Trojan-Downloader.Win32.Small.xwr analysis
Added: 07/28/2008   Published: 07/28/2008   Hits: 579
Virus label:
Virus name: Trojan-Downloader.Win32.Small.xwr
Virus type: Trojan
File MD5: FEFEC24CF9C0E4D1E26498A09D7ED159
Disclosure: fully public
Threat level: 3
File size: 9,728 bytes packed, 41,984 bytes unpacked
Affected systems: Windows 98 and later
Development tool: Borland Delphi 6.0 - 7.0
Packer: UPX 0.89.6 - 1.02/1.05 - 1.24
Virus description:
  This is a downloader trojan. When run, it drops the virus file DesktopWin.dll into %Windir%\AppPatch. It adds registry entries: it creates a CLSID entry and a startup item, adding a DesktopWin value under the ShellServiceObjectDelayLoad key so that the Explorer.exe process loads the virus module automatically at system startup. It also checks that key for a JavaView value and deletes it if present. It invokes rundll32.exe from the command line, and rundll32.exe creates the file %Windir%\AppPatch\AclLayer.dll. After the virus has executed its own code, it terminates its own process and creates unxxx.bat in %System32%, whose purpose is to delete the virus file and the batch file itself. It then connects to the network, downloads a large number of virus files and runs them on the infected machine.
Behavioral analysis:
Local behavior:
1. When the file is run, it drops the following files:
    %Windir%\AppPatch\AclLayer.dll     9,728 bytes
    %Windir%\AppPatch\DesktopWin.dll    14,336 bytes
2. Registry entries added:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DA191DE0-AA86-4ED0-4B87-292A3D48BE99}\InProcServer32]
    Value name: "@" (default)
    Type: REG_SZ
    Data: "C:\WINDOWS\AppPatch\DesktopWin.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DA191DE0-AA86-4ED0-4B87-292A3D48BE99}\InProcServer32]
    Value name: "ThreadingModel"
    Type: REG_SZ
    Data: "Apartment"
    Description: registers the CLSID

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    Value name: "DesktopWin"
    Type: REG_SZ
    Data: "{DA191DE0-AA86-4ED0-4B87-292A3D48BE99}"
    Description: causes the Explorer.exe process to load the virus module at system startup

3. Checks the key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] for a JavaView value and deletes it if present.
4. Invokes rundll32.exe from the command line; rundll32.exe creates the file %Windir%\AppPatch\AclLayer.dll.
5. After the virus has executed its own code, it terminates its own process and creates unxxx.bat in %System32%,
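As an added example (not part of the original analysis), the following PowerShell script audits the ShellServiceObjectDelayLoad key that this trojan uses for persistence: it resolves every listed CLSID to its InProcServer32 DLL and flags entries that match the indicators above, that point into AppPatch, or whose DLL lacks a valid Authenticode signature. The AppPatch path heuristic and the signature check are assumptions of this example, not findings from the analysis.

```powershell
# Added example, not code from the original analysis.
# Explorer.exe loads each CLSID listed under ShellServiceObjectDelayLoad at logon,
# so every entry should resolve to a known, signed DLL.
$ssodl    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$badClsid = '{DA191DE0-AA86-4ED0-4B87-292A3D48BE99}'   # CLSID from the analysis
$badName  = 'DesktopWin'                                # value name from the analysis

function Get-SsodlEntry {
    # Enumerate value name -> CLSID pairs, skipping PowerShell's own metadata properties.
    $props = (Get-ItemProperty -Path $ssodl -ErrorAction Stop).PSObject.Properties
    foreach ($p in $props) {
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        [pscustomobject]@{ Name = $p.Name; Clsid = [string]$p.Value }
    }
}

function Resolve-ClsidServer([string]$clsid) {
    # The default value of InProcServer32 is the DLL that Explorer will load.
    $key = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
    if (-not (Test-Path $key)) { return $null }
    $raw = (Get-ItemProperty -Path $key).'(default)'
    if ($raw) { [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) } else { $null }
}

function Test-SsodlEntry($entry, [string]$dll) {
    # Return a list of reasons the entry looks suspicious (empty list = nothing found).
    $flags = @()
    if ($entry.Clsid -eq $badClsid -or $entry.Name -eq $badName) { $flags += 'matches Small.xwr indicator' }
    if (-not $dll)                         { $flags += 'CLSID has no InProcServer32' }
    elseif ($dll -like '*\AppPatch\*')     { $flags += 'DLL lives under AppPatch (assumed heuristic)' }
    elseif (-not (Test-Path $dll))         { $flags += 'DLL missing on disk' }
    else {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid')       { $flags += "signature $($sig.Status)" }
    }
    return $flags
}

foreach ($e in Get-SsodlEntry) {
    $dll   = Resolve-ClsidServer $e.Clsid
    $flags = Test-SsodlEntry $e $dll
    $verdict = if ($flags) { 'SUSPICIOUS: ' + ($flags -join '; ') } else { 'ok' }
    $shown   = if ($dll) { $dll } else { '<none>' }
    '{0,-20} {1} -> {2}  [{3}]' -f $e.Name, $e.Clsid, $shown, $verdict
}
```

Run from an elevated prompt so the CLSID and DLL lookups are not blocked by access rights; a clean entry prints `ok`, while an infection as described above prints the DesktopWin value with the indicator match.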