  1. #1
    dima75       dima75
    04.11.2007
    143
    ()
    0
    : 0 (: 0).

     , services.exe

    services.exe(_).
    : C:\WINDOWS.
    : . Starter'e - .
    .
    http://virustotal.com/ru
    :
    : 8/32 (25%) 
        
    AhnLab-V3 2007.12.26.10 2007.12.26 - 
    AntiVir 7.6.0.46 2007.12.25 TR/Crypt.ULPM.Gen 
    Authentium 4.93.8 2007.12.26 - 
    Avast 4.7.1098.0 2007.12.25 - 
    AVG 7.5.0.516 2007.12.25 - 
    BitDefender 7.2 2007.12.26 - 
    CAT-QuickHeal 9.00 2007.12.25 - 
    ClamAV 0.91.2 2007.12.26 - 
    DrWeb 4.44.0.09170 2007.12.26 - 
    eSafe 7.0.15.0 2007.12.25 suspicious Trojan/Worm 
    eTrust-Vet 31.3.5400 2007.12.24 - 
    Ewido 4.0 2007.12.26 - 
    FileAdvisor 1 2007.12.26 - 
    Fortinet 3.14.0.0 2007.12.26 - 
    F-Prot 4.4.2.54 2007.12.25 W32/Hupigon.D.gen!Eldorado 
    F-Secure 6.70.13030.0 2007.12.26 - 
    Ikarus T3.1.1.15 2007.12.26 - 
    Kaspersky 7.0.0.125 2007.12.26 Heur.Trojan.Generic 
    McAfee 5192 2007.12.24 BackDoor-AVW 
    Microsoft 1.3109 2007.12.26 - 
    NOD32v2 2747 2007.12.25 - 
    Norman 5.80.02 2007.12.26 - 
    Panda 9.0.0.4 2007.12.25 Suspicious file 
    Prevx1 V2 2007.12.26 - 
    Rising 20.24.21.00 2007.12.26 - 
    Sophos 4.24.0 2007.12.26 Mal/Emogen-N 
    Sunbelt 2.2.907.0 2007.12.21 - 
    Symantec 10 2007.12.26 - 
    TheHacker 6.2.9.168 2007.12.22 - 
    VBA32 3.12.2.5 2007.12.24 - 
    VirusBuster 4.3.26:9 2007.12.26 - 
    Webwasher-Gateway 6.6.2 2007.12.26 Trojan.Crypt.ULPM.Gen 
      
    File size: 349696 bytes 
    MD5: c0683956561d4d644d3325c59bfda517 
    SHA1: 77e9842a018dbd1f3393565448db9c594c2663e2 
    PEiD: -
    ..?( )
    : , , , - . . ( )

  2. #2
    Kaspersky Gold Beta Test pDanil2006       pDanil2006
    06.09.2007
    1,109
    ()
    0
    : 0 (: 0).
    ...
    .
    Kaspersky Gold Beta Testers Team

  3. #3
    igor1533   igor1533   igor1533   igor1533     igor1533
    25.09.2006
    -->
    5,785
    ()
    0
    : 0 (: 0).

    pDanil2006
    ??...
    ...

  4. #4
    dima75       dima75
    04.11.2007
    143
    ()
    0
    : 0 (: 0).

    / :\WINDOWS AVZ( ).
    :
       AVZ  4.29 
       27.12.2007 10:48:46 
     :  - 138934,  - 2,   - 55,   12.12.2007 10:43 
      : 371 
      : 9 
        : 66967 
      :    
     :  
     Windows: 5.1.2600, Service Pack 2 ; AVZ     
     :  
    1.  RootKit  ,   API 
    1.1   API,   UserMode 
      kernel32.dll,      .text 
      ntdll.dll,      .text 
      user32.dll,      .text 
     user32.dll:ChangeDisplaySettingsExA (34) ,  APICodeHijack.JmpTo[100924B2] 
     user32.dll:ChangeDisplaySettingsExW (35) ,  APICodeHijack.JmpTo[100924DE] 
     user32.dll:EndTask (202) ,  APICodeHijack.JmpTo[1009216E] 
     user32.dll:ExitWindowsEx (226) ,  APICodeHijack.JmpTo[100920EA] 
     user32.dll:SetForegroundWindow (600) ,  APICodeHijack.JmpTo[10092116] 
     user32.dll:SetWindowPos (644) ,  APICodeHijack.JmpTo[10092142] 
      advapi32.dll,      .text 
      ws2_32.dll,      .text 
      wininet.dll,      .text 
      rasapi32.dll,      .text 
      urlmon.dll,      .text 
      netapi32.dll,      .text 
    1.2   API,   KernelMode 
        
     SDT  (RVA=082B80) 
      ntoskrnl.exe      804D7000 
       SDT = 80559B80 
       KiST = 804E2D20 (284) 
     NtAssignProcessToJobObject (13)  (805A4567->F6BD03F0),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtClose (19)  (805675D9->F6BBC0E0),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtConnectPort (1F)  (80598C34->F6BD1BFC),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtCreateFile (25)  (8057164C->F6BB6C60),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtCreateKey (29)  (8056F063->F6BC2C70),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtCreateProcess (2F)  (805B3543->F6BCBDB0),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtCreateProcessEx (30)  (805885D3->F6BCC5E0),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtCreateSection (32)  (80564B1B->F6BB5E00),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtCreateSymbolicLinkObject (34)  (805A27B0->F6BC2A30),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtCreateThread (35)  (8057F262->F6BCAAA0),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtDeleteFile (3E)  (805D8CF7->F6BC19B0),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtDeleteKey (3F)  (8059D6BD->F6BC4150),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtDeleteValueKey (41)  (80597430->F6BC8CE0),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtMakeTemporaryObject (69)  (805A2C6E->F6BC22B0),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtOpenFile (74)  (805715E7->F6BBAF00),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtOpenKey (77)  (805684D5->F6BC3B00),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtOpenProcess (7A)  (8057459E->F6BCE250),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtOpenSection (7D)  (805766CC->F6BB6590),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtOpenThread (80)  (80597C0A->F6BCD8B0),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtProtectVirtualMemory (89)  (8057494D->F6BD1350),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtQueryDirectoryFile (91)  (80574DAD->F6BBCDA0),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtQueryKey (A0)  (8056F473->F6BC4BD0),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtQueryValueKey (B1)  (8056B9A8->F6BC5320),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtReplaceKey (C1)  (8064D892->F6BC6610),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtRestoreKey (CC)  (8064C3B0->F6BC8580),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtSaveKey (CF)  (8064C457->F6BC76D0),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtSaveKeyEx (D0)  (8064C4EF->F6BC7E20),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtSecureConnectPort (D2)  (80585D7D->F6BD256C),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtSetContextThread (D5)  (8062C85B->F6BCFDD0),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtSetInformationFile (E0)  (80579E7E->F6BBDF40),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtSetValueKey (F7)  (80575527->F6BC5AA0),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtTerminateProcess (101)  (8058AE1E->F6BCEC10),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtTerminateThread (102)  (8057E97C->F6BCF5A0),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     NtWriteVirtualMemory (115)  (8057C123->F6BD0B40),  C:\WINDOWS\system32\DRIVERS\SandBox.sys,     
     : 284, : 34, : 0 
    1.3  IDT  SYSENTER 
        1 
      IDT  SYSENTER  
    1.4      
       ,       AVZPM 
    2.   
       : 18 
       : 244 
    c:\windows\system32\winkey.dll >>>>> Backdoor.Win32.Prorat.ae 
       
    3.   
    C:\WINDOWS\system32\winkey.dll >>>>> Backdoor.Win32.Prorat.ae 
    C:\WINDOWS\system32\reginv.dll >>>>> Backdoor.Win32.Prorat.s 
    4.  Winsock Layered Service Provider (SPI/LSP) 
      LSP .    
    5.    // (Keylogger,  DLL) 
    C:\WINDOWS\system32\winkey.dll -->   Keylogger   DLL 
    C:\WINDOWS\system32\winkey.dll>>>  : 
      1.   :  
      2. ,       
      3.    
      4.     
      5.  ASCII     
    C:\WINDOWS\system32\winkey.dll>>> :    99.93%      / 
     :     ,      (  FAQ), ..    DLL- 
    6.    TCP/UDP,    
        
    7. c   
          AppInit_DLLs: "c:\progra~1\agnitum\outpos~1\wl_hook.dll" 
      Winlogon\Shell,     "explorer.exe c:\windows\system32\fservice.exe" 
    >>> C:\WINDOWS\services.exe :       (  ) 
      
    8.    
    >> :     RemoteRegistry ( ) 
    >> :     TermService ( ) 
    >> :     SSDPSRV (  SSDP) 
    >> :     Alerter () 
    >> :     mnmsrvc (NetMeeting Remote Desktop Sharing) 
    >> :     RDSessMgr (      ) 
    > :   -           (,     ...)! 
    >> :     CDROM 
    >> :       (C$, D$ ...) 
    >> :       
      
    9.      
     >>    SCR  
     >>    REG  
     >>      
      
     : 27818,   : 21042,    3,  - 0
    , , , , ( AVZ )
    :
    C:\WINDOWS\system32\DRIVERS\SandBox.sys   4    KernelMode 
    c:\windows\system32\winkey.dll   1    Backdoor.Win32.Prorat.ae 
    C:\WINDOWS\system32\winkey.dll   1    Backdoor.Win32.Prorat.ae 
    C:\WINDOWS\system32\reginv.dll   1    Backdoor.Win32.Prorat.s 
    C:\WINDOWS\system32\winkey.dll   5     Keylogger   DLL 
    C:\WINDOWS\services.exe   3    :       (  ).

  5. #5
    dima75       dima75
    04.11.2007
    143
    ()
    0
    : 0 (: 0).

     ..?

    pDanil2006
    ...
    , . , (. ):

  6. #6
    Kaspersky Gold Beta Test pDanil2006       pDanil2006
    06.09.2007
    1,109
    ()
    0
    : 0 (: 0).

    .... ...


    igor1533
    ??...
    , , ...
    ...
    .
    Kaspersky Gold Beta Testers Team

  7. #7
    dima75       dima75
    04.11.2007
    143
    ()
    0
    : 0 (: 0).

    pDanil2006
    .... ...
    ...? ( , ...)
    ----------------------
    - system32.rar C:\windows\system32
    - .
    - WINRAR'e / (Ctrl+P). 2- (dima), OK.
    , , ... .
    ---------------------
    , :http://file.sibnet.ru/. . . . . ( )

  8. #8
    Kaspersky Gold Beta Test pDanil2006       pDanil2006
    06.09.2007
    1,109
    ()
    0
    : 0 (: 0).

    dima75, ?
    ...
    .
    Kaspersky Gold Beta Testers Team

  9. #9
    dima75       dima75
    04.11.2007
    143
    ()
    0
    : 0 (: 0).

    pDanil2006
    dima75, ?
    .
    ..? ( )
    ------------------------
    , , :
    1) :
    C:\WINDOWS\system32\winkey.dll >>>>> Backdoor.Win32.Prorat.ae
    C:\WINDOWS\system32\reginv.dll >>>>> Backdoor.Win32.Prorat.s
    DrWeb CurIt.
    2) :
    AVZ( ) + (Hijackthis)
    ------------------------
    : http://forum.adslclub.ru/viewtopic.php?p=342498#342498(5- .)

  10. #10
    Kaspersky Gold Beta Test pDanil2006       pDanil2006
    06.09.2007
    1,109
    ()
    0
    : 0 (: 0).

    ....
    ...
    .
    Kaspersky Gold Beta Testers Team