Backdoor: Rootkit.Win32.Agent.a
Risk level: Medium
Virus description
The sample is a backdoor program written in VC and packed with UPX in an attempt to evade signature scanning; the packed size is 37,376 bytes. Its icon is “ ” (image not preserved), it uses the “exe” extension, and it spreads through file bundling, web page trojans and download tools. Its main purpose is to give the attacker control of the user's computer. When a computer is infected, the system reports errors for no apparent reason, anti-virus software fails to start or quits on its own, and a large number of unknown processes appear.
Infected OS
Windows 2000/Windows XP / Windows 2003/Windows Vista / Windows 7
Transmission
File bundling, web page trojans, download tools
Manual solution:
Manually delete files
1. Delete %SystemRoot%\system32\ZGu.dll
2. Delete %SystemRoot%\system32\drivers\ietg.sys
Manually delete the registry key
1. Remove HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ietg
Variable definitions:
%SystemDriver%: the partition where the system is installed, typically “C:\”
%SystemRoot%: the Windows directory, usually “C:\Windows”
%Documents and Settings%: the user profiles directory, usually “C:\Documents and Settings”
%Temp%: the temp folder, usually “C:\Documents and Settings\<current user name>\Local Settings\Temp”
%ProgramFiles%: the default program installation directory, typically “C:\Program Files”
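The manual steps above as a check-and-clean script, added here as an example and not part of the original advisory. It verifies each listed indicator (files and the Ietg service key) and only removes them when run with -Remove; it assumes an elevated prompt, PowerShell 4 or later for Get-FileHash, and that the page's %SystemDriver% means the %SystemDrive% environment variable.

```powershell
# Added example: checks for the Rootkit.Win32.Agent.a indicators listed on the page
# and, with -Remove, applies the manual removal steps. Run elevated.
param([switch]$Remove)

$sysRoot  = $env:SystemRoot
$sysDrive = $env:SystemDrive   # assumed equivalent of the page's %SystemDriver%
$files = @(
    (Join-Path $sysRoot  'system32\ZGu.dll'),           # hook DLL (page notes the name may be random)
    (Join-Path $sysRoot  'system32\drivers\Ietg.sys'),  # driver loaded by the Ietg service
    (Join-Path $sysDrive 'Ck7YjX.bat')                  # self-delete batch file, usually already gone
)
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Ietg'

$found = $false
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $found = $true
        # Record a hash before deletion so the sample can be submitted or matched later.
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Write-Output "FOUND file: $f  SHA256=$hash"
    }
}
if (Test-Path $serviceKey) {
    $found = $true
    $imagePath = (Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue).ImagePath
    Write-Output "FOUND service key: $serviceKey (ImagePath = $imagePath)"
}
if (-not $found) { Write-Output 'No Rootkit.Win32.Agent.a indicators found.'; return }

if ($Remove) {
    # Stop the driver service first so the .sys file is not locked, then remove key and files.
    sc.exe stop Ietg | Out-Null
    Remove-Item -Path $serviceKey -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
        }
    }
    Write-Output 'Removal attempted; reboot and re-run this script to confirm the indicators are gone.'
}
```

Because ZGu.dll is mapped into other processes through its keyboard and mouse hooks, deleting it can fail while those processes run; carrying out the steps from Safe Mode avoids that.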
Virus analysis:
1. The virus locates the system directory and creates the file %SystemRoot%\system32\ZGu.dll there.
2. It loads %SystemRoot%\system32\ZGu.dll, which installs keyboard and mouse message hooks to monitor user input.
3. It creates the batch file %SystemDriver%\Ck7YjX.bat to delete itself.
4. It creates the driver service %SystemRoot%\system32\drivers\Ietg.sys together with the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ietg so that it starts automatically.
5. It creates a thread that connects to the attacker's server, sends the user machine's processor type, operating system version, default system language and other information to the URL the attacker specified, and waits for further commands.
Files created by the virus:
%SystemRoot%\system32\ZGu.dll (random name)
%SystemRoot%\system32\drivers\Ietg.sys
%SystemDriver%\Ck7YjX.bat
Registry keys created by the virus:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ietg
Name: IMAGEPATH
Data: System32\drivers\IETG.sys
Network addresses accessed by the virus:
http://www.****.com.cn/update.php?
http://www.****.com.cn/api.php?