 Wysłany: Czw 3:53, 10 Mar 2011 Temat postu: asic 0128 |
|
| How to Detect and Rmove the TR/Crypt.ZPACK.Gen Trojan
Emails regarding an attached resume contains a trojan Bookmark and Share 1. Overview A new trojan distribution campaign by email regarding a resume were intercepted by Ax3soft, the following subjects are possible: 1. Resume attached. 2. please find enclosed. 3. Please find attached. 4. Attached please find. 5. Here?��s the file you wanted. 6. I have attached the resume. 7. The new resume is attached 8. The resume document is attached 9. Please find my CV and cover letter attached. 10. You will find the resume attached to this email. 11. Please find attached my CV for your attention. 12. I?��ve attched..I?��m encoding..the latest figures for you. 13. Replace the old resume with the new one which is attached. The email is send from the spoofed address and has the following body: Attached please find. Please take a look at the attached resume. Resume attached Replace the old resume with the new one which is attached Please find my attached CV for your attention Please review the attached resume. You will find the resume attached to this e-mail. The attachedZIP file has the name 50443cv.zip and contains the 16 kB large file cv.exe. The trojan is known as TR/Crypt.ZPACK.Gen (Antivir), Gen:Trojan.Heur.FU.auW@a8ibIek (F-Secure), FakeAlert-DefCnt.d (McAfee), a variant of Win32/Kryptik.AJD (NOD32). Create files as followings: %CommonFavorites%\_favdata.dat %Temp%\TMP35073.tmp %Temp%\TMP35042.tmp %Temp%\TMP34714.tmp Created the registry key as following : * [HKEY_CURRENT_USER\Printers\Connections] o affid = ?��396?? o subid = ?��landing?�� The following internet connections wil lbe established on port 80: www.searchashamed.org mediafullups.com Two files will be downloaded from /a/ad that contains a malicious payload and here are the details. The first file is known as Mal/EncPk-LZ (Sophos): * Create files as followings: %Temp%\dfrgsnapnt.exe %Temp%\eapp32hst.dll %Temp%\topwesitjh %Temp%\wscsvc32.exe * The following processed will be created or are affected: dfrgsnapnt.exe wscsvc32.exe Several registry modifications will be done and the following URLs are used: * http://finderwid.org/readdatagateway.php?type=stats&affid=139&subid=1&version=4.0&adwareok * http://searchashamed.org/readdatagateway.php?type=stats&affid=139&subid=1&version=4.0&adwareok * http://mediafullunu.com/readdatagateway.php?type=stats&affid=139&subid=1&version=4.0&adwareok * http://searchashamed.org/any3/5-direct.ex * http://finderwid.org/any3/5-direct.ex * http://mediafullunu.com/any3/5-direct.ex The second file is known as Trojan.FakeAV!gen31 (Symantec),cheap supra skytops, Trojan.Win32.TDSS.beea (Kaspersky), Application.RogueAVPacker (PCTools). * Create files as followings: %Temp%\PRAGMA7e53.tmp %Temp%\PRAGMAab00.tmp %Windir%\PRAGMAvgobwwkuyu\PRAGMAc.dll %Windir%\PRAGMAvgobwwkuyu\PRAGMAcfg.ini %Windir%\PRAGMAvgobwwkuyu\PRAGMAd.sys %Windir%\PRAGMAvgobwwkuyu\PRAGMAsrcr.dat * Create directory as followings: %Windir%\PRAGMAvgobwwkuyu * The following Registry Keys were created: o HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000 o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000\Control o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000 o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000\Control o HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol o HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\feature_enable_ie_compression o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System o HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Preferences o HKEY_CURRENT_USER\Software\Classes\.exe o HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon o HKEY_CURRENT_USER\Software\Classes\.exe\shell o HKEY_CURRENT_USER\Software\Classes\.exe\shell\open o HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command o HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas o HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command o HKEY_CURRENT_USER\Software\Classes\.exe\shell\start o HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command o HKEY_CURRENT_USER\Software\Classes\secfile o HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon o HKEY_CURRENT_USER\Software\Classes\secfile\shell o HKEY_CURRENT_USER\Software\Classes\secfile\shell\open o HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command o HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas o HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command o HKEY_CURRENT_USER\Software\Classes\secfile\shell\start o HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command o HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA o HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\injector o HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\versions o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAibadstidxb o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAibadstidxb\modules * The newly created Registry Values are: o [HKEY_LOCAL_MACHINE\SOFTWARE] + f7c5da73-b4a5-4947-8f40-08f2871eb36b = "" o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] + DisableTaskMgr = 0x00000001 o [HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups] + ConvertedToLinks = 0x00000001 o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000\Control] + *NewlyCreated* = 0x00000000 + ActiveService = "PRAGMAibadstidxb" o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000] + Service = "PRAGMAibadstidxb" + Legacy = 0x00000001 + ConfigFlags = 0x00000000 + Class = "LegacyDriver" + ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}" + DeviceDesc = "PRAGMAibadstidxb" o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB] + NextInstance = 0x00000001 o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000\Control] + *NewlyCreated* = 0x00000000 + ActiveService = "PRAGMAibadstidxb" o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000] + Service = "PRAGMAibadstidxb" + Legacy = 0x00000001 + ConfigFlags = 0x00000000 + Class = "LegacyDriver" + ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}" + DeviceDesc = "PRAGMAibadstidxb" o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB] + NextInstance = 0x00000001 o [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\feature_enable_ie_compression] + svchost.exe = 0x00000001 o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings] + ProxyEnable = 0x00000000 o [HKEY_CURRENT_USER\Printers\Connections] + time = 0x00000001 o [HKEY_CURRENT_USER\Software] + 24d1ca9a-a864-4f7b-86fe-495eb56529d8 = "" + 7bde84a2-f58f-46ec-9eac-f1f90fead080 = "" o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] + DisableTaskMgr = 0x00000001 to prevent users from starting Task Manager (Taskmgr.exe) o [HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command] + (Default) = ""%Temp%\mscdexnt.exe" /START "%1" %*" + IsolatedCommand = ""%1" %*" o [HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command] + (Default) = ""%1" %*" + IsolatedCommand = ""%1" %*" o [HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command] + (Default) = ""%1" %*" + IsolatedCommand = ""%1" %*" o [HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon] + (Default) = "%1" o [HKEY_CURRENT_USER\Software\Classes\.exe] + (Default) = "secfile" + Content Type = "application/x-msdownload" o [HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command] + (Default) = ""%Temp%\mscdexnt.exe" /START "%1" %*" + IsolatedCommand = ""%1" %*" o [HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command] + (Default) = ""%1" %*" + IsolatedCommand = ""%1" %*" o [HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command] + (Default) = ""%1" %*" + IsolatedCommand = ""%1" %*" o [HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon] + (Default) = "%1" o [HKEY_CURRENT_USER\Software\Classes\secfile] + (Default) = "Application" + Content Type = "application/x-msdownload" o [HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\versions] + /css/pragma/crcmds/install = "3.0" o [HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\injector] + explorer.exe = "pragmaserf" + iexplore.exe = "pragmaserf;pragmabbr" + firefox.exe = "pragmabbr" + safari.exe = "pragmabbr" + chrome.exe = "pragmabbr" + opera.exe = "pragmabbr" o [HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA] + affid = "391" + type = "no" + build = "no" + subid = "direct" + cmddelay = 0x00015180 o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAibadstidxb\modules] + PRAGMAd = "\systemroot\PRAGMAibadstidxb\PRAGMAd.sys" + PRAGMAc = "\systemroot\PRAGMAibadstidxb\PRAGMAc.dll" + pragmaserf = "pragmaserf" + pragmabbr = "pragmabbr" o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAibadstidxb] + start = 0x00000001 + type = 0x00000001 + imagepath = "\systemroot\PRAGMAibadstidxb\PRAGMAd.sys" * The following Registry Values were modified: o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent] + (Default) = o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent] + (Default) = o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders] + Cache = * There were registered attempts to establish connection with the remote hosts. The connection details are: Remote Host Port Number 62.122.73.242 80 91.213.157.69 80 91.213.157.72 80 * The data identified by the following URLs was then requested from the remote web server: o http://searchdisup.org/css/pragma/knock.php o http://finderwid.org/readdatagateway.php?type=stats&affid=391&subid=new02&version=4.0&adwareok o http://finderwid.org/any/391-direct.ex o http://finderunt.org/css/pragma/crcmds/main o http://finderunt.org/css/pragma/knock.php o http://finderunt.org/css/pragma/srcr.dat o http://finderunt.org/css/pragma/crcmds/install o http://finderunt.org/css/pragma/crfiles/serf o http://finderunt.org/css/pragma/crfiles/bbr 2. How-to's 1. Please update the policy basic knowledge of Sax2 in time, Once sax2 detects the communication of these trojans,vibram shoe, it will break them and ensure your network & business security. . 2. How to Remove TR.Crypt.ZPACK.Gen Manually? * Remove the registry entries hidden by TR.Crypt.ZPACK.Gen (Free online spyware scan) If you notice that the programs on your computer are running abnormally, please check the following entries in the Registry, and directly delete the spyware-related registry entries if found. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_LOCAL_MACHINE \Software \Microsoft \Windows \CurrentVersion \RunServicesOnce HKEY_CURRENT_USER/Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_CURRENT_USER \Software \Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer\Run HKEY_CURRENT_USER\ Software\ Microsoft \Windows\ CurrentVersion Explorer/ShellFolders Startup="C:\windows/start menu/programs\startup * It is possibly a way to load the "TR.Crypt.ZPACK.Gen" malicious programs, by hiding within the system WIN.INI file and the strings "run=" and "load=",mbt running shoes, so this must be carefully checked. * Clean up "IE Temporary File folder" where the original carrier of spyware threats is likely stored. 3. How to Remove Trojan.FakeAV!gen31 Manually? * Remove the registry entries hidden by Trojan.Win32.Tdss.beea If you notice that the programs on your computer are running abnormally, please check the following entries in the Registry, and directly delete the spyware-related registry entries if found. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_LOCAL_MACHINE \Software \Microsoft \Windows \CurrentVersion \RunServicesOnce HKEY_CURRENT_USER/Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_CURRENT_USER \Software \Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer\Run HKEY_CURRENT_USER\ Software\ Microsoft \Windows\ CurrentVersion Explorer/ShellFolders Startup="C:\windows/start menu/programs\startup * It is possibly a way to load the "Trojan.Win32.Tdss.beea" malicious programs, by hiding within the system WIN.INI file and the strings "run=" and "load=", so this must be carefully checked. * Clean up "IE Temporary File folder" where the original carrier of spyware threats is likely stored. 4. How to Remove these trojans Instantly? Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start. visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you. 3. Appendix For more information,women spyder suit styles, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm Topics related articles: choo 1336 north faces jacket sale discount 9581 choo 9849 |
|
