Trojan-Downloader.Win32.Agent.feq analysis
  Added: 07/12/2008   Published: 07/12/2008   Hits: 196
Page 1 of 3
Virus label:

Virus name: Trojan-Downloader.Win32.Agent.feq
Virus type: Trojan
File MD5: 669A866D71C31BF4553ED2992558643C
Public scope: Fully public
Harm level: 4
File size: 48,684 bytes packed; 193,536 bytes unpacked
Infected systems: Windows 98 and later
Development tool: Microsoft Visual C++
Packer: Upack V0.37
 
Virus description:
   This virus is a Trojan. When it runs, it drops the virus file atielf.dat in %System32%. When the user
connects to the Internet, it reads atielf.dat to obtain the URL of the virus list file update.txt, downloads
that file and reads its contents, so that the virus files it then downloads run on the local machine. It takes
a snapshot of the processes running in the current system and checks whether the AVP.exe process exists; if it
does, it calls the API function "SetSystemTime" to change the system year to 2001, leaving the month and day
unchanged, causing Kaspersky to expire. It adds registry entries that hijack many security programs through
Image File Execution Options, lowering the system's security; it invokes the svchost.exe process to load the
virus service; after its own code has finished executing it terminates its own process and deletes itself, and
the virus also starts automatically with the system.
 
Behavioral analysis:
 Local behavior:

1. After the file runs, it drops the following file:

    %System32%\atielf.dat     128 bytes

2. Creates the virus services LEGACY_484 and LEGACY_ATIXEVE29875; the numeric part consists of random digits.

3. Invokes svchost.exe to load the virus service, connects to the network, and downloads the virus list file
   update.txt by reading %System32%\atielf.dat.

4. Takes a snapshot of the processes running in the current system and checks whether the AVP.exe process
   exists; if it does, calls the API function "SetSystemTime" to set the system year to 2001, leaving the
   month and day unchanged, causing Kaspersky to expire.

5. Hijacks many security programs through the Image File Execution Options registry key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<hijacked file name>]
    Value name: "Debugger"
    Type: REG_SZ
    String data: "C:\WINDOWS\system32\svchost.exe"

    List of hijacked file names:
    360rpt.exe, 360safe.exe, 360safebox.exe, 360tray.exe,
    adam.exe, AgentSvr.exe, AppSvc32.exe, AtiSrv.exe,
    autoruns.exe, avconsol.exe, avgrssvc.exe, AvMonitor.exe,
    avp.com, avp.exe, CCenter.exe, ccSvcHst.exe, EGHOST.exe,
    FileDsty.exe, FTCleanerShell.exe, FYFireWall.exe,
    HijackThis.exe, IceSword.exe, iparmo.exe, Iparmor.exe,
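
A defender-side check for the IFEO hijack described in item 5, added here as an example (it is not code from the original analysis): it parses a .reg export of the Image File Execution Options key and reports every subkey that carries a "Debugger" value, flagging those whose debugger is not a recognised debugger, which is exactly the svchost.exe redirection pattern above. The registry export embedded in the block is constructed for the demonstration, and KNOWN_DEBUGGERS is an assumed allowlist that a site would tune to its own tooling.

```python
"""Detect Image File Execution Options (IFEO) "Debugger" hijacks by scanning
a .reg export of the IFEO key.

Added example, not code from the analysis page. SAMPLE_REG is a constructed
export; KNOWN_DEBUGGERS is an assumed allowlist of debuggers that are
legitimately registered under IFEO."""
import ntpath
import re
from typing import Dict, List

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")

# Tools the analysis lists as hijacked by Trojan-Downloader.Win32.Agent.feq.
AGENT_FEQ_TARGETS = {n.lower() for n in """
    360rpt.exe 360safe.exe 360safebox.exe 360tray.exe adam.exe AgentSvr.exe
    AppSvc32.exe AtiSrv.exe autoruns.exe avconsol.exe avgrssvc.exe AvMonitor.exe
    avp.com avp.exe CCenter.exe ccSvcHst.exe EGHOST.exe FileDsty.exe
    FTCleanerShell.exe FYFireWall.exe HijackThis.exe IceSword.exe iparmo.exe
    Iparmor.exe""".split()}

# Assumption: debuggers an administrator would expect as IFEO Debugger values.
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe"}

# Constructed sample export: two entries matching the Trojan's pattern
# (svchost.exe registered as "Debugger"), one legitimate WinDbg registration,
# and one IFEO subkey that has no Debugger value at all.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\" -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
'''

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_data}} for the REG_SZ values in a
    .reg file. Non-string values (dword:, hex:) are ignored, and the .reg
    escapes (doubled backslash, escaped quote) are undone."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))
            keys[current][name] = data
    return keys


def debugger_exe(data: str) -> str:
    """Extract the executable name from a Debugger value, which may be quoted
    and may carry arguments (e.g. a quoted windbg.exe path followed by -g)."""
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]
    else:
        parts = data.split()
        path = parts[0] if parts else data
    return ntpath.basename(path).lower()


def scan_reg_export(text: str) -> List[dict]:
    """List every direct IFEO subkey carrying a Debugger value, flagging those
    whose debugger is not a known debugger (the hijack pattern) and those whose
    target is on the Agent.feq list."""
    prefix = IFEO_KEY.lower() + "\\"
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(prefix):
            continue
        target = key[len(prefix):]
        if "\\" in target or "Debugger" not in values:
            continue  # nested subkey, or no redirection configured
        exe = debugger_exe(values["Debugger"])
        findings.append({
            "target": target,
            "debugger": values["Debugger"],
            "debugger_exe": exe,
            "known_debugger": exe in KNOWN_DEBUGGERS,
            "in_agent_feq_list": target.lower() in AGENT_FEQ_TARGETS,
        })
    return sorted(findings, key=lambda f: f["target"].lower())


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        verdict = "OK" if f["known_debugger"] else "HIJACK"
        print(f"{verdict:6} {f['target']:<14} -> {f['debugger']}")
```

On a live host the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; pass the file's text to scan_reg_export and treat any entry with known_debugger false as a redirection to investigate, since a Debugger value pointing at svchost.exe (or any non-debugger) means the named security tool never actually starts.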

 