It doesn't damage your computer, but... it just steals passwords / serial numbers etc.
http://www.securelist.com/en/descrip...n32.Agent.dvyh
Trojan-Dropper.Win32.Agent.dvyh
This Trojan installs and launches other programs on the infected computer without the user's knowledge. It is a Windows .Net application (PE EXE file). It is 3 889 352 bytes in size.
Once launched, the Trojan decrypts and extracts the following files from its body to the current user's temporary directory:
%Temp%\KasKeygenRevised.exe
This file is 479 232 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan.Win32.VB.aaen.
%Temp%\1234.exe
This file is 2 196 545 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-Dropper.Win32.Agent.dvyg.
The Trojan then launches the extracted files for execution and ceases running. The file "KasKeygenRevised.exe", which is detected as Trojan.Win32.VB.aaen, imitates key generation for Kaspersky Lab products such as: Kaspersky Anti-Virus 2010, Kaspersky Internet Security 2010, Kaspersky Simple Scan 2010. The program's main windows look like this:
The file "1234.exe", which is detected as Trojan-Dropper.Win32.Agent.dvyg, has the following payload:
Once launched, the Trojan decrypts and extracts the following files from its body to the current user's temporary directory:
%Temp%\instant.exe
This file is 1 116 397 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan.MSIL.Agent.aor.
%Temp%\server.exe
This file is 289 792 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan.Win32.Llac.gfu.
The Trojan then launches the extracted files for execution and ceases running. The file "instant.exe", which is detected as Trojan.MSIL.Agent.aor, has the following payload:
The Trojan contains functionality that prevents its payload from running when it is launched in the following virtual environments:
VMware
VirtualPC
VirtualBox
Sandboxie
This Trojan program is designed to steal user registration information for the following software products:
The collected data is saved to the following file:
%Temp%\TMP.dat
and sent to the malicious user's email address on the "@gmail.com" server. To determine the infected computer's IP address, the Trojan accesses the following service:
www.whatismyip.com
During its operations, the Trojan extracts from its body the following files:
%WorkDir%\System.Data.SQLite.DLL (886 272 bytes)
%Temp%\melt.tmp (6 bytes)
The file "System.Data.SQLite.DLL" is an ADO.NET provider assembly for working with SQLite. The following string is entered into the file "melt.tmp":
melt
The Trojan modifies the file:
%System%\drivers\etc\hosts
entering the following strings into it:
##Do not touch this file, changing it will cause SERIOUS damage to your computer
127.0.0.1 www.rsbot.org/vb/
127.0.0.1 rsbot.org/vb/
127.0.0.1 85.25.184.47
127.0.0.1 www.rsbot.com
127.0.0.1 www.rsbot.com
127.0.0.1 www.rsbot.org
127.0.0.1 www.rsbot.org
127.0.0.1 virustotal.com
127.0.0.1 www.virustotal.com
127.0.0.1 www.virusscan.jotti.org/
127.0.0.1 www.virusscan.jotti.org/en
127.0.0.1 www.virusscan.jotti.org/en
127.0.0.1 www.rsbots.net
127.0.0.1 rsbots.net
127.0.0.1 www.RSbots.net
127.0.0.1 www.AutoFighter.org
127.0.0.1 www.RSBotting.com
127.0.0.1 www.RSTrainers.com
127.0.0.1 www.CodeSpace.net
127.0.0.1 www.RsAutoCheats.com
127.0.0.1 www.XxBots.net
127.0.0.1 www.AutoFarmer.org
127.0.0.1 www.kMiner.org
Thereby, access to the listed resources is blocked.
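As an added illustration of how a defender might check for the hosts-file tampering described above (this is not code from the Securelist description; the sample hosts content is constructed to mirror the listed entries, and the watchlist of analysis services is an assumption), this script parses a hosts file and flags entries that sinkhole names to loopback, including the malformed wrapped comment line and the invalid URL paths the Trojan writes:

```python
import ipaddress

# Constructed sample of a tampered hosts file, mirroring the entries the
# Securelist description lists for Trojan.MSIL.Agent.aor (not a real capture).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
##Do not touch this file, changing it will cause SERIOUS damage to
your computer
127.0.0.1 www.rsbot.org/vb/
127.0.0.1 85.25.184.47
127.0.0.1 virustotal.com
127.0.0.1 www.virusscan.jotti.org/en
127.0.0.1 www.kMiner.org
"""
SECURITY_DOMAINS = ("virustotal.com", "jotti.org")  # assumed watchlist; extend as needed
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_hosts(text):
    # Yield (lineno, address, names); address is None when the first field is not an IP.
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            yield lineno, ipaddress.ip_address(fields[0]), fields[1:]
        except ValueError:
            yield lineno, None, fields


def find_suspicious_entries(text):
    # Return (lineno, reason) for entries that sinkhole names to loopback.
    findings = []
    for lineno, addr, names in parse_hosts(text):
        if addr is None:
            findings.append((lineno, "malformed line: " + " ".join(names)))
            continue
        if addr not in LOOPBACK:
            continue  # ordinary mappings are out of scope here
        for name in names:
            host = name.split("/", 1)[0].lower()  # hosts names cannot carry URL paths
            if "/" in name:
                findings.append((lineno, f"URL path in hosts entry: {name}"))
            try:
                ipaddress.ip_address(host)
            except ValueError:
                if any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS):
                    findings.append((lineno, f"analysis service blocked: {name}"))
            else:
                findings.append((lineno, f"IP address redirected to loopback: {name}"))
    return findings
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` into `text` instead of the constructed sample.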
The file "server.exe", which is detected as Trojan.Win32.Llac.gfu, has the following payload:
Installation: Once launched, the Trojan creates a copy of its file in the Windows system directory with the name
%System%\install\server.exe
In order to ensure that it is launched automatically each time the system is restarted, the Trojan adds a link to its executable file in the system registry autorun key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies" = "%System%\install\server.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%System%\install\server.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies" = "%System%\install\server.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%System%\install\server.exe"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{VOC6T861-UAYF-N871-Y74N-64IK6MMG1C83}]
"StubPath" = "%System%\install\server.exe Restart"
Payload:
When any of the following conditions are fulfilled, the Trojan ceases running:
Detection of the following libraries in its address space:
dbghelp.dll
sbiedll.dll
Launching of the Trojan on a VMware virtual machine
Presence of the process:
VBoxService.exe
thereby preventing the Trojan from being launched on an Oracle Corporation virtual machine
If the username on the computer is:
CurrentUser
If the value of the system registry key parameter
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProductId" =
is one of the following:
76487-337-8429955-22614
76487-644-3177037-23510
55274-640-2673064-23950
In addition, the Trojan employs various anti-debugging hooks.
During its execution, it creates unique identifiers with the names:
_x_X_UPDATE_X_x_
_x_X_PASSWORDLIST_X_x_
_x_X_BLOCKMOUSE_X_x_
0BP3RCBQG7BM1V
0BP3RCBQG7BM1V_PERSIST
It creates a file in the current user's Windows temporary directory:
%Temp%\XX—XX--XX.txt (227744 bytes)
This file contains a decrypted configuration file for the Trojan's operations, as well as an executable file, which is injected into the address space of the process:
explorer.exe
The Trojan launches the process for the user's default browser. Information about the browser is obtained from the registry key:
[HKCR\http\shell\open\command]
Malicious code is also injected into the browser process.
A file is injected into the address space of the processes in order to restore the Trojan's malicious file and execute the commands obtained from the malicious user's server:
dc-hac***o-ip.info:3737
The malicious user can obtain the following information from the user's computer:
List of files on the user's computer;
List of open windows;
List of launched processes;
List of launched services;
Information about the equipment in the user's computer;
Information about the registry on the user's computer;
Information about installed programs;
List of open ports;
It has a function for browsing the user's desktop;
Web camera display;
Sound from the user's microphone;
Executing a keylogger function to obtain keys pressed on the keyboard and mouse;
Passwords saved in browsers.
In addition, it can send commands to execute the following actions:
Launch Socks Proxy and HTTP Proxy servers;
Open various pages in the user's browser;
Download various files to the user's computer and launch them for execution;
Obtain access to the command line;
Execute a search for files on the user's computer;
Obtain access to the clipboard;
Obtain access to chat during use of the application Windows Live Messenger;
Change the malicious user's server address;
Update settings;
Relaunch the malicious file;
Cease its own execution and delete its files.
This malicious file was created using the program "CyberGate RAT v1.04.8", which is a utility for remote administration. The developers' website:
http://website.cybe***-rat.org