
Contents:
Trojan.Win32.FakeAV.aqil
Backdoor.Win32.Small.kaj
Trojan.Win32.Qhost.lxa
Trojan.Win32.Qhost.rij
Trojan-Downloader.Win32.Small.kzq

Trojan.Win32.FakeAV.aqil


Technical details: Windows application (PE-EXE file), 17408 bytes; 25 KB unpacked. Written in C++.


Downloads files from the following URLs:
http://tamarer.com/flash5.exe
http://paleenem.com/flash5.exe

The downloaded files are saved as:
%WinDir%\Temp\_ex-68.exe
%WinDir%\Temp\_ex-08.exe



Removal instructions:
1. Delete the original Trojan file (its location depends on how the program got onto the computer).
2. Delete the files:
%WinDir%\Temp\_ex-68.exe
%WinDir%\Temp\_ex-08.exe
3. Run a full scan of the computer with an antivirus whose databases are up to date.

Backdoor.Win32.Small.kaj


Technical details: Windows application (PE-EXE file), 4096 bytes. Written in C++.


Registers itself for autorun by creating the registry value:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"messenger"="<WorkDir>\<file name>"



Port used for the backdoor channel on the infected machine:
4455



Removal instructions:
1. Delete the original Trojan file (its location depends on how the program got onto the computer).
2. Delete the registry value:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"messenger"="<WorkDir>\<file name>"
3. Run a full scan of the computer with an antivirus whose databases are up to date.

Trojan.Win32.Qhost.lxa


Technical details: Windows application (PE-EXE file), 65536 bytes. Written in Visual Basic.


Registers itself for autorun by creating the registry value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"GoogleUpdate"="<WorkDir>\<file name>"


Creates the file:
c:\sysb.bat

Modifies the following values under the Terminal Server registry key:

[HKLM\System\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"= 1
"AllowTSConnections"= 1

Note for analysts: fDenyTSConnections=1 is the setting that denies Remote Desktop connections (0 allows them), and AllowTSConnections is not one of the documented values under this key, so treat these two writes as evidence of tampering rather than as proof that RDP was opened.

Enables Remote Assistance by setting:
[HKLM\System\CurrentControlSet\Control\Terminal Server]
"fAllowToGetHelp"= 1
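The Run-key persistence of Backdoor.Win32.Small.kaj and the Run-key and Terminal Server changes of this Trojan are the kind of thing an analyst checks from an exported hive. The script below is an added example, not code from the original page or from any vendor: it parses a constructed `reg export`-style text (the key and value names are the ones the two entries list; the file paths are invented), flags autorun values that point into user-writable locations, and reports what each Terminal Server value means. Function names are this example's own.

```python
"""Offline triage of a Windows registry export (.reg text) for the autorun
and Terminal Server changes described in the entries above.

Added example, not code from the original page. SAMPLE_REG is a constructed
'reg export' style file: the key names and value names are the ones the
Backdoor.Win32.Small.kaj and Trojan.Win32.Qhost.lxa descriptions list, the
file paths in it are invented. Function names are this example's own.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GoogleUpdate"="C:\\Documents and Settings\\alice\\Application Data\\updater.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"messenger"="C:\\WINDOWS\\Temp\\svc.exe"
"ctfmon"="\"C:\\WINDOWS\\system32\\ctfmon.exe\" /n"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"fAllowToGetHelp"=dword:00000001
"AllowTSConnections"=dword:00000001
'''

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: a backslash escapes the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    Strings are unescaped, dword values become ints; any other data type
    (hex:, hex(2): ..., including multi-line continuations) is kept as the
    raw text after '=' or skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            value = _unescape(data[1:-1])
        else:
            value = data
        keys[current][name] = value
    return keys


AUTORUN_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
# Path fragments that place an autorun binary in a user-writable location,
# which is where every dropper described on this page puts its files.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\appdata\\",
                 "\\documents and settings\\", "\\users\\", "\\programdata\\")
TS_SUFFIX = "\\control\\terminal server"
TS_MEANING = {
    "fDenyTSConnections": {0: "Remote Desktop connections allowed",
                           1: "Remote Desktop connections denied"},
    "fAllowToGetHelp": {0: "Remote Assistance disabled",
                        1: "Remote Assistance enabled"},
}


def exe_path(command):
    """Extract the program path from a Run-value command line."""
    command = command.strip()
    if command.startswith('"'):               # "C:\path with spaces\x.exe" /args
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    acc = ""
    for token in command.split():             # unquoted: grow until a .exe ends
        acc = f"{acc} {token}".strip()
        if acc.lower().endswith(".exe"):
            return acc
    return command.split()[0] if command else ""


def triage_registry(keys):
    """Flag autorun entries in user-writable paths; explain TS settings."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        if low.endswith(AUTORUN_SUFFIXES):
            for name, value in values.items():
                if not isinstance(value, str):
                    continue
                path = exe_path(value)
                if any(frag in path.lower() for frag in USER_WRITABLE):
                    findings.append({"check": "autorun_user_writable",
                                     "key": key, "name": name, "path": path})
        elif low.endswith(TS_SUFFIX):
            for name, value in values.items():
                meaning = TS_MEANING.get(name, {}).get(value, "not interpreted by this script")
                findings.append({"check": "terminal_server", "key": key,
                                 "name": name, "value": value, "meaning": meaning})
    return findings


if __name__ == "__main__":
    for f in triage_registry(parse_reg(SAMPLE_REG)):
        print(f)
```

On a live system the input comes from `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" ts.reg` (and the same for the two Run keys); real exports are UTF-16 encoded, so open them with `encoding="utf-16"` before handing the text to `parse_reg`. The ctfmon entry in the sample is there to show that a system32 path is not flagged: the signal is the user-writable directory, not the value name, which the malware here chose to look benign ("messenger", "GoogleUpdate").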

Stops the following services (Security Center, also under its Portuguese display name, and Windows Firewall/Internet Connection Sharing):
central de seguranca
wscsvc
SharedAccess

Modifies the hosts file:
c:\windows\system32\drivers\etc\hosts

adding the following entries, which point Brazilian and Spanish banking and payment sites at 199.238.144.115:
199.238.144.115 visanet.com.br
199.238.144.115 www.visanet.com.br
199.238.144.115 www.openbank.es
199.238.144.115 openbank.es
199.238.144.115 www.lacaixa.es
199.238.144.115 lacaixa.es
199.238.144.115 www.bancoreal.com.br
199.238.144.115 www.real.com.br
199.238.144.115 www.real.com.br
199.238.144.115 www.itau.com.br
199.238.144.115 citibank.com.br
199.238.144.115 www.citibank.com.br
199.238.144.115 www.pagamentodigital.com.br
199.238.144.115 pagamentodigital.com.br
199.238.144.115 www.cartaobndes.gov.br
199.238.144.115 cartaobndes.gov.br
199.238.144.115 americanas.com.br
199.238.144.115 www.americanas.com.br
199.238.144.115 americanas.com
199.238.144.115 www.americanas.com

Downloads a file from the following URLs:

http://www.cyprianosom.com.br/images/atual.txt
http://www.ecep.com.br/img/atual.gif

and saves it as:
<WorkDir>\atual.txt
<WorkDir>\atual.exe

then runs "atual.exe".

Window title associated with the Trojan:
avenger - Bloco de notas



Removal instructions:
1. Terminate the Trojan process using Task Manager.
2. Delete the original Trojan file (its location depends on how the program got onto the computer).
3. Delete the registry value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"GoogleUpdate"="<WorkDir>\<file name>"

4. Restore the Terminal Server registry values the Trojan modified to the settings your policy requires (fAllowToGetHelp=0 disables Remote Assistance):
[HKLM\System\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"= 1
"AllowTSConnections"= 1
[HKLM\System\CurrentControlSet\Control\Terminal Server]
"fAllowToGetHelp"= 1

5. Restore the hosts file:
c:\windows\system32\drivers\etc\hosts

to its default content:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

6. Delete the files:
<WorkDir>\atual.txt
<WorkDir>\atual.exe
c:\sysb.bat

7. Run a full scan of the computer with an antivirus whose databases are up to date.

Trojan.Win32.Qhost.rij


Technical details: Trojan that modifies the Windows hosts file "%System%\drivers\etc\hosts". Size: 6934 bytes.


Modifies the file "%System%\drivers\etc\hosts", which Windows consults before DNS when mapping host names to IP addresses, adding the following entries:
127.0.0.1 888.qq2233.com
127.0.0.1 www.qq2233.com
127.0.0.1 qq2233.com
127.0.0.1 www.rising.com
127.0.0.1 v.onondown.com.cn
127.0.0.2 ymsdasdw1.cn
127.0.0.3 h96b.info
127.0.0.1 virustotal.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.cnnod32.cn
127.0.0.1 www.lanniao.org
127.0.0.1 www.nod32club.com
127.0.0.1 www.dswlab.com
27.0.0.1 bbs.sucop.com
127.0.0.1 www.virustotal.com
127.0.0.1 tool.ikaka.com
127.0.0.1 360.qihoo.com
127.0.0.1 qq.gong2008.com
127.0.0.1 2008tl.copyip.com
127.0.0.1 tla.laozihuolaile.cn
127.0.0.1 www.tx6868.cn
127.0.0.1 p001.tiloaiai.com
127.0.0.1 s1.tl8tl.com
127.0.0.1 s1.gong2008.com
61.151.253.45 www.baidu.com
61.151.253.45 www.soso.com
61.151.253.45 www.sogou.com
61.151.253.45 soso.com
61.151.253.45 sogou.com
61.151.253.45 baidu.com
61.151.253.45 www.hao123.com
61.151.253.45 hao123.com
61.151.253.45 zhidao.baidu.com
61.151.253.45 tieba.baidu.com
61.151.253.45 www.qq.com
61.151.253.45 www.youdao.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com

As a result, the antivirus vendor, VirusTotal and security-forum sites resolve to loopback addresses and become unreachable, while the Chinese search engines and portals are redirected to 61.151.253.45. Note that the entry for bbs.sucop.com uses 27.0.0.1, which is not a loopback address, so that host is redirected to an unrelated address rather than blocked.



Removal instructions:
1. Open %System%\drivers\etc\hosts in a text editor (for example, Notepad), delete the entries added by the Trojan and save the file. The clean hosts file should contain:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

2. Run a full scan of the computer with an antivirus whose databases are up to date.
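Both Qhost entries above (the banking redirects of Trojan.Win32.Qhost.lxa and the antivirus blackholing of Trojan.Win32.Qhost.rij) come down to reading the hosts file and deciding which mappings do not belong there. The script below is an added example, not code from the original page or from any vendor: it parses a constructed hosts file assembled from the indicators listed in the two entries, classifies each mapping (redirect to a foreign address, loopback blackhole, loopback blackhole of a security site), and rebuilds a clean file. It goes a little beyond the page's "restore the default file" advice by letting an analyst carry over entries known to be legitimate. DEFAULT_HOSTS is the stock Windows hosts file; the function names are this example's own.

```python
"""Hosts-file triage for Qhost-style hijacks, and a clean rebuild.

Added example, not code from the original page. The IP addresses and host
names in SAMPLE_HOSTS are taken from the two Qhost descriptions above and
assembled into a constructed file; DEFAULT_HOSTS is the stock Windows hosts
file the page tells you to restore. Function names are this example's own.
"""
import ipaddress
from collections import Counter

DEFAULT_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
"""

# Constructed sample: the stock header, then entries of the kinds both Qhost
# variants write (banking sites redirected, security sites blackholed).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
199.238.144.115 www.itau.com.br
199.238.144.115 citibank.com.br        # pharming: bank name -> attacker IP
127.0.0.1 www.kaspersky.com
127.0.0.1 virustotal.com
27.0.0.1 bbs.sucop.com
61.151.253.45 www.baidu.com
"""

# Security-vendor and analysis sites listed on the page; a loopback entry for
# any of these is the antivirus-evasion pattern rather than plain ad-blocking.
SECURITY_SITES = {
    "www.kaspersky.com", "virustotal.com", "www.virustotal.com",
    "www.rising.com", "360.qihoo.com", "tool.ikaka.com", "www.nod32club.com",
    "www.cnnod32.cn", "www.dswlab.com",
}


def parse_hosts(text):
    """Return [(line_no, ip, [hostnames])] for each non-comment entry."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        fields = line.split()
        entries.append((n, fields[0], fields[1:]))
    return entries


def triage_hosts(text):
    """Classify every mapping that is not the stock localhost line."""
    findings = []
    for n, ip, hosts in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append({"line": n, "kind": "malformed", "ip": ip, "host": " ".join(hosts)})
            continue
        for host in hosts:
            if host == "localhost" and addr.is_loopback:
                continue                          # the one legitimate line
            if addr.is_loopback:                  # whole 127/8 and ::1
                kind = "av_blackholed" if host in SECURITY_SITES else "blackholed"
            else:
                kind = "redirected"               # any non-local target
            findings.append({"line": n, "kind": kind, "ip": ip, "host": host})
    return findings


def summarize(findings):
    """Count findings per kind, for a quick verdict."""
    return dict(Counter(f["kind"] for f in findings))


def clean_hosts(text, keep=frozenset()):
    """Rebuild the file: stock content plus only the (ip, host) pairs in `keep`."""
    kept = [f"{ip}\t{host}" for _, ip, hosts in parse_hosts(text)
            for host in hosts if (ip, host) in keep]
    return DEFAULT_HOSTS + "".join(line + "\n" for line in kept)


if __name__ == "__main__":
    for f in triage_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}  {f['kind']:<14} {f['ip']:<16} {f['host']}")
    print(summarize(triage_hosts(SAMPLE_HOSTS)))
```

The classification deliberately treats the whole 127/8 range as loopback, which is why the 127.0.0.2 and 127.0.0.3 entries of Qhost.rij count as blackholes, and it is also why the page's "27.0.0.1 bbs.sucop.com" line shows up as a redirect: that address is not loopback, so the name is sent to an unrelated host instead of being blocked. Writing the rebuilt file back over %System%\drivers\etc\hosts needs administrator rights.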

Trojan-Downloader.Win32.Small.kzq


Technical details: Windows application (PE-EXE file), 16384 bytes; 54 KB unpacked. Written in C++.



MD5:
f001adde32815f8d17385ec7d81e52ea

Downloads files from the following URLs:
http://promo.vicandtish.com/dbg.php
http://senior.byte4byte.com/update.php?safebrowsing=VCXBNMBVCBNYTRZKHJK
http://senior.byte4byte.com/update.php?safebrowsing=JHBGFCFZFSHVDXHJKJHG

The downloaded files are saved as:
%Document and Settings%\%Current User%\%AppData\%\<rnd>.exe

where <rnd> is a random string of characters, for example "XN0HF8xR" or "s2ve2g06".



Removal instructions:
1. Terminate the Trojan process (using Task Manager).
2. Delete the file:
%Document and Settings%\%Current User%\%AppData\%\<rnd>.exe

3. Clear the Temporary Internet Files folder, which may contain infected files.
4. Run a full scan of the computer with an antivirus whose databases are up to date.

TOP ANTIVIRUS
01. Kaspersky Anti-Virus
02. BitDefender Antivirus
03. Avast Antivirus
04. Norton Antivirus / Internet Security
05. McAfee Antivirus
06. Panda Antivirus Pro 2009
07. ZoneAlarm Anti-virus 2009
08. ESET NOD32 Antivirus
09. AVG Antivirus

Kaspersky Antivirus 2012 is well known for its fast performance and impressive security capabilities. The software is said to be one of the fastest antivirus products, one that does not slow the computer down at all. It also provides maximum protection against viruses and other forms of threat, online and/or offline. Fully compatible with Windows 7, Kaspersky offers security software for personal computers, business computers and enterprises. Kaspersky also offers antivirus software for desktops, notebooks, Macs and mobile devices. Kaspersky offers the best antivirus software for business computers and is our top pick for enterprise antivirus software.

The antivirus uses advanced algorithms, technologies and methods to identify security risks and block threats even before they try to harm your computer. It is used by millions of computer users around the world, and the price of the antivirus software is quite affordable.