tods0jshoes
Mistrz forumowej magii
Dołączył: 23 Lut 2011
Posty: 18576
Przeczytał: 0 tematów
Ostrzeżeń: 0/3
Skąd: England
Płeć: Kobieta
|
 Wysłany: Czw 3:53, 10 Mar 2011 Temat postu: asic 0128 |
|
How to Detect and Rmove the TR/Crypt.ZPACK.Gen Trojan
Emails regarding an attached resume contains a trojan
Bookmark and Share
1. Overview
A new trojan distribution campaign by email regarding a resume were intercepted by Ax3soft, the following subjects are possible:
1. Resume attached.
2. please find enclosed.
3. Please find attached.
4. Attached please find.
5. Here?��s the file you wanted.
6. I have attached the resume.
7. The new resume is attached
8. The resume document is attached
9. Please find my CV and cover letter attached.
10. You will find the resume attached to this email.
11. Please find attached my CV for your attention.
12. I?��ve attched..I?��m encoding..the latest figures for you.
13. Replace the old resume with the new one which is attached.
The email is send from the spoofed address and has the following body:
Attached please find.
Please take a look at the attached resume.
Resume attached
Replace the old resume with the new one which is attached
Please find my attached CV for your attention
Please review the attached resume.
You will find the resume attached to this e-mail.
The attachedZIP file has the name 50443cv.zip and contains the 16 kB large file cv.exe.
The trojan is known as TR/Crypt.ZPACK.Gen (Antivir), Gen:Trojan.Heur.FU.auW@a8ibIek (F-Secure), FakeAlert-DefCnt.d (McAfee), a variant of Win32/Kryptik.AJD (NOD32).
Create files as followings:
%CommonFavorites%\_favdata.dat
%Temp%\TMP35073.tmp
%Temp%\TMP35042.tmp
%Temp%\TMP34714.tmp
Created the registry key as following :
* [HKEY_CURRENT_USER\Printers\Connections]
o affid = ?��396??
o subid = ?��landing?��
The following internet connections wil lbe established on port 80:
[link widoczny dla zalogowanych]
mediafullups.com
Two files will be downloaded from /a/ad that contains a malicious payload and here are the details.
The first file is known as Mal/EncPk-LZ (Sophos):
* Create files as followings:
%Temp%\dfrgsnapnt.exe
%Temp%\eapp32hst.dll
%Temp%\topwesitjh
%Temp%\wscsvc32.exe
* The following processed will be created or are affected:
dfrgsnapnt.exe
wscsvc32.exe
Several registry modifications will be done and the following URLs are used:
* [link widoczny dla zalogowanych]
* [link widoczny dla zalogowanych]
* [link widoczny dla zalogowanych]
* [link widoczny dla zalogowanych]
* [link widoczny dla zalogowanych]
* [link widoczny dla zalogowanych]
The second file is known as Trojan.FakeAV!gen31 (Symantec),[link widoczny dla zalogowanych], Trojan.Win32.TDSS.beea (Kaspersky), Application.RogueAVPacker (PCTools).
* Create files as followings:
%Temp%\PRAGMA7e53.tmp
%Temp%\PRAGMAab00.tmp
%Windir%\PRAGMAvgobwwkuyu\PRAGMAc.dll
%Windir%\PRAGMAvgobwwkuyu\PRAGMAcfg.ini
%Windir%\PRAGMAvgobwwkuyu\PRAGMAd.sys
%Windir%\PRAGMAvgobwwkuyu\PRAGMAsrcr.dat
* Create directory as followings:
%Windir%\PRAGMAvgobwwkuyu
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000\Control
o HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol
o HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\feature_enable_ie_compression
o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
o HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Preferences
o HKEY_CURRENT_USER\Software\Classes\.exe
o HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
o HKEY_CURRENT_USER\Software\Classes\.exe\shell
o HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
o HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
o HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
o HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
o HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
o HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
o HKEY_CURRENT_USER\Software\Classes\secfile
o HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
o HKEY_CURRENT_USER\Software\Classes\secfile\shell
o HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
o HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
o HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
o HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
o HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
o HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
o HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA
o HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\injector
o HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\versions
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAibadstidxb
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAibadstidxb\modules
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE]
+ f7c5da73-b4a5-4947-8f40-08f2871eb36b = ""
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
+ DisableTaskMgr = 0x00000001
o [HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups]
+ ConvertedToLinks = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = "PRAGMAibadstidxb"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000]
+ Service = "PRAGMAibadstidxb"
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = "LegacyDriver"
+ ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
+ DeviceDesc = "PRAGMAibadstidxb"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMAIBADSTIDXB]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = "PRAGMAibadstidxb"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB\0000]
+ Service = "PRAGMAibadstidxb"
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = "LegacyDriver"
+ ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
+ DeviceDesc = "PRAGMAibadstidxb"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMAIBADSTIDXB]
+ NextInstance = 0x00000001
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\feature_enable_ie_compression]
+ svchost.exe = 0x00000001
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
+ ProxyEnable = 0x00000000
o [HKEY_CURRENT_USER\Printers\Connections]
+ time = 0x00000001
o [HKEY_CURRENT_USER\Software]
+ 24d1ca9a-a864-4f7b-86fe-495eb56529d8 = ""
+ 7bde84a2-f58f-46ec-9eac-f1f90fead080 = ""
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
+ DisableTaskMgr = 0x00000001
to prevent users from starting Task Manager (Taskmgr.exe)
o [HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
+ (Default) = ""%Temp%\mscdexnt.exe" /START "%1" %*"
+ IsolatedCommand = ""%1" %*"
o [HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command]
+ (Default) = ""%1" %*"
+ IsolatedCommand = ""%1" %*"
o [HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command]
+ (Default) = ""%1" %*"
+ IsolatedCommand = ""%1" %*"
o [HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon]
+ (Default) = "%1"
o [HKEY_CURRENT_USER\Software\Classes\.exe]
+ (Default) = "secfile"
+ Content Type = "application/x-msdownload"
o [HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
+ (Default) = ""%Temp%\mscdexnt.exe" /START "%1" %*"
+ IsolatedCommand = ""%1" %*"
o [HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command]
+ (Default) = ""%1" %*"
+ IsolatedCommand = ""%1" %*"
o [HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command]
+ (Default) = ""%1" %*"
+ IsolatedCommand = ""%1" %*"
o [HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon]
+ (Default) = "%1"
o [HKEY_CURRENT_USER\Software\Classes\secfile]
+ (Default) = "Application"
+ Content Type = "application/x-msdownload"
o [HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\versions]
+ /css/pragma/crcmds/install = "3.0"
o [HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\injector]
+ explorer.exe = "pragmaserf"
+ iexplore.exe = "pragmaserf;pragmabbr"
+ firefox.exe = "pragmabbr"
+ safari.exe = "pragmabbr"
+ chrome.exe = "pragmabbr"
+ opera.exe = "pragmabbr"
o [HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA]
+ affid = "391"
+ type = "no"
+ build = "no"
+ subid = "direct"
+ cmddelay = 0x00015180
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAibadstidxb\modules]
+ PRAGMAd = "\systemroot\PRAGMAibadstidxb\PRAGMAd.sys"
+ PRAGMAc = "\systemroot\PRAGMAibadstidxb\PRAGMAc.dll"
+ pragmaserf = "pragmaserf"
+ pragmabbr = "pragmabbr"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAibadstidxb]
+ start = 0x00000001
+ type = 0x00000001
+ imagepath = "\systemroot\PRAGMAibadstidxb\PRAGMAd.sys"
* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
+ (Default) =
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
+ (Default) =
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
+ Cache =
* There were registered attempts to establish connection with the remote hosts. The connection details are:
Remote Host Port Number
62.122.73.242 80
91.213.157.69 80
91.213.157.72 80
* The data identified by the following URLs was then requested from the remote web server:
o [link widoczny dla zalogowanych]
o [link widoczny dla zalogowanych]
o [link widoczny dla zalogowanych]
o [link widoczny dla zalogowanych]
o [link widoczny dla zalogowanych]
o [link widoczny dla zalogowanych]
o [link widoczny dla zalogowanych]
o [link widoczny dla zalogowanych]
o [link widoczny dla zalogowanych]
2. How-to's
1. Please update the policy b[link widoczny dla zalogowanych] knowledge of Sax2 in time, Once sax2 detects the communication of these trojans,[link widoczny dla zalogowanych], it will break them and ensure your network & business security. .
2. How to Remove TR.Crypt.ZPACK.Gen Manually?
* Remove the registry entries hidden by TR.Crypt.ZPACK.Gen (Free online spyware scan)
If you notice that the programs on your computer are running abnormally, please check the following entries in the Registry, and directly delete the spyware-related registry entries if found.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE \Software \Microsoft \Windows \CurrentVersion \RunServicesOnce
HKEY_CURRENT_USER/Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER \Software \Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer\Run
HKEY_CURRENT_USER\ Software\ Microsoft \Windows\ CurrentVersion
Explorer/ShellFolders Startup="C:\windows/start menu/programs\startup
* It is possibly a way to load the "TR.Crypt.ZPACK.Gen" malicious programs, by hiding within the system WIN.INI file and the strings "run=" and "load=",[link widoczny dla zalogowanych], so this must be carefully checked.
* Clean up "IE Temporary File folder" where the original carrier of spyware threats is likely stored.
3. How to Remove Trojan.FakeAV!gen31 Manually?
* Remove the registry entries hidden by Trojan.Win32.Tdss.beea
If you notice that the programs on your computer are running abnormally, please check the following entries in the Registry, and directly delete the spyware-related registry entries if found.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE \Software \Microsoft \Windows \CurrentVersion \RunServicesOnce
HKEY_CURRENT_USER/Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER \Software \Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer\Run
HKEY_CURRENT_USER\ Software\ Microsoft \Windows\ CurrentVersion
Explorer/ShellFolders Startup="C:\windows/start menu/programs\startup
* It is possibly a way to load the "Trojan.Win32.Tdss.beea" malicious programs, by hiding within the system WIN.INI file and the strings "run=" and "load=", so this must be carefully checked.
* Clean up "IE Temporary File folder" where the original carrier of spyware threats is likely stored.
4. How to Remove these trojans Instantly?
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start. visit [link widoczny dla zalogowanych] and download Malwarebytes' Anti-Malware to help you.
3. Appendix
For more information,[link widoczny dla zalogowanych], please visit [link widoczny dla zalogowanych]
Topics related articles:
[link widoczny dla zalogowanych]
[link widoczny dla zalogowanych]
[link widoczny dla zalogowanych]
Post został pochwalony 0 razy
|
|
