Virus detection methods

Trojan.Win32.Jorik.Buterat.dp

Detected Jul 22 2011 05:48 GMT
Released Jul 22 2011 07:27 GMT
Published Sep 20 2011 08:47 GMT

Technical Details
Payload
Removal instructions

Technical Details

A trojan that performs destructive actions on the user's computer. It is a Windows application (PE-EXE file), 56832 bytes, packed with an unknown packer; the unpacked size is around 53 kB. Written in C++.

Installation

Depending on its launch parameters, the trojan copies its body to the following file:

%APPDATA%\netprotocol.exe

or, alternatively, to the Windows system directory:

%System%\netprotocol.exe

A system registry key is created so that the copy is launched automatically each time the system starts:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = "%APPDATA%\netprotocol.exe"

If this key cannot be created, the trojan creates the following key instead:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = "%APPDATA%\netprotocol.exe"

If the copy was placed in the Windows system directory, the following key is created:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netprotocol" = "%System%\netprotocol.exe"

The trojan then launches the created copy.


Payload

After launching, the trojan contacts the following servers to receive commands:

http://dia***sp.in
http://los***ph.com
http://kas***seuk.com
http://krex***amdx.com

It then enters a loop, waiting for commands.

On the attacker's command, the trojan may update its executable, downloading the update from the attacker's server. It may also download a file, which it saves in its working directory as:

%WorkDir%\netprotdrvss

and launches once the download completes. Requests to the attacker's server take the following forms:

  1. Notification that the trojan was installed successfully on the user's computer:
    <serverName>/nconfirm.php?rev=350&code=11m=2&num=<uniqueNum>

  2. Request for a command for further action:
    <serverName>/njob.php?num=<uniqueNum>&rev=350

  3. Request to download the file "netprotdrvss":
    <serverName>/nconfirm.php?rev=350&code=11m=2&num=<uniqueNum>

Here <serverName> is one of the attacker's servers listed above, and <uniqueNum> is a unique number derived from the network hardware of the user's computer, for example "40401870851072".
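The two request shapes above are the most useful network indicator for this family, because the path names and the rev/num parameter set are fixed while the server names change. The following script, an added example that is not part of the original description, matches those shapes in a web-proxy log and groups the hits by client. The log format, the client addresses and the host names c2-a.example and c2-b.example are constructed for the example (the real servers are masked on the page); the parameter names and rev=350 are taken from the requests documented above.

```python
"""Flag Jorik.Buterat-style C&C beacons in a web-proxy log (added example).

Request shapes (nconfirm.php / njob.php with rev and num parameters) follow
the description.  Log format, client IPs and C&C host names are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# path -> (label, query parameters that must be present), per the documented requests
BEACON_SIGNATURES = {
    "/nconfirm.php": ("install_confirm", {"rev", "code", "num"}),
    "/njob.php": ("job_poll", {"rev", "num"}),
}
KNOWN_REV = "350"  # build revision present in every documented request

# Constructed sample log: "<unix time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
1311314880.101 10.0.0.21 GET http://c2-a.example/nconfirm.php?rev=350&code=11&m=2&num=40401870851072 200
1311314881.502 10.0.0.21 GET http://c2-a.example/njob.php?num=40401870851072&rev=350 200
1311314890.004 10.0.0.33 GET http://www.example.com/njob.php 200
1311314892.777 10.0.0.21 GET http://c2-b.example/njob.php?num=40401870851072&rev=350 200
1311314895.310 10.0.0.44 GET http://www.example.org/nconfirm.php?rev=999&num=1 404
1311314897.010 10.0.0.50 GET http://c2-a.example/njob.php?num=abc&rev=350 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_request(url):
    """Return a beacon verdict dict for one URL, or None if it does not match."""
    parts = urlsplit(url)
    sig = BEACON_SIGNATURES.get(parts.path)
    if sig is None:
        return None
    kind, required = sig
    query = parse_qs(parts.query, keep_blank_values=True)
    if not required.issubset(query):  # same path name but not the bot's parameter set
        return None
    num, rev = query["num"][0], query["rev"][0]
    # The documented bot id is a long decimal string and rev is 350; anything else
    # still matches the path/parameter shape but is reported with low confidence.
    confidence = "high" if rev == KNOWN_REV and num.isdigit() and len(num) >= 10 else "low"
    return {"kind": kind, "host": parts.hostname, "num": num, "rev": rev, "confidence": confidence}


def scan_log(text):
    """Return one hit dict per log line whose URL matches a beacon shape."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["url"])
        if verdict is not None:
            hits.append({"ts": m["ts"], "client": m["client"], **verdict})
    return hits


def infected_clients(hits):
    """Group high-confidence hits by client: bot id, C&C hosts and request kinds seen."""
    clients = {}
    for h in hits:
        if h["confidence"] != "high":
            continue
        entry = clients.setdefault(h["client"], {"num": h["num"], "hosts": set(), "kinds": set()})
        entry["hosts"].add(h["host"])
        entry["kinds"].add(h["kind"])
    return clients


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h)
    for client, info in infected_clients(hits).items():
        print(client, info)
```

A client that issues both an install confirmation and job polls with the same num value, against more than one server, is the pattern to escalate; a lone njob.php hit without the parameter set (line three of the sample) is ignored, and a hit with an implausible num is kept but marked low confidence so it can be reviewed rather than dropped.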

For its subsequent operation, the trojan keeps a configuration file at the following path:

%WorkDir%\System.log

The trojan may receive the following commands from the attacker's server:
<ZORKASITE>
<BEGUNFEED>
<REKLOSOFT>
<TEASERNET>
<SUPERPOISK>
<DIRECTST>
<LIVINETCH>
<PARKING>
<UPDATE>
<DOWNRUN>
<PRIORITYHOST>
<SETSTPAGE>
<COOKREJCT>
<DESTROY>
Depending on the command received, it may:
  • Inflate site visit statistics: send search queries and follow links to the resources whose rating is to be boosted, as supplied by the attacker's server;
  • Replace search results;
  • Change the default home page and search engine for the following browsers:
    Internet Explorer
    Opera
    Mozilla Firefox

To change the home page and search engine, the trojan does the following:

  1. it modifies the parameter values for the following system registry keys:
    [HKCU\Software\Microsoft\Internet Explorer\Main]
    "Start Page" = "http://w***olta.ru"
    
    [HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3B}]
    "DisplayName"="Webvolta"
    "URL"="http://we***lta.ru/search.php?q={searchTerms}"
    
  2. it creates a file in the Windows system directory:
    %System%\operaprefs_fixed.ini
    this file contains the following strings:
    [User Prefs]
    Startup Type=2
    Home URL= http://we***lta.ru
    
  3. it modifies the following file:
    %APPDATA%\Mozilla\Firefox\Profiles\<user profile directory>.default\user.js
    
    It records the following strings to the file:
    user_pref("dom.disable_window_status_change", false);
    user_pref("startup.homepage_override_url", "http://webvolta.ru");
    user_pref("browser.startup.page", 1);
    user_pref("browser.startup.homepage", "http://webvolta.ru");
    user_pref("browser.search.selectedEngine", "Webvolta");
    
  4. it creates a file at the following path:
    %APPDATA%\Mozilla\Firefox\Profiles\<user profile directory>.default\searchplugins\webvolta.xml
    

The file contains the following strings:
<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
<ShortName>Webvolta</ShortName>
<Description>Webvolta search.</Description>
<InputEncoding>windows-1251</InputEncoding>
<Url type="text/html" method="GET" template="http://web***ta.ru/search.php?">
<Param name="q" value="{searchTerms}"/>
</Url>
</SearchPlugin>
  • Injects JavaScript code into the pages the user visits to display adverts for the following resource:
    http://be***n.ru
  • Changes the attacker's server that the trojan contacts;
  • Clears the contents of the registry branch:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History]

    thereby resetting the per-site decisions to allow or block cookies;
  • Redirects the user's browser to resources specified by the attacker;
  • Creates the following system registry keys:
    [HKLM\Software\Microsoft\Netprotocol]
    "UniqueNum" = "<uniqueNum>"

    [HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
    "(Default)" = ""

    [HKLM\Software\Classes\MIME\Database\Content Type\application/x-javascript]
    "CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"

    [HKLM\Software\Classes\MIME\Database\Content Type\text/javascript]
    "CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"

    {25336920-03F9-11cf-8FD0-00AA00686F13} is the CLSID of the MSHTML "HTML Document" class, which is normally bound to text/html rather than to JavaScript content types. The empty "(Default)" value under AppEvents\Schemes\Apps\Explorer\Navigating\.Current disables the Explorer and Internet Explorer "Start Navigation" sound.



Removal instructions

If your computer has not been protected with anti-virus software and has been infected with this malware, take the following steps to remove it:

  1. Restart the computer in safe mode (press F8 during startup and select "Safe Mode" from the Windows boot menu).
  2. Delete the following system registry keys and values:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Netprotocol" = "%APPDATA%\netprotocol.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Netprotocol" = "%APPDATA%\netprotocol.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Netprotocol" = "%System%\netprotocol.exe"

    [HKLM\Software\Microsoft\Netprotocol]
    "UniqueNum" = "<uniqueNum>"

    [HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
    "(Default)" = ""

    [HKLM\Software\Classes\MIME\Database\Content Type\application/x-javascript]
    "CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"

    [HKLM\Software\Classes\MIME\Database\Content Type\text/javascript]
    "CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"

  3. Restore the original values of the following system registry parameters:
    [HKCU\Software\Microsoft\Internet Explorer\Main]
    "Start Page"

    [HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3B}]
    "DisplayName"
    "URL"

  4. Delete the following files:
    %APPDATA%\netprotocol.exe
    %System%\netprotocol.exe
    %WorkDir%\netprotdrvss
    %WorkDir%\System.log
    %System%\operaprefs_fixed.ini
    %APPDATA%\Mozilla\Firefox\Profiles\<user profile directory>.default\user.js
    %APPDATA%\Mozilla\Firefox\Profiles\<user profile directory>.default\searchplugins\webvolta.xml

    If user.js also contains the user's own settings, remove only the user_pref lines listed above instead of deleting the file.

  5. Delete the original trojan file (its location on the infected computer depends on how the program got onto the computer).
  6. Clear the Temporary Internet Files directory, which may contain infected files:
    %Temporary Internet Files%
  7. Run a full scan of the computer with Kaspersky Anti-Virus using up-to-date antivirus databases.


md5: 6AFB00FE492DB4893D746263FA9BE9F7
sha1: 35176CB60F9D476B4FEC5DD959200CFD80FF98A7
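The registry artifacts from the Installation section and from steps 2 and 3 of the removal instructions can be checked offline against a hive exported with reg export, before the manual cleanup and again afterwards to confirm nothing was missed. The script below is an added example, not Kaspersky's tooling: it parses the .reg text format and reports the Netprotocol autorun entries, the UniqueNum key, an Internet Explorer start page outside an allowlist, and JavaScript MIME types bound to the HTML Document CLSID. SAMPLE_REG is constructed for the example (the user name, paths and the OneDrive entry are invented); the key and value names are the ones listed above. Run it against a real export with open(path, encoding="utf-16"), since reg export writes UTF-16.

```python
"""Audit a .reg export for the registry artifacts described above (added example).

SAMPLE_REG is constructed; key and value names follow the description.
"""
import re
from urllib.parse import urlsplit

REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<value>.*)$')
JS_MIME_TYPES = ("application/x-javascript", "text/javascript")
HTML_DOCUMENT_CLSID = "{25336920-03F9-11cf-8FD0-00AA00686F13}"  # MSHTML "HTML Document" class

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Netprotocol"="C:\\Users\\alice\\AppData\\Roaming\\netprotocol.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://webvolta.ru"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Netprotocol]
"UniqueNum"="40401870851072"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/javascript]
"Extension"=".js"
"CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"
"""


def _unescape(s):
    """Undo .reg string escaping: \" -> " and \\ -> \ ."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key path: {value name: value}}; string values are unescaped, other types kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        km = REG_KEY_RE.match(line)
        if km:
            current = km["key"]
            keys.setdefault(current, {})
            continue
        vm = REG_VALUE_RE.match(line)
        if vm and current is not None:
            name = "(Default)" if vm["default"] else _unescape(vm["name"])
            value = vm["value"]
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                value = _unescape(value[1:-1])
            keys[current][name] = value
    return keys


def _exe_path(run_value):
    """Executable part of an autorun command line (quoted path with arguments, or bare path)."""
    m = re.match(r'^"([^"]+)"', run_value)
    return m.group(1) if m else run_value


def audit_registry(keys, trusted_hosts):
    """Findings for the trojan's autorun, bot-id, start-page and MIME handler artifacts."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(r"\software\microsoft\windows\currentversion\run"):
            for name, val in values.items():
                exe = _exe_path(val)
                if exe.lower().endswith("\\netprotocol.exe"):
                    findings.append(f"{key} | {name}: netprotocol.exe autorun -> {exe}")
                elif "\\appdata\\roaming\\" in exe.lower():
                    findings.append(f"{key} | {name}: autorun from %APPDATA%, review -> {exe}")
        elif k.endswith(r"\software\microsoft\netprotocol"):
            findings.append(f"{key}: bot id key present, UniqueNum={values.get('UniqueNum')}")
        elif k.endswith(r"\software\microsoft\internet explorer\main"):
            host = urlsplit(values.get("Start Page", "")).hostname
            if host and host not in trusted_hosts:
                findings.append(f"{key} | Start Page: untrusted host {host}")
        elif any(k.endswith("\\content type\\" + t) for t in JS_MIME_TYPES):
            if values.get("CLSID", "").lower() == HTML_DOCUMENT_CLSID.lower():
                findings.append(f"{key}: JavaScript MIME type bound to the HTML Document CLSID")
    return findings


if __name__ == "__main__":
    for finding in audit_registry(parse_reg_export(SAMPLE_REG), {"www.bing.com"}):
        print(finding)
```

Export the hives with reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg (and likewise for the HKLM Run key, Internet Explorer\Main, Microsoft\Netprotocol and the two MIME keys), run the audit, then repeat after the removal steps; an empty result for all exports is the check that steps 2 and 3 were completed.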

