Ventajas del Internet .com

Encyclopedia about the Internet, Facebook, YouTube and other web applications

By Ángel | 14 May 2011

TR/Dldr.Dogkild.U
Creation date: 26/01/2010
Class: Trojan
Subclass: Downloader
In the wild (ITW): Yes
Number of reported infections: Low
Spreading potential: Medium-low
Damage potential: Medium
Static file: Yes
Size: 25,076 bytes
MD5 checksum: 68047ed2c60277085b52ad5c619ae73b
IVDF version: 7.10.03.71

General
Spreading method:
• Autorun feature

Aliases:
• McAfee: W32/Autorun.worm.c
• Sophos: Troj/KillB-Gen
• Panda: W32/Autorun.JSB
• Eset: Win32/AutoRun.KillAV.E
• Bitdefender: Trojan.Downloader.Agent.AAWS

Platforms / operating systems:
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads a malicious file
• Drops malicious files
• Registry modifications

Files
Copies itself to the following location:
• \ZXO.PIF

Deletes the following files:
• %WINDIR%\Fonts\pci.sys
• C:\dianlw.dll
• %WINDIR%\Fonts\cauin.sys

Creates the following files:

– \AUTORUN.INF This is a text file that poses no risk by itself and has the following content:


– %TEMPDIR%\dll24.tmp Further analysis indicated that this file is also malicious. Detected as: Worm/Autorun.bbmu

– C:\dianlw.dll Further analysis indicated that this file is also malicious. Detected as: TR/Dldr.Geral.mwu.1

– %WINDIR%\Fonts\cauin.sys Further analysis indicated that this file is also malicious. Detected as: TR/Rootkit.Gen

– %WINDIR%\Fonts\pci.sys Further analysis indicated that this file is also malicious. Detected as: TR/Dldr.Geral.mwj

Attempts to download a file:

– The URL is as follows:
• http://y.moneyinfom.com/**********

Attempts to execute the following files:

– Executes one of the following files:
• "%SYSDIR%\rundll32.exe" C:\dianlw.dll,RKTV

– Executes one of the following files:
• cmd /c sc config avp start= disabled

– Executes one of the following files:
• sc config avp start= disabled

Registry
Adds the following registry key to run the service at system startup:

– [HKLM\SYSTEM\CurrentControlSet\Services\cauin]
• "DisplayName"="cauin"
• "ErrorControl"=dword:0x00000001
• "ImagePath"="\??\%WINDIR%\fonts\cauin.sys"
• "Start"=dword:0x00000003
• "Type"=dword:0x00000001

Adds the following registry keys:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image name>]
• "debugger"="ntsd -d"

One such key, with that same "debugger" value, is created for each of the following image names:
• Frameworkservice.EXE
• 360sd.EXE
• AutoRunKiller.EXE
• AutoRun.EXE
• kav32.EXE
• VPTRAY.EXE
• Ravservice.EXE
• ccEvtMgr.EXE
• Rfwstub.EXE
• KVMonxp.KXP
• rfwProxy.EXE
• RsMain.EXE
• avp.EXE
• GuardField.EXE
• rfwsrv.EXE
• mcshield.EXE
• PFW.EXE
• TrojanDetector.EXE
• RsAgent.EXE
• kavstart.EXE
• ANTIARP.EXE
• krnl360svc.EXE
• Regedit.EXE
• KRegEx.EXE
• RAV.EXE
• VsTskMgr.EXE
• AvMonitor.EXE
• Nod32kui.EXE
• IceSword.EXE
• Ast.EXE
• 360tray.EXE
• CCenter.EXE
• SREngLdr.EXE
• KVWSC.EXE
• arpfw.EXE
• RSTray.EXE
• RavMon.EXE
• 360safebox.EXE
• Mmsk.EXE
• ArSwp.EXE
• 360rpt.EXE
• RAVTRAY.EXE
• RavTask.EXE
• RavMonD.EXE
• rfwmain.EXE
• kwatch.EXE
• Iparmor.EXE
• GFUpd.EXE
• RavStub.EXE
• naPrdMgr.EXE
• KpfwSvc.EXE
• ScanFrm.EXE
• 360safe.EXE
• KASARP.EXE
• Navapsvc.EXE
• 360upp.EXE
• ekrn.EXE
• Rsaupd.EXE
• Trojanwall.EXE
• Runiep.EXE
• KVSrvXP.EXE
• LiveUpdate360.EXE
• KAVPFW.EXE
• 360safeup.EXE
• WOPTILITIES.EXE
• VPC32.EXE
• HijackThis.EXE
• 360rp.EXE
• kissvc.EXE
• TrojDie.KXP
• ZhuDongFangYu.EXE
• egui.EXE
• safeboxTray.EXE
• KSWebShield.EXE
• nod32krn.EXE

Modifies the following registry key:

Various Explorer configuration settings:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
New value:
• "CheckedValue"=dword:0x00000002
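
The "debugger" values under Image File Execution Options make Windows start ntsd in place of each listed security tool, and the cauin service loads a driver from the Fonts directory. The following triage script is an added example (not Avira's or this site's code): it parses the output of `reg query <key> /s` and flags those artefacts together with the SHOWALL change; the sample output it runs on is constructed, not captured from an infected host.

```python
# Added triage helper (not Avira's code): parse `reg query <key> /s` output and
# flag the IFEO hijacks, the cauin driver service and the SHOWALL change.
import re
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"

def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query /s` text."""
    keys, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("HKEY_"):
            current = raw.strip()
            keys[current] = {}
        elif current and raw.startswith(" "):
            # Value lines are "    Name    REG_TYPE    Data" (4-space separators).
            parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
            if len(parts) == 3:
                keys[current][parts[0]] = (parts[1], parts[2])
    return keys

def find_indicators(keys):
    """Return (severity, message) findings matching the behaviour described above."""
    hits = []
    for path, values in keys.items():
        low, leaf = path.lower(), path.rsplit("\\", 1)[-1]
        if low.startswith(IFEO.lower() + "\\"):
            # Windows runs the Debugger value instead of the image; this sample plants "ntsd -d".
            for name, (_, data) in values.items():
                if name.lower() == "debugger":
                    sev = "high" if data.lower().startswith("ntsd") else "review"
                    hits.append((sev, f"IFEO hijack of {leaf}: {data}"))
        elif low.startswith(SERVICES.lower() + "\\"):
            _, img = values.get("ImagePath", ("", ""))
            if "\\fonts\\" in img.lower():  # no legitimate driver lives in Fonts
                hits.append(("high", f"driver service {leaf} loads {img}"))
        elif low == SHOWALL.lower():
            _, data = values.get("CheckedValue", ("", ""))
            if data.lower() == "0x2":
                hits.append(("medium", "SHOWALL CheckedValue=2: hidden files stay hidden"))
    return hits

# Constructed sample in `reg query /s` layout (not a real capture).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.EXE
    debugger    REG_SZ    ntsd -d
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cauin
    ImagePath    REG_EXPAND_SZ    \??\C:\WINDOWS\fonts\cauin.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue    REG_DWORD    0x2
"""
```

On a live host, feed it the text of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` and the equivalent queries for the Services and SHOWALL keys.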

File data
Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.
Sources

  1. avira.com