Changes to filesystem ]
* Creates file (hidden) C:\Users\tachion\AppData\Local\Google\Desktop\Install\{8fffa1fc-539f-54d3-3e4f-1ff4da91a07c}\Fixed_Directory_Name\Fixed_Directory_Name\Fixed_Directory_Name\{8fffa1fc-539f-54d3-3e4f-1ff4da91a07c}\@
File length: 2048 bytes
File type: Unknown
MD5 hash: 5d9b419533ab1563bc8ade3db620ab04
* Creates file (hidden) C:\Users\tachion\AppData\Local\Google\Desktop\Install\{8fffa1fc-539f-54d3-3e4f-1ff4da91a07c}\Fixed_Directory_Name\Fixed_Directory_Name\Fixed_Directory_Name\{8fffa1fc-539f-54d3-3e4f-1ff4da91a07c}\GoogleUpdate.exe
File length: 152576 bytes
File signature (PEiD): Borland Delphi 3.0 (???) *
File type: EXE
TLS hooks: NO
File entropy: 7.65836 (95.7295%)
ssdeep signature: 3072:W4EK9ruI/zSK6jhSksNaWLMDo6KrhsZYHDxoQcxaYemRSlT05tV:jEKQvpWLNVHmxaYem8Q5/
Adobe Malware Classifier: Malicious
Digital signature: Unsigned
MD5 hash: 36a4c6a5b898de01842b005f0159b6d4
[ Changes to registry ]
* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{01cd38c5-acde-11e2-b67a-806e6f6e6963}
old value empty
* Creates value "G="C:\Users\tachion\AppData\Local\Google\Desktop\Install\{8fffa1fc-539f-54d3-3e4f-1ff4da91a07c}\dx\" h\.[\{8fffa1fc-539f-54d3-3e4f-1ff4da91a07c}\GoogleUpdate.exe" >" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
binary data
[ Network services ]
* Queries DNS "j.maxmind.com".
* C:\Users\tachion\Desktop\Sirefef RLO\36a4c6a5b898de01842b005f0159b6d4.exe Connects to "108.168.255.244" on port 80 (TCP - HTTP).
* Downloads file from "j.maxmind.com/app/geoip.js".
[ Process/window/string information ]
* Creates files with Extended Attributes.
* Enables privilege SeRestorePrivilege.
* Enables privilege SeDebugPrivilege.
* Creates process "C:\Windows\system32\cmd.exe, null, null".
* Injects code into process "C:\Windows\System32\cmd.exe".
* Enables process privileges.
* Sleeps 4 seconds.
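The report above is a raw behaviour trace; what a responder actually does with it is pull out the indicators and decide which traits matter. The script below is an added example, not part of the original post and not code from the sandbox tool that produced the log. It parses this report format (the `[ Section ]` headers and `* ` bullet lines) into a set of indicators and then flags the triage-relevant traits: near-maximal entropy (packed or encrypted payload), an unsigned binary, an autorun in HKCU\...\Run pointing into the user profile, hidden drops, the Recycle Bin `NukeOnDelete` tweak, and SeDebugPrivilege paired with code injection. `SAMPLE_REPORT` is a trimmed, constructed copy of the shape of the log above; the 7.2 bits/byte entropy threshold and the check for U+202E are assumptions added for illustration (the folder name "Sirefef RLO" points at the right-to-left override trick, but the override character itself does not survive in the pasted log, so the check will not fire on this sample).

```python
import re

# Constructed sample: a trimmed copy of the report shape posted above (same
# sections, same line forms), embedded so the script runs offline.
SAMPLE_REPORT = r"""
[ General information ]
* File name: C:\Users\tachion\Desktop\Sirefef RLO\36a4c6a5b898de01842b005f0159b6d4.exe
* File length: 152576 bytes
* File entropy: 7.65836 (95.7295%)
* Digital signature: Unsigned
* MD5 hash: 36a4c6a5b898de01842b005f0159b6d4
[ Changes to filesystem ]
* Creates file (hidden) C:\Users\tachion\AppData\Local\Google\Desktop\Install\{8fffa1fc-539f-54d3-3e4f-1ff4da91a07c}\GoogleUpdate.exe
File length: 152576 bytes
MD5 hash: 36a4c6a5b898de01842b005f0159b6d4
[ Changes to registry ]
* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "G="C:\Users\tachion\AppData\Local\Google\Desktop\Install\GoogleUpdate.exe"" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
[ Network services ]
* Queries DNS "j.maxmind.com".
* C:\Users\tachion\Desktop\sample.exe Connects to "108.168.255.244" on port 80 (TCP - HTTP).
[ Process/window/string information ]
* Enables privilege SeRestorePrivilege.
* Enables privilege SeDebugPrivilege.
* Injects code into process "C:\Windows\System32\cmd.exe".
"""

SECTION_RE = re.compile(r"^\[ (.+?) \]$")
ENTROPY_RE = re.compile(r"^File entropy: ([0-9.]+)")
SIG_RE = re.compile(r"^Digital signature: (\w+)")
MD5_RE = re.compile(r"^MD5 hash: ([0-9a-fA-F]{32})")
HIDDEN_RE = re.compile(r"^Creates file \(hidden\) (.+)$")
REGVAL_RE = re.compile(r'^(?:Creates|Modifies) value "(.+)" in key (\S+)$')
DNS_RE = re.compile(r'^Queries DNS "([^"]+)"')
CONN_RE = re.compile(r'Connects to "([0-9.]+)" on port (\d+)')
PRIV_RE = re.compile(r"^Enables privilege (Se\w+)")
INJECT_RE = re.compile(r'^Injects code into process "([^"]+)"')
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)

PACKED_ENTROPY = 7.2  # assumed threshold (bits/byte); plain compiled code rarely exceeds it


def parse_report(text):
    """Turn the report's bullet lines into a dict of indicators."""
    iocs = {"md5": set(), "hidden_files": [], "autoruns": [], "registry": [],
            "dns": [], "connections": [], "privileges": [], "injections": [],
            "entropy": None, "signed": None}
    for raw in text.splitlines():
        line = raw.strip().lstrip("*").strip()
        if not line or SECTION_RE.match(line):
            continue
        if (m := ENTROPY_RE.match(line)) and iocs["entropy"] is None:
            iocs["entropy"] = float(m.group(1))  # first value describes the dropper itself
        elif m := SIG_RE.match(line):
            iocs["signed"] = m.group(1).lower() != "unsigned"
        elif m := MD5_RE.match(line):
            iocs["md5"].add(m.group(1).lower())
        elif m := HIDDEN_RE.match(line):
            iocs["hidden_files"].append(m.group(1))
        elif m := REGVAL_RE.match(line):
            value, key = m.groups()
            name, _, data = value.partition("=")
            entry = (key, name, data.strip('"'))
            bucket = iocs["autoruns"] if AUTORUN_KEY_RE.search(key) else iocs["registry"]
            bucket.append(entry)
        elif m := DNS_RE.match(line):
            iocs["dns"].append(m.group(1))
        elif m := CONN_RE.search(line):
            iocs["connections"].append((m.group(1), int(m.group(2))))
        elif m := PRIV_RE.match(line):
            iocs["privileges"].append(m.group(1))
        elif m := INJECT_RE.match(line):
            iocs["injections"].append(m.group(1))
    return iocs


def triage(iocs):
    """Return human-readable findings, most damning first."""
    findings = []
    if iocs["entropy"] is not None and iocs["entropy"] >= PACKED_ENTROPY:
        findings.append(f"high entropy {iocs['entropy']:.2f}: packed or encrypted payload")
    if iocs["signed"] is False:
        findings.append("binary is unsigned")
    for key, name, data in iocs["autoruns"]:
        note = f"autorun {name} in {key} -> {data}"
        if re.search(r"\\AppData\\", data, re.I):
            note += " [user-writable profile path]"
        if "\u202e" in data:  # RIGHT-TO-LEFT OVERRIDE makes the shown name lie about the real one
            note += " [RLO character in path]"
        findings.append(note)
    if iocs["hidden_files"]:
        findings.append(f"{len(iocs['hidden_files'])} dropped file(s) set hidden")
    for key, name, data in iocs["registry"]:
        if name == "NukeOnDelete" and data.endswith("1"):
            findings.append("Recycle Bin NukeOnDelete=1: deleted files skip the bin")
    if "SeDebugPrivilege" in iocs["privileges"] and iocs["injections"]:
        findings.append("SeDebugPrivilege + injection into " + ", ".join(iocs["injections"]))
    for host in iocs["dns"]:
        findings.append(f"DNS lookup {host}")
    for ip, port in iocs["connections"]:
        findings.append(f"outbound {ip}:{port}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_report(SAMPLE_REPORT)):
        print("-", finding)
```

Feed it the full report rather than the trimmed sample and the second `File entropy` line (the dropped copy) is ignored on purpose, since the first line already describes the dropper; the duplicate MD5 collapses into the set, which is itself a useful signal that the hidden `GoogleUpdate.exe` is a byte-for-byte copy of the sample.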